Transcript What does the law say about Privacy in Electronic Communications?

Privacy in Electronic
Communications;
Malpractice and
Credentialing Updates
Privacy in Electronic
Communications
Two topics to discuss:
 What does the law say?
 Problem Areas?
What does the law say
about Privacy in Electronic
Communications?
ay about Privacy in Electronic Communications?
What does the law say?
General HIPAA Rule
45 CFR 164.502(a)
“A covered entity or business associate
may not use or disclose protected health
information, except as permitted or
required [by these regulations].”
What does the law say?
Very generally speaking:
 Privacy Rule: When can you use or
disclose?
 Security Rule: How do you
safeguard and transmit e-PHI?
What does the law say?
 Keys to Privacy Compliance
 Good policies
 Good training
 Keys to Security Compliance
 Regular Risk Assessment
 Response to Risk Assessment
What does the law say?
Security Rule FAQ Regarding Email:
 Security Rule does not prohibit
use of email for sending e-PHI.
 Assess use of open networks.
 Identify available and appropriate
means to protect e-PHI.
 Select a solutions, document the
decision.
What does the law say?
Privacy Rule FAQ Regarding Email:
 Check email address for accuracy.
 Communications to patients for treatment
purposes do not have to be encrypted.
 However, limit amount and type of
information sent through unencrypted
email.
 Patient may request email, or patient may
request no email.
What does the law say?
Privacy in Electronic Communication:
Problem Areas
Mobile Devices
Not prohibited, but ...







Risk of theft.
Risk creating unintentional record.
Do require authentication.
Do require encryption.
No public Wi-Fi.
Keep inventory of devices.
Remote shut down tools.
HIPAA and Social Media
With new technology comes new
problems.
Two paramedic students working
in the ED in Florida as part of
their training took digital photos
of a patient who had been
attacked by a shark and e-mailed
the photos to several friends.
A Chicago physician, on his blog,
called a patient “lazy” and
“ignorant” because she had made
several visits to the ED after
failing to monitor her sugar level.
A medical student filmed a doctor
inserting a chest tube into a
patient, whose face was clearly
visible, and posted the footage on
You Tube.
A nurse posted on her Facebook
page that she had treated a “cop
killer” the day following many
news accounts named the accused
shooter and the hospital where he
was treated.
These individuals should have used
the “Coffee Shop Test” before
posting the information:
If you
wouldn’t talk about it with a friend
in a coffee shop, then it’s not
appropriate to talk about it online
(and it’s never ok to talk about
specific patients with a friend in a
coffee shop).
And it is really worse than that. It is
more like inviting all of your friends
to the coffee shop and announcing
to the entire coffee shop certain
pieces of information about the
patient.
Hypothetical
Nurse Mary, using her personal iPhone, after
work hours, posts on her Facebook page (after
describing her daughter’s soccer game and
shopping outing earlier that day) the following:
“I met (Famous Football Player) today!! Such a nice
guy! Not bad on the eyes either!” Later that same
day, in response to a “Friend’s” question, Mary
responded: “He came in for a broken arm.”
Meanwhile, one of Mary’s Friends, “Susan,”
responded to Mary’s original post with a simple
“Likes” reply.
It is important for you to know:
1. Mary’s Profile states that she is a
Registered Nurse who works in the
Orthopedics Department of Large
Hospital System in Anytown, USA; and
2. Among her “Friends” is a co-worker,
“Susan,” a Physical Therapist who works
in the same Department of the same
Hospital. Susan’s Profile also states her
profession and her place of work.
Around 90 days later, Large Hospital System
receives a letter from the Office for Civil Rights
advising that it received an anonymous
complaint alleging that it was not in compliance
with the HIPAA Privacy Standards and, more
specifically that Mary had impermissibly
disclosed protected health information of
individuals who were patients of the Hospital’s
Orthopedics Department. Specifically, it is
alleged that Mary posted PHI on her Facebook
page related to the patient status and medical
condition of “Famous Football Player.”
Was this a HIPAA violation?
The “general” rule is that, under HIPAA, a
Covered Entity (or Business Associate) may not
use or disclose PHI except as permitted or
required by the Privacy Rules. Facebook and
other social media posts, like verbal “gossip”
about patients are electronic forms of PHI if
patients are identified by name (or otherwise)
and the context of the posts says something about
the medical condition or patient status of the
individual. In the “Mary” hypothetical, this
would be a HIPAA violation.
Lawsuits
In late December of 2013, a patient who was seen at the ED
of Northwestern Memorial Hospital in Chicago sued the
Hospital, the Feinberg School of Medicine and the
physician who treated her, after the physician posted
pictures of the drunk patient to social media. She is
seeking $1.5 million in damages. The patient is an actress,
model and ex-professional tennis player from Russia who
claims that the postings damaged her future career
prospects and caused her emotional distress. In posting the
pictures, the physician invited friends for rooftop cocktails
across the street from the ED where the patient was
admitted for alcohol poisoning.
Walgreens was ordered to pay $1.44 million in a lawsuit brought
against it for a violation of privacy by one of its pharmacist
employees. The pharmacist looked up the medical records of her
husband’s ex-girlfriend, who she suspected gave her husband an
STD. She found what she was looking for, told her husband about
it, and he then sent a text message to the ex and told her he knew all
about the results. The ex figured out how the husband found out
about the results and filed the lawsuit, not against the pharmacist,
but against the deep-pocket, Walgreens. The jury decided that
Walgreens was responsible for 80% of the verdict. Walgreens said it
will appeal. But wait, HIPAA does not allow a private right of
action, so how did this lawsuit proceed?
It was brought under common law theories of invasion of privacy,
negligence and professional malpractice. Walgreens was not sued
for violating HIPAA, however, the HIPAA violation by Walgreen’s
employee was used to show that Walgreens was negligent.
Common Myths and Misunderstandings of
Social Media:
1. A mistaken belief that the communication or
post is private and accessible only to the
intended recipient.
2. A mistaken belief that content that has been
deleted from a site is no longer accessible.
3. A mistaken belief that it is harmless if patient
information is disclosed if the communication
is accessed only by the intended recipient.
This is still a HIPAA violation if the intended
recipient is an unauthorized individual.
Common Myths and Misunderstandings of
Social Media:
4. A mistaken belief that it is acceptable to
discuss or refer to patients if they are not
identified by name, but referred to by a
nickname, room number, diagnosis or
condition.
Common Myths and Misunderstandings of
Social Media:
5. Confusion between a patient’s right to
disclose
personal
information
about
himself/herself and the obligation of a health
care provider to refrain from disclosing such
information unless it is related to treatment,
payment or healthcare operations.
6. The ease of posting and commonplace nature
of sharing information via social media may
appear to blur the line between one’s personal
and professional lives.
HIPAA Enforcement
(as of the end of 2014)
HIPAA Enforcement
Since the compliance date of the Privacy
Rule in April 2003, OCR has received
over 106,522 HIPAA complaints and has
initiated over 1,183 compliance reviews.
OCR has resolved ninety-five percent of
these cases.
HIPAA Enforcement
OCR has investigated and resolved over
23,314 cases by requiring changes in
privacy practices and corrective actions
or providing technical assistance to,
HIPAA covered entities and their
business associates.
HIPAA Enforcement
In another 10,566 cases, OCR
investigations found no violation had
occurred.
HIPAA Enforcement
Additionally, in 7,883 cases, OCR has
intervened early and provided technical
assistance to HIPAA covered entities,
their business associates, and individuals
exercising their rights under the Privacy
Rule, without the need for an
investigation.
HIPAA Enforcement
In the rest of the completed cases, (68,412)
OCR determined that the complaint did not
present an eligible case for enforcement.
These include cases in which:
 OCR lacks jurisdiction under HIPAA.
For example, in cases alleging a violation
by an entity not covered by HIPAA;
HIPAA Enforcement
 The complaint is
withdrawn by the filer.
untimely,
or
 The activity described does not violate
the HIPAA Rules. For example, in cases
where the covered entity has disclosed
protected
health
information
in
circumstances in which the Privacy
Rule permits such a disclosure.
HIPAA Enforcement
From the compliance date to December
31, 2014, the compliance issues
investigated most are, in order of
frequency:
1. Impermissible uses and disclosures of
protected health information;
2. Lack of safeguards of protected health
information;
HIPAA Enforcement
3. Lack of patient access to their protected
health information;
4. Lack of administrative safeguards of
electronic protected health information;
and
5. Use or disclosure of more than the
minimum necessary protected health
information.
HIPAA Enforcement
The most common types of covered
entities that have been required to take
corrective action to achieve voluntary
compliance are, in order of frequency:
1. Private Physician Practices;
2. General Hospitals;
HIPAA Enforcement
3. Outpatient Facilities;
4. Pharmacies; and
5. Health Plans (group health plans and
health insurance issuers)
Security Rule Enforcement
Since OCR began reporting enforcement
of the security rule in October of 2009,
they have received 940 complaints. 689
complaints have been resolved. As of
August 31, 2014, 316 of these complaints
remain outstanding.
Referrals to Department of Justice
As of December 31, 2014, OCR has
referred 543 cases to the Department of
Justice for criminal investigation involving
violations of the HIPAA Privacy Regs.
Legal Issues with
Electronic Medical
Records
Legal Issues - EMR
 Learning Curve
 Studies Conducted on the effect on
Malpractice cases
Legal Issues - EMR
 More Data Available
 Sometimes good, sometimes not
 EMR Metadata (i.e., time stamps,
length of the viewing)
 Generally Discoverable
Legal Issues - EMR
Case Examples of More ≠ Better
 Patient injured during surgery.
 Lawsuit targeted surgeon’s
competence.
 EMR Metadata during discovery.
 Time stamp triggered suspicion
about anesthesiologist.
Legal Issues - EMR
 Medical Errors
 Theoretically EMR should help to
reduce, and probably do in cases.
 Easy to click incorrectly and make
a mistake that would never have
been made in writing.
Legal Issues - EMR
 Fraud Claims
 “Cloning”
 Personal Example
Legal Issues - EMR
 Consolidation of massive amounts
of information.
 Theft of Laptop could mean theft of
thousands of medical records.
 HIPAA Security Regulations and
Policies.
Credentialing Update
Why do Hospitals Credential?
Credentialing Requirements
 Arkansas Department of Health
Rules
 CMS Regulations
What is the HCQIA?
 Healthcare Quality Improvement Act of
1986
 Lots of undetected Malpractice
 Incompetent physicians moving state to
state
 Easier to conduct professional review
activities.
 Immunity
 Originated National Practitioner Data
Bank
Hospital Credentialing
Selected Cases
Case Example – Negligent Credentialing
 Frigo v. Silver Cross Hospital
 Podiatrist
 Patient alleges podiatrist negligent.
Resulted in amputation of foot.
(1998)
Case Example – Negligent Credentialing
 Podiatrist had been granted “Level
2” surgical privileges required for
this procedure.
 Did not have required additional
post graduate surgical training
which was actually required in
Bylaws.
Case Example – Negligent Credentialing
 Bylaws standards changed before
re-appointment but still did not
meet them.
 At time of alleged negligence, he
had performed only 6 similar
procedures ever and none at this
facility.
Case Example – Negligent Credentialing
 In addition to suing the podiatrist
for obvious reasons, plaintiff sued
hospital for negligent credentialing.
 Podiatrist settled for $900,000.
 Jury verdict against Hospital for
almost $8 million.
Case Example – Negligent Credentialing
 Hospital argued no industry-wide
standard for podiatric surgical
privileges.
 Hospital argued no bad to comes to
make it question reappointment.
 Court said Hospital breached its
own standards.
Negligent Credentialing – Action Items
 Audit whether bylaws, rules and
regulations, and policies comply
with applicable standards.
 Audit whether written standards are
followed.
Poliner Case
 Dr. Poliner – Cardiologist
 Sought privileges at Dallas
Presbyterian in 1997.
 Several questions regarding cath
lab incidents.
Poliner Case
 Department chair met with Poliner.
 Requested no cath lab procedures
until Committee appointed to
review case.
 Poliner claims he felt backed into a
corner ... “sign this letter, or we’ll
suspend you.”
Poliner Case
 Committee reviewed 44 cases and
found substandard care in 29!
 Cases also referred for independent
review.
 Independent review not conducted
prior to department meeting.
Poliner Case
 Poliner requested extension for
meeting.
 Denied.
 Given 1 hour to discuss.
 Committee unanimously recommended
suspension.
 Cath lab and echocardiography
privileges suspended. Could still admit,
consult, perform echocardiograms.
Poliner Case
 Hearing committee recommended
restoration, with conditions.
 Poliner wanted the summary
suspension overturned to clear his
name.
 Committee determined that due process
didn’t require this.
Poliner Case
 Poliner sues in federal court, numerous
claims (antitrust breach of contract,
slander, libel, tortious, interference).
 Hospital claimed HCQIA immunity.
 Court would not grant.
Poliner Case




Violated Bylaws.
Forced to sign letter.
Animosity.
Not given enough information.
Poliner Case
 However, 5th Circuit Court of Appeals
reversed.
 Found Immunity under HCQIA.
 Action was taken in furtherance of
quality healthcare.
 Hearing procedures fair.
 This court said that strictly following
Bylaws not necessary for immunity.
Poliner Case
Action Items
 Consider all alternatives to summary
suspension.
 Never let personal animosities impact
decision-making.
 Try to avoid decisions by only direct
competitors.
 Follow Bylaws procedures.
 Keep adequate documentation.
 Accommodate requests for extensions,
access to records.
Medical Malpractice Update
What’s New?
• Technology
• Tactics
Technology
* More potential evidence generated than ever
- more EMR, more emails, more telemetry,
more policies, more, more, more . . . .
Technology
More ≠ Better
ELECTRONIC MEDICAL RECORDS
• BENEFITS:
– Intended to make recordkeeping more accurate, comprehensive and
accessible
– Often faster and clearer documentation
• DOWNSIDES:
– Often difficult to navigate in legal setting
– Sometimes, computerized records appear to be “auto-filled” or “copy
and pasted”
– Too accurate and comprehensive?
• Saves hidden metadata (timestamps/locations) that would
otherwise not be saved, leading to new questions from plaintiff’s
lawyers
ELECTRONIC MEDICAL RECORDS
DOCUMENTATION - WHAT TO INCLUDE
(BESIDES THE OBVIOUS)
• Patient refusals to accept care
recommendations (treatment, surgery,
medications, therapy)
• Family interactions with patient and care
providers
• Patient reactions to care and environment
(happy, angry etc.)
ELECTRONIC MEDICAL RECORDS
DOCUMENTATION
• Most cases involve both doctors and nurses
– you usually stand or fall together
• When you work as a team, document as a
team.
 Avoid emotional or negative inferences
 “Nurse failed to call until FHR had been low for 15 min”
 “Doctor finally provided new orders”
 “Doctor has been paged but refused to respond”
ELECTRONIC MEDICAL RECORDS
• Support the team when possible.
- What did the team do?
- “Dr. Smith arrived immediately and
assessed patient”
- “Nurse recognized problem and called me
appropriately”
ELECTRONIC MEDICAL RECORDS
DOCUMENTATION
Document accurately what happened – (What is the observation?)
• “Patient experienced increasingly severe respiratory distress
before losing consciousness.”
Document immediate response
(What is the response?)
• “Multiple attempts at intubation were unsuccessful. After second
attempt, requested that nurse call for surgeon to respond for
attempt at surgical airway.”
ELECTRONIC MEDICAL RECORDS
• Nurses/Doctors will be required to give live
testimony and . . .
“Open book” tests are easier.
Trend - Techniques
Reptile Theory
REPTILE THEORY
What is the Reptile Theory?
• Based on book Reptile Revolution written by a
plaintiff’s lawyer and a jury consultant
• Aimed at helping plaintiffs “trick” witnesses
into giving damaging testimony (especially in
depositions) and scaring jurors
• Appeals to the “reptile” brain of jurors – fear
response
• End result is higher verdicts
REPTILE THEORY
Does it really work?
• Unfortunately, yes – very well when done
correctly
How does it work?
• Ask series of questions – starting very simple
and general – that builds into specific
questions about the case
• Witness gets “trapped” by own previous
answers and must admit to fault
REPTILE THEORY
Examples of general principle questions:
– “You have an obligation to ensure patient safety,
right?”
– “It would be wrong to needlessly endanger a
patient, wouldn’t it?”
– “All nurses have a duty to decrease risk to
patients, don’t they?”
REPTILE THEORY
Reptile’s “Big Picture” Principles:
•
•
•
•
•
•
Safety is always a top priority
Danger is never appropriate
Protection is always a top priority
Reducing risk is always a top priority
Sooner is always better
More is always better
REPTILE THEORY
• Once the witness agrees to these principles as
blanket statements, the attorney asks
hypotheticals that incorporate them
• Witness feels compelled to comply with prior
answers
REPTILE THEORY
Then, the “big picture” questions turn into
hypotheticals:
• “If a patient’s status changes, the safest thing to do
is call the doctor immediately, right?”
• “Documentation must be complete and accurate;
otherwise, a patient could be put in danger, right?”
• “When a patient develops a new complaint of pain in
her leg, the safest thing to do is assume it is a DVT
until proven otherwise, right?”
REPTILE THEORY
• Then, hypotheticals turn into specific facts of your
case
• Witness feels immense pressure to stay consistent –
even by admitting fault
Examples:
– “When you failed to call the doctor immediately, that
created a safety risk to my client?”
– “That exposed my client to unnecessary risk of harm?”
– “Failing to call the doctor was below the standard of care
for a nurse, wasn’t it?”
REPTILE THEORY
How can nurses and doctors avoid these traps?
• Never agree to what they say.
• Practice, practice, practice:
– Requires a great deal of preparation leading up to
deposition
– And then more preparation
Add it up . . .
Easier to Sue + More Money at Stake
= Bigger (and Nastier) Lawsuits
What you can do now
Action Items- EMR
1)
2)
3)
4)
5)
6)
Check Content - Does it tell the story???
Can you read it when printed?
Is it personal?
Does it make sense as a whole?
Is it repetitive? Is it gibberish?
Do items print that aren’t pertinent?
Is more just more?
Action Items - EMR
Print Samples -
1) Include all departments
2) Is it useful or is it a scavenger hunt?
3) Does it give you credit for your good work?
Action Items
Texts
Email
Develop email and text messaging use policies
Action Items
Develop social media policies
Handling Issues When they Occur
Handling Issues
Goals:
Take care of the patient
Improve future care
Treat patients and employees fairly
Protect privileges
Preserve evidence
Protecting Privilege
Although medical errors do not necessarily
constitute improper,
negligent, or unethical behavior,
failure to disclose them are all three.
American College of Physicians: Ethics Manual (Ann Intern Med 1998)
Ritchie JH, Davies SC (BMJ 1995)
Protecting Privilege
Generally . . .
– Peer Review protects records and testimony of meetings
of organized committees of the medical staff
– “QA” privilege protects data collected
– Attorney-client protects all confidential communications
Protecting Privilege
Documents “compiled or accumulated” by
the administrative staff in connection with
the review are protected
Protecting Privilege
But . . . .
“incident reports” are NOT privileged
Protecting Privilege
Unless there is a hardship parties cannot obtain
documents:
– prepared in anticipation of litigation or for trial
– by or for that party's representative (including his
attorney or insurer)
Protecting Privilege
Privileges may be waived if matters are
written anywhere other than in QA, peer
review, or lawyer-client documents
Protecting Privilege
Be aware of what information is being filed in
personnel files
If you have a quality issue with an employee,
handle it through the quality committee
Protecting Privilege
Discussion of adverse events to anyone outside of QA,
peer review, or lawyer-client communications
is not privileged
Protecting Privilege
“DO NOTS”:
-
Do not reference QA documents in the chart
Do not do QA follow up in the chart
Do not keep documents anywhere other than the QA file
Do not take them home
Do not attach them to board minutes
Do not use them for other purposes (like routine matters,
meeting prep, theft reports)
Protecting Privileges
DOs:
1)
Review peer review policies and procedures
2)
Review information collection papers
3)
Review routing procedures
4)
Educate staff
Preserving Evidence
Institute a “Litigation Hold”
Preserving Evidence
Your obligation starts when litigation is
reasonably anticipated
Preserving Evidence
Your litigation hold MUST:
1) Preserve all potentially relevant documents
Chart, billing records, schedules, staffing records,
nursing policies, security videos, incident reports, locator
records, PIXIS records, pharmacy records, emails,
personnel files, logs, phone messages, photos, faxes,
computer files . . . .
Preserving Evidence
2) No matter where they are stored
Sticky notes, computer files, email folders, cell
phones, laptops, discs, network servers,
flash drives . . .
Preserving Evidence
3) In their native form
Electronic records can’t be moved or changed
-
Do not delete, modify, move e-records
Must talk with IT about securing records
Make sure they don’t change modification dates
Paper stays paper
-
Sticky notes stay sticky notes
Paper clips stay on
Preserving Evidence
There can be big fines or penalties
for failing to preserve evidence in
accordance with required standards.
Even law firms have been fined or
sanctioned. Check your litigation
hold policies.
QUESTIONS
Tim Ezell
Friday, Eldredge & Clark, LLP
[email protected]
501-370-1414