electronic prescribing

May 11, 2016
Compliance, Technology, and Cybersecurity:
Are You Covered?
Presented by
Mike Lowe, Esquire
This presentation provides education on record management and related legal principles, not specific legal advice.
The presenters advise vetting of all your Legal Health Record activities with your legal counsel.
What is telehealth?
• The Health Resources Services Administration defines telehealth as the use of electronic information and telecommunications technologies to support long-distance clinical health care, patient and professional health-related education, public health and health administration. Technologies include videoconferencing, the internet, store-and-forward imaging, streaming media, and terrestrial and wireless communications. Telehealth technology enables the remote diagnosis and evaluation of patients, as well as the remote detection of fluctuations in the medical condition of the patient at home so that medications or the specific therapy can be altered accordingly. It also allows for e-prescribing of medications and remotely prescribed treatments.
What is telemedicine?
• Formally defined, telemedicine is the use of medical information exchanged from one site to another via electronic communications to improve a patient’s clinical health status. Telemedicine includes a growing variety of applications and services using two-way video, email, smart phones, wireless tools and other forms of telecommunications technology. Telemedicine refers to the use of information technologies and electronic communications to provide remote clinical services to patients. The digital transmission of medical imaging, remote medical diagnosis and evaluations, and video consultations with specialists are all examples of telemedicine.
How is telehealth different from telemedicine?
• Telehealth is different from telemedicine because it refers to a
broader scope of remote healthcare services than telemedicine.
While telemedicine refers specifically to remote clinical services,
telehealth can refer to remote non-clinical services, such as provider
training, administrative meetings, and continuing medical education,
in addition to clinical services.
• Licensure Considerations
– i. Overview
– ii. FSMB Interstate Medical Licensure Compact
– iii. Types of Licenses
– iv. Licensing Exceptions
• Scope of Practice Considerations
– i. Overview
– ii. Establishing the Physician-Patient Relationship – Consultations,
Diagnoses, and Treatment Recommendations
– iii. FSMB Model Policy for the Appropriate Use of Telemedicine
Technologies in the Practice of Medicine
– iv. Remote Prescribing
Licensure and Telemedicine – An Overview
• States, and specifically state medical boards, are responsible for regulating
and monitoring the practices of health care professionals within their
boundaries
• Licensure is the process by which states validate the credentials of health
care professionals
• Licensure rules apply to all health care professionals, including those who
practice telemedicine both within states and across different states
• Yet, state licensure rules traditionally have run counter to the practice of
telemedicine, which transcends geographic boundaries
Health care practitioners who practice telemedicine generally are subject to
the licensure rules of: (1) the states in which their patients are physically
located and (2) the states where they (the practitioners) are practicing
Types of Licenses Available to Telemedicine Providers
• Regular Licenses
• Some states require telemedicine providers to obtain the relevant professional license required by the state and to meet other related state-specific requirements such as payment of licensure fees and passage of professional examinations
• Examples: Alaska, Connecticut, Florida, Illinois, Massachusetts
• Special Telemedicine Licenses
• Some states issue special licenses / certificates related to the practice of
telemedicine services, allowing out-of-state providers holding such licenses to
render services provided certain conditions are met, such as not opening an
office in the state
• 10 states
• Licenses for Non-Physician Practitioners
Telemedicine Licensing Exceptions
• Endorsement
– Allows out-of-state licensed physicians to obtain in-state licenses based on their out-of-state credentials
– A state board accepts the license granted by another state with similar standards
• Examples include Arizona (Ariz. Rev. Stat. § 32-1426); Florida (Fla. Stat. § 458.313); Ohio (Ohio Rev. Code Ann. § 4731-6-16)
• Registration
– Allows out-of-state licensed physicians to register with in-state medical licensing boards, rather than obtaining an additional in-state license
• Reciprocity
– Specific agreements between state licensing boards to mutually recognize out-of-state licenses for the purpose of in-state practice; usually created between states that have similar medical licensing laws or have agreed to harmonize their laws
• “Bordering States” Exception
– Permits, under certain circumstances, the in-state practice of medicine by out-of-state physicians who are licensed by bordering states
• Consultation
Telemedicine Licensing Exceptions – Consultation Exception
• Available in many states
• Allows a physician who is not licensed in the state to practice medicine “in
consultation” with a referring physician who is licensed in the state
– Unclear whether the exception applies to routine, ongoing consultations with telemedicine providers
• Scope varies from state to state
– 25 states allow consultation with limited restriction
• Florida
• “Limited restriction” is defined to include one or more of the following:
– Consultation must be with an in-state physician;
– Consultation must be at the request of an in-state physician;
– Out-of-state physician may not open up an office to see patients/receive calls in the state; and
– In-state physician must maintain ultimate responsibility for the primary diagnosis and/or treatment of the patient
Telemedicine Scope of Practice
When Does Scope of Practice Matter?
• Direct-to-patient arrangements
• Follow-up visits/consults for existing patients (e.g., post-op, mental health,
chronic disease)
• Online second opinions
• Direct-to-Patient care model
• Telemedicine Practice
– Consults
– Diagnosis
– Treatment recommendations
– Remote prescribing
– Telesurgery
Telemedicine Scope of Practice
• Consults, diagnosis, treatment recommendations
– In-person exam required to establish valid doctor-patient relationship?
– In-person exam required for diagnosis and treatment recommendation?
– Each time or just once?
• Remote Prescribing
– Not just State Board of Medicine rules.
– Pharmacy, DEA, FDA
• In-person exam required to prescribe?
– Even if a pre-existing doctor-patient relationship exists?
– Online interface without real-time video?
– Exceptions for in-facility use (e.g., hospitals)?
• In-person exam required for all medications? Controlled substances?
Scheduled substances?
• In-person exam required for refills?
Telemedicine Scope of Practice
• Nature of patient examination and technology requirements
• Telemedicine special informed consent?
• Telemedicine-specific record-keeping requirements?
• Supervision of NPPs
Case Study: Florida
• “Standards for Telemedicine Prescribing Practice” (F.A.C. §§ 64B8-9.014, 64B15-14.008)
• Must have a physician-patient relationship before prescribing. Must conduct some exam before prescribing
• Questionable applicability to modern, legitimate telehealth
arrangements.
Case Study: Florida
• New regulations (Mar 2014); 64B8-9.0141
– A valid D-P relationship may be established through telemedicine.
– Allow consultations between physicians, as well as the transmission and review of digital images, pathology specimens, test results, or other medical data by physicians or other qualified providers related to the care of Florida patients.
– Prohibit remote prescribing of controlled substances, but make no statement with regard to prescriptions for non-controlled substances.
• But note, the ordering of controlled substances for hospitalized patients through the use of telemedicine is not prohibited.
– Telemedicine may be performed not only by a licensed Florida physician, but also by a physician assistant.
– Defer to existing standards of care.
Telemedicine Reimbursement
• Medicare
• Medicaid
• Commercial insurance
• Employer-pay
• Org-to-org compensation arrangements
• Self-pay
Telemedicine Reimbursement
• Medicare Telehealth Coverage
– Reimburses for telemedicine services when the originating site (patient location) is in a HPSA or a county outside a Metropolitan Statistical Area (MSA).
– Originating site must be a medical facility and not the patient's home (e.g., practitioners' offices, hospital, and rural health clinics).
– Only covers face-to-face, interactive video consultation services where the patient is present. (S&F in AK and HI)
– Limited set of covered services.
Telemedicine: Business Issues
• A. Corporate practice of medicine
• B. Fee splitting
• C. Anti-Kickback Statute and Self-Referral
Characteristic Prohibitions & Requirements
Prohibitions:
• Practice of medicine without a license
• Sharing of fees between licensed and unlicensed individuals or business
entities
• Ownership of medical practices
• Employment of professionals by
– Nonprofessionals
– Business entities
Requirements:
• Licensed physicians to own and operate entities that provide medical
services
• Management fees stated within management services agreements set at fair
market value
1997 Balanced Budget Act Required Fee Splitting
• Medicare reimbursement has always been limited
• 1997 BBA: 100% of Medicare payment went to the remote, consulting
practitioner
• Consultant (remote site) then had to pass 25% of the payment to referring
practitioner (originating site)
• Accounting problems: full amount was reported to IRS as income to the
consultant, even though for one-fourth of the payment he was but a conduit
BIPA, Pub. L. No. 106-554, § 223(m)(2)(c)
• Medicare, Medicaid, and SCHIP Benefits Improvement and Protection Act of
2000, 42 U.S.C. § 1395m
• Consultant receives entire Medicare payment in "an amount equal to the
amount that the physician or practitioner would have been paid under
Medicare had the service been furnished without the use of a
telecommunications system.”
• Referring physician (telepresenter) could bill Medicare for any services he
provided to the patient on the day of the telehealth service
• Referring physician's site may also receive a "facility fee”
– Originally $20
– Now 80% of the lesser of the actual charge or $24.43
Anti-Kickback Statute:
The Medicare/Medicaid Patient Protection Act
• Criminal statute: makes illegal any arrangement where 1 purpose is to
offer, solicit, or pay anything of value in return for a referral for
treatment or services provided to Medicare, Medicaid, and state program
patients
– Mens rea: intent
– 42 U.S.C. § 1320a-7b
• Regulatory safe harbors: narrow, but provide immunity from prosecution
– 42 C.F.R. § 1001.952
• Violations: Fine of up to $25,000, imprisonment of up to 5 years, or both
AKS Analysis
• Does the provider have any remunerative relationship between itself and persons or entities in a position to generate Federal health care program business for the provider directly or indirectly?
• Could one purpose of the remuneration be to induce or reward the referral
or recommendation of business payable in whole or in part by a Federal
health care program?
Additional Considerations
• Does the arrangement have a potential to interfere with, or skew, clinical
decision-making?
• Does the arrangement or practice have a potential to increase costs to
Federal health care programs?
• Does the arrangement have a potential to increase the risk of overutilization
or inappropriate utilization?
• Does the arrangement raise patient safety or quality of care concerns?
AKS Safe Harbors
• Equipment rental
• Personal services and management contracts
• Electronic prescribing items and services
• Electronic health records items and services
• Must analyze any telemedicine arrangement from each party’s perspective
and what benefits either party may receive in return for inducing referrals
• Safe harbor is remuneration-specific and does not globally protect an
arrangement
AKS and Telestroke: Advisory Opinion No. 11-12
• Proposal: emergency protocols and consults with stroke neurologists via
telemedicine to community hospitals: Neuro emergency telemedicine
hardware, software: audio-visual
– Neuro emergency clinical consults 24/7/365
– Acceptance of neuro emergency transfers
– Neuro emergency protocols, training, and medical education
• Participating hospitals
– Not to participate in any other neuro emergency telemedicine service without system’s prior OK for length of agreement; 2y anticipated
– Marketing: Grant system a limited license to use the participating hospital’s trademarks and service marks
• OIG: proposed arrangement could potentially generate illegal remuneration
under federal AKS
• OIG would not impose sanctions because arrangement contains sufficient safeguards to reduce the risk that it would result in improper payments for referrals
No. 11-12: Safeguards
• System unlikely to generate many referrals:
– Neither participating hospitals nor their MDs would be required or encouraged to refer to system’s hospital
– No EP would get additional compensation
• Program participation initially would be offered to hospitals with which the
system already had a clinical affiliation
• Both participating hospitals and system might benefit from deal, but primary
beneficiaries would be patients who could be treated at the participating
hospitals’ emergency departments
– “Time is brain”
• Deal would afford system and hospitals opportunity to engage in marketing
using each other’s marks, but
– Neither would be required to engage in marketing
– Each party would pay its own marketing costs
• Unlikely to result in increased costs: System certified that few, if any,
consults would be billable to Medicare
AKS and Grant-Supported Rural TM Network: Op. 99-14
• Federal grant supported a rural TM network
– Possible fraud exposure upon expiration
• Health system’s ongoing financial support of equipment provided to rural
HCPs would not violate AKS because of clear Congressional intent that
network support continue beyond the grant’s term to establish TM
infrastructure in rural areas
• Still, any HCP that stood to profit from the TM network should share the
appropriate costs borne by the health system to maintain the TM
infrastructure
– 99 Op. Off. Inspector Gen. 14 (1999)
Ad Services Facilitating Telemedicine: Advis. Op. 02-12
• Party requesting opinion “certified that it would comply with the Health
on the Net Foundation Code of Conduct for medical and health care web
sites.”
• Entailed ensuring “that the visitor-web site relationship support, and not
replace, the patient-physician relationship.” “Through the use of identifying
words, design, or placement,” advertiser must make clear to readers that it
provides commercial advertising
• Disclaimer: “affirmatively state[s] that the inclusion of such ads does not
constitute a guarantee, endorsement, or recommendation of the products,
services, or companies appearing in such ads or accessible through such
hyperlinks.”
• May help: leave the design of ads up to advertising docs.
• Goal: Make clear to reader that site is providing no medical advice, nor is it
in some special position to do so.
Potentially Pertinent AKS Safe Harbors
1994: OIG special fraud alert re: clinical lab services
• If clinical labs provide free computers or fax machines to MDs, could
constitute illegal remuneration unless MD
• (1) Used the equipment exclusively to coordinate lab services;
• (2) Equipment was integral to MD’s use of lab’s services
– OIG, Special Fraud Alert: Arrangements for the Provision of Clinical Lab
Service, 59 Fed. Reg. 65,372, 65,377 (Dec. 19, 1994)
• MD access to hospital TM equipment could implicate AKS unless
hospital takes precautions to make sure equipment and services are
used for hospital patients only
– Charge MD FMV for any additional use
• MD receives free electronic prescribing technology or training
– 42 CFR § 1001.952(x)
• Free EHR software, information technology or training
– 42 CFR § 1001.952(y)
Telemedicine Equipment Leases:
Medical Staff Incidental Benefit?
• (i) Written lease signed by the parties
• (ii) Lease specifies the equipment covered
• (iii) Lease provides lessee with use of equipment for periodic intervals, not
full-time for lease term
– Lease specifies schedule, length and rent for the intervals
• (iv) Term is for at least for 1 year
• (v) Aggregate rent set in advance, c/w FMV
– Not influenced by volume or value of any referrals or business otherwise
generated between the parties
• 42 CFR Section 1001.952(c)
• OIG Advisory Opinion No. 98-18 (optometrist)
Provision of Subsidized or Free Equipment
• Telemedicine partners may be incentivized to refer to each other by virtue
of their interconnectedness
• Is host subsidy of system’s capital or operating costs intended to lock in a
referral stream to the host?
• Risk: proportional to the extent that
– Host bears most of the cost
– Remote MD access to host results in referrals, and vice-versa
Federal Stark Law (42 U.S.C. § 1395nn)
– Physician
– Referral
– Medicare/Medicaid Patient
– Designated Health Services (Partial List)
• Clinical Lab
• DME
• Diagnostic Imaging Services (X-ray, CT, MRI, etc.)
• Occupational and Physical Therapy
• Home Health Services
• Prescription Drugs
• Inpatient/Outpatient Hospital Services
– Applicable Exception?
Caution Under Stark
• Free telemedicine equipment or services
• Volume discounts
• “Per-click” payments or advertisements on physician websites
• Joint ventures with telemedicine technology, monitoring, or networking
companies
• Telemedicine network to facilitate patient consultations: MD may wish to be
financially independent
• Practitioner could invest in a comprehensive hospital or health system; not a
discrete telemedicine subsection of that hospital or health system
• MD may invest in
– Well-capitalized telemedicine services company or
– One that provides or manufactures telemedicine technology
• 42 U.S.C. § 1395nn(d)(3) (2002).
• Riskier: telemedicine start-ups
Telemedicine Self-Referral Exceptions
• Free electronic prescribing technology or training or free EHR software,
IT or training (through 2021)
• Hospitals may fund up to 85% of docs’ EHR costs
– 42 CFR § 411.357(v), (w)
• Community-wide health information systems MDs may refer Medicare
patients to entities from which MD has received IT equipment or
services that allow MD access to and sharing of EHR for patients served
by community providers, if certain conditions are met
• 42 CFR § 411.357(u)
• Referrals to a rural provider in which MD has a financial interest
– Rural provider: any entity that furnishes at least 75% of the DHS that it furnishes to residents of a rural area
• 42 CFR § 411.356(c)(1); § 1395nn(d)(2)
Social Media Marketing/
Patient Communication Pitfalls
(to text or not to text? Or email …)
Intersection of Law and Social Media
• Professional Liability/Risk Management
– Highly recommend not giving medical advice, consultation, care, treatment, etc. via social media
– Try to document all social media correspondence and communications that may involve medical advice, consultation, care, treatment, etc. in the patient’s record
– Check with your professional liability insurance carrier to determine if such communications or correspondence are covered or excluded from your policy
– Develop a written policy and procedure for your practice and physicians on the use of social media and communication with patients
Intersection of Law and Social Media
• HIPAA/Florida Medical Record Confidentiality Law Considerations (§
456.057, F.S.)
– Use written consent/authorization forms that clearly identify the use of social media for patient communication purposes and the patient’s authorization to do so
– Use HIPAA compliant procedures for secure transmissions and/or encryption for e-mails, Facebook or Twitter
– Try to avoid posting any patient information in social media if at all possible – even a faceless image of a skin rash can be a breach of patient confidentiality
– Never put superconfidential information (HIV/AIDS, STDs, substance abuse, mental health, etc.) in social media, even if the patient requests it (highly recommend declining such requests)
Understanding the Technology
• “Social Media” is general term that encompasses
different types of technology.
• Each poses different risks, and must be addressed
thoughtfully.
• Common social media applications include Facebook,
LinkedIn, Twitter, Weblogs(“Blogs”), websites (including
photo sharing sites), Instant Messaging, and “Texting”.
Identify Risks
• The HIPAA rules apply to social networking; except for
TPO and other more limited exception, patient
authorization is required for uses and disclosures of
Protected Health Information. Even demographics are
considered to be PHI.
• “Communication” is the key – protected health
information that finds its way onto social media is being
communicated, typically without authorization, and
likely constitutes a breach.
• Company policies should reflect the risk inherent in each
type of technology.
Top Four Marketing Pitfalls
on Social Media
1. Sharing inaccurate medical articles and information
• As a trusted medical professional, it is your responsibility to avoid sharing or liking news
stories or articles about medical treatments unless you have thoroughly read the story
and verified its accuracy
• Be wary of posting satirical articles also, as some people may not be able to distinguish
the difference
• Posting inaccurate or false information on your practice’s Twitter page, your personal
Facebook page, etc., can reflect poorly on you and your reputation
2. Potentially misleading information and images
• Be careful not to post claims or information about your practice which could be
considered deceptive or ambiguous to patients
• Be especially mindful of guarantees of results, exaggerated reporting of past success,
and other problematic statements
Top Four Marketing Pitfalls
on Social Media
3. Violating Patient Confidentiality
• It is always best to avoid talking about specific patients on social media unless you have
clear written authorization and permission to do so
• When taking photographs in or around your offices for publication online, be sure that
no patients, no medical records, and no patient names are visible in the background
4. Making Missteps in Establishing your Online Presence
• Do not use social media as a platform to “blow off steam” – once you have made a
statement online, it cannot ever truly be deleted
• When using social media as a health professional, only post information that your
patients and community will find helpful
• It is best to avoid “hot button” divisive issues such as religion and politics
The technology is here to stay!
• Your workforce uses it . . .
• On your computer system
• On a smart phone
• Away from work
• Workforce means
• Employees, volunteers, trainees, and other persons whose conduct, in the performance
of work for a covered entity, is under the direct control of such entity, whether or not
they are paid by the covered entity.
• You are responsible for your workforce under HIPAA
• Even on social media . . .
Workforce Checklist
• Do they know the organization’s philosophy
• Do they understand your policies, code of conduct
• Don’t underestimate need for retraining
• Do they know where to go with an issue
• Sign confidentiality agreements
• Use of your computers for social media
• Use of smart phones and other devices as part of the job vs. personal use
Text messaging solutions carry a great deal of risk stemming from various threats and vulnerabilities. Before utilizing text messaging, these risks must be evaluated and effectively managed to ensure compliance with HIPAA and avoid the potential for unauthorized use or disclosure as well as data breach.
Texting Done Two Ways
• Category #1: Traditional wireless carrier-based text messaging (SMS, Short Message Service)
• Category #2: Application-based instant messaging: users exchange messages over the internet between web-enabled devices
The Trouble with SMS Texting …
By virtue of how it is generated, transmitted, stored, and viewed, traditional SMS texting presents several obstacles to HIPAA compliance.
Key Obstacles of SMS Texting
• SMS text messages are currently not secured through encryption
• ePHI can remain stored on wireless carrier servers
• SMS text messages are transmitted in clear text
• Senders cannot authenticate recipients
• SMS text messages are not encrypted
• Recipients cannot authenticate senders
• ePHI sent via SMS text message can end up being stored in places outside the control of the sender or the recipient
Investigate, Mitigate and Discipline
• In the event the information that is posted included personal information, Social Security Number, Driver’s License Number, or bank or credit card information, state consumer protection laws may, separately from HIPAA, require notification of individuals and, in many states, state regulatory agencies.
Investigate, Mitigate and Discipline
• The challenge is mitigation of the effect of the disclosure.
• The answer depends on the social media that are involved, but every effort
must be made and documented.
• Take down of the Protected Health Information is the goal.
• Reality is that once something is posted on the internet, it may live forever.
Information can be disseminated in a variety of ways – copied, emailed,
stored on line and off-line.
Investigate, Mitigate and Discipline
• Terms & Conditions:
– Determine the rights of the workforce member that made the posting and
request that he/she remove the posting;
– Contact the social media site, cite HIPAA and request assistance in removing
the material;
– Make whatever efforts are possible to trace and remove secondary postings;
and
– Use the postings as a teaching opportunity to prevent further violations.
Investigate, Mitigate and Discipline
• Discovering the issue
• Different type of investigation – not always patient driven
• Coordination of HR and Privacy Officer
• Interview witnesses and workforce members
• Consider reporting obligations and respond appropriately
• Respond to government or patient, as appropriate
Investigate, Mitigate and Discipline
• Factors:
– Harm to the patient or covered entity
– Intent
– Lack of training
– Previous violations
– Severity of the incident
• Be Coordinated
• Be Consistent
Covered Entities: Assess
Current Compliance
• Review Policies and Procedures
– Complete? Accessible? Followed?
• Business Associate and Data Use Agreements
– In place? Current? Gathered together?
• Other Requirements:
– NPP, access, accounting, amendment, restrictions on use/disclosure,
confidential communication arrangements, personnel, training,
documentation
• Address Gaps
Develop a Social Media Policy
• Govern how employees use social media in and out of the workforce
• To protect confidential information and prevent improper use of social media
• To outline disciplinary procedures
• Description of social media & purpose
• Address use of social media on company time and use of company equipment
• Distinguish between use of covered entity provided technology and personal technology
• Dovetail with employment policies
Develop a Social Media Policy
• Prohibit Disclosure of Confidential Information
– Specify “No disclosure of member/patient identifiable information of any kind – even if the individual is not identified by name”.
– Specify no disclosure of trade secret information.
– Reference other company policies – confidentiality, electronic use, cellular phone policies.
– Prohibit discriminatory/harassing statements about co-workers, current and past employees and patients.
• Reference company anti-discrimination and anti-harassment policies.
– Prohibit defamatory comments regarding the office, employees, patients, services.
• Specify that the policy will be applied and construed in accordance with Section 7 of the National Labor Relations Act (“NLRA”) – Protected Activity exception.
• Carve out whistleblower protection to explain that employees can voice good faith concerns about a law or regulation that may have been violated, company conditions affecting public health and safety, and suspected privacy and securities fraud breaches.
Develop a Social Media Policy
• Section 7 of the NLRA provides:
– Employees shall have the right to self-organize, to form, join, or assist labor organizations, to bargain collectively . . . and to engage in other concerted activities for the purpose of collective bargaining or other mutual aid and protection.
• This means you can’t prohibit employee posts that can be seen as an attempt to improve working conditions. For example,
– Posts that criticize operations impacting employees.
– Posts discussing wages, hours, & other working conditions.
– Posts that disparage supervisors or management.
• Section 7 has been interpreted very broadly and the Board is taking an aggressive approach towards work rules and policies, including social media policies, which might be interpreted to restrict employees’ right to engage in concerted activity.
• Effective November 14, 2011, employers are required to post notices in the workplace informing workers of their rights under the NLRA.
Develop a Social Media Policy
• What Should Be Included?
– Violation of the policy may result in disciplinary action, up to, and including termination.
– Reporting Requirements
– Notify supervisor or privacy officer of policy breach
Responsible Investigation of Employee
Social Media Interaction
• Employers most commonly use social media to investigate applicants and to monitor employee use of social media.
• Advantage of reviewing social media is knowledge.
• Future Employees
– Misrepresentation of qualifications
– Breaches with regard to former employers
– Inappropriate posts
– Discriminatory/harassing comments
• Current Employees
– Misrepresentations with regard to ability to work
– Disclosure of confidential information
– Inappropriate posts
– Discriminatory/harassing comments
Responsible Investigation of
Employee Social Media Interaction
• Employers can take several steps to minimize legal exposure with regard to
review of employee social media.
– A Social Media policy for employees explaining they have no reasonable expectation of privacy in social media posts is crucial.
– Consider obtaining a stand alone consent form from employees, as well as a consent form from potential employees permitting social media searches.
– Consider drafting a policy for management to address how to run searches on potential and current employees and how to handle information received.
– Consider using a non-decision maker to run the searches and report only relevant information.
– To avoid potential liability, employers should not pose as a co-worker to friend another employee. Employers also should not attempt to break into password protected or private sites.
– Be consistent. If you choose to run a social media search on potential applicants, do not select a few haphazardly, but search all candidates in the same manner. Also be consistent with regard to how and when you monitor employee use.
– Document information used to disqualify candidates or discipline employees.
Patients and Technology How to Remain Compliant
• Health Professionals face new compliance challenges
by the increased use of technology by patients
– With the advent of the smartphone, any patient potentially has a digital camera, a video and audio recorder, and mobile upload device on their person
– It is becoming increasingly commonplace for a patient to ask if they may record part or all of their visit (audio, video, or both)
– Other patients may not even ask permission and may simply begin taking photographs or recording audio/video on their phone while in a reception area, walking to an examination room, or during their interactions with staff and doctors during the visit itself
– It is highly recommended that an office policy be kept in place disallowing any and all recording of audio, video, or still images by patients within the office
Patients and Technology Office Policy
• Florida is a “dual consent” state, meaning it is illegal to record an oral or
electronic communication in Florida unless all parties to the communication
consent – Section 934.03, Florida Statutes
• If you consent to have your conversation recorded by the patient, the
recording is confidential for the patient, not for you – in other words, only
the patient could disclose the record to third parties or even post it online
• Office Policy - “To protect the rights of this office and our patients, the use
of cellular phones or other electronic devices to record audio, video, or still
images within this office is strictly prohibited”
• Post a visible copy and consider having patients sign an acknowledgement
form in which they agree that they understand and will not violate this
office policy
Patients and Technology Be Consistent
• The key to effective enforcement is consistency
– Be consistent in your enforcement of the policy – inconsistencies and/or
exceptions are a slippery slope that can lead to a number of issues
– “I have a bad memory, do you mind if I record this to help me remember later?”
Advise that it is against office policy, but offer alternatives such as a clinical
visit summary
– Ensure that employees not only know the policy but will also enforce it by
reminding patients of the policy if it appears a patient may be taking
photographs/recording with their phone
– The risks posed by recordings are to both the practice and other patients:
something as seemingly innocuous as a patient (or employee) taking a picture of
themselves in your office to post on Facebook, Instagram or Snapchat may result
in unauthorized disclosure of PHI – another patient’s name could be visible in the
image on a scheduling board, a computer monitor, a records file, etc.
Breach Notification –
OMG- I have a Breach!!!
Now What?
Prior Notification Obligations in Case of Breach of
PHI or PHR
Effective by August 16, 2009 (interim final regulations due)
• Covered Entities – Upon discovering a breach of unsecured personal health
information (“PHI”), a CE will be required to notify the affected
individual(s) and, if more than 500 individuals are affected, HHS and
prominent media outlets serving the area. CEs will be required to maintain
and submit annually to HHS a log of all breaches.
• Business Associates – Upon discovering a breach of unsecured PHI, a BA will
be required to notify the CE.
• PHR Vendors and Entities – Upon discovering a breach of security of
personal health records (“PHR”), a PHR vendor or entity will be required to
notify the affected individual(s) and the Federal Trade Commission
(“FTC”).
• Third-Party Service Providers – Upon discovering a breach of security of PHR
health information, third-party service providers that provide services to
PHR vendors or entities that offer products and services through a website
will be required to notify the PHR vendor or entity.
Changes to Breach Notification
in Final Rule
• The Final Rule retains many requirements from the interim final breach
notification rule. However, it removes the “risk of harm” standard in
exchange for a more objective standard for determining whether a
“breach” has occurred. (Thus, inquiry into whether there is a significant
risk of harm to privacy and security is no longer appropriate.)
• The Final Rule establishes a presumption that impermissible uses and
disclosures of PHI are breaches, unless an exception applies. Covered
entities can rebut that presumption (removing the notification
requirement) by engaging in a risk assessment to determine whether there
is a low probability that PHI has been compromised. However, because of
the presumption, covered entities may avoid the risk assessment and
provide notification.
Changes to Breach Notification in Final Rule
• A risk assessment would examine at least the following four factors:
– The nature and extent of the PHI involved, including the types of identifiers and
the likelihood of re-identification;
– The unauthorized person who used the PHI or to whom the disclosure was made;
– Whether the PHI was actually acquired or viewed; and
– The extent to which the risk to the PHI has been mitigated.
• If no exception applies and, after reviewing all of these factors, the covered entity
cannot demonstrate that there is a low probability of compromise to the PHI,
notification is required.
• The OCR cautioned that, when working through these factors, many forms of health
information can be sensitive, not just information about sexually transmitted
diseases, mental health diseases or substance abuse. In addition, the OCR confirmed
that violations of the minimum necessary rules also could result in breaches requiring
notification.
Changes to Breach Notification
in Final Rule
• OCR clarified other aspects of the breach notification rule:
– The time for notification begins to run when the incident is known to have
occurred, not when it has been determined to be a breach. However, a covered
entity is expected to make notifications after a reasonable time to investigate
the circumstances surrounding the breach in order to collect and develop the
information required to be included in the notice to the individual(s).
– The obligation to determine whether a breach has occurred and to notify
individuals remains with the covered entity. However, covered entities can
delegate these functions to third parties or BAs.
– Written notification by first-class mail is the general, default rule. However,
individuals who affirmatively agree to receive notice by e-mail may be notified
accordingly. In limited cases, individuals who affirmatively agree to be notified
orally or by telephone may be contacted through those means with instructions
on how to pick up the written notice.
– Notices of Privacy Practices must include a statement that covered entities must
notify affected individuals following a breach.
Privacy Violations and Breaches
• HITECH is definitely pushing for all PHI to be secured; methods of disclosure that are
unsecured (i.e. paper & faxes) are not encouraged
• ‘Breach’ is defined as the unauthorized acquisition, access, use or disclosure of PHI
which compromises the Privacy & Security of unsecured PHI, and is going to be very
strictly enforced
• Cases of PHI Breach will cause the CE, Data Exchange or PHR (Personal Health Record)
to notify the Individual of all breaches of their unsecured PHI that were determined to
have the potential for harm.
– If HHS Secretary (OCR) must be notified as well
– Media must also be notified if over 500 names, and posted on your website
• ‘Secured’ vs. ‘unsecured’ PHI is a very complex set of concepts; thorough
understanding of these terms and which of your data falls into which category is
mandatory.
Privacy Violations and Breaches
• Snooping into electronic records (unauthorized access) is definitely a privacy
violation, but if the records are ‘secured’ according to the definition the violation need
not be reported to Individuals or OCR
• Inadvertent access by employees, as long as they immediately close the records they
accessed without reading them, is not a privacy breach
• Misdirected faxes are a privacy violation, as are lost mailed paper record copies;
these may also technically be a ‘breach’
• CE must make the ‘harm’ determination: whether there is a potential for reputational or
financial harm resulting from the violation. If there is the potential for harm to the
Individual (and the PHI is unsecured according to the definition) then the violation is a
breach and both the Individual and OCR must be notified.
• Get ready! HHS has just stated that not knowing is no excuse; in fact, beware of
Willful Neglect!
• Notification methods listed in HITECH could be burdensome for the CE
Privacy Violations and Breaches
• Set-up your Policies, Procedures and forms now.
• I like to use the term ‘Privacy Events’, they are not Breaches until that is
determined by defined procedure
• Very complex set of Policies and Procedures to structure, must be aware of
all the rules and apply them to areas like Harm Threshold Analysis, how to
determine unsecured vs. secured PHI and who needs to be notified when
• Remember BAs have to report Privacy Events to CEs asap, make sure that
the CEs and BAs coordinate
• Breach reporting:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html
Privacy Event, Breach, Harm Threshold Analysis and Notification
• Purpose
– To provide foundational elements for the determination and response to Privacy
Violations, Breaches (wrongful acquisition, access or disclosure) of PHI (Protected
Health Information), the resultant Harm Threshold Analysis and Breach Notification
responsibilities, policies and procedures that may occur from both HIPAA and State
perspectives.
Policy: Create your policy to cover appropriate areas of the overall policy scope.
Let’s review the Policy example
Privacy Event, Breach, Harm Threshold Analysis and Notification
Key Steps in Breach Procedure
Step 1. Investigation and documentation by CE (or BA) of a Privacy Event.
Step 2. Final determination of whether a Privacy Violation has occurred.
Step 3. Determine if a Breach of unsecured PHI has probably occurred.
Step 4. If unsecured PHI has been breached, perform a Harm Threshold Analysis.
Step 4a. If a HIPAA Privacy violation of unsecured PHI has occurred, notify OCR either
immediately (if over 500 individuals per event) or annually (if under 500 individuals
per event).
Step 4b. If fewer than 500 individuals per Breach were involved, notify OCR annually.
Step 5. If required, notify individual(s) of a breach of their PHI.
Step 6. Feedback, mitigation, sanctions and corrective actions developed and recorded.
Steps for Privacy Breaches
• What is Secured PHI?
• On April 27, 2009, HHS issued the HITECH Breach Notification Guidance specifying
the technologies and methodologies that render PHI unusable, unreadable, or
indecipherable to unauthorized individuals.
• Encryption. Electronic PHI is only secured where it has been encrypted. The HIPAA
Security Rule specifies encryption to mean the use of an algorithmic process to
transform data into a form in which there is a low probability of assigning meaning
without use of a confidential process or key. The Rule identifies the various
encryption processes which are judged to meet this standard. Further, such
confidential process or key that might enable decryption must not have been
Breached. To avoid a Breach of the confidential process or key, decryption tools
should be kept on a separate device or at a location separate from the data they are
used to encrypt or decrypt.
• Destruction. Hard copy PHI, such as paper or film media, is only secured where it has
been shredded or destroyed such that the PHI cannot be read or otherwise cannot be
reconstructed.
Steps for Privacy Breaches
• Determine whether the use or disclosure of PHI violates the HIPAA Privacy Rule.
For an acquisition, access, use, or disclosure of PHI to constitute a Breach, it must
constitute a violation of the HIPAA Privacy Rule.
• Analyze whether there is a use or disclosure that compromises the security and
privacy of PHI (Harm Threshold Analysis). See Use case and Q&A Tools.
• Assess Whether any Exceptions to the Breach Definition Apply. The Rule discusses
a number of exceptions to the definition of Breach. The following three situations
are excluded from the definition of “Breach” under the Act:
– The unintentional acquisition, access, or use of PHI by any workforce member or
person acting under the authority of a CE or BA, if such acquisition, access, or
use was made in good faith and within the scope of authority
– The inadvertent disclosure of PHI by an individual otherwise authorized to access
PHI at a facility operated by a CE or BA to another person at the same CE or BA,
or at an organized health care arrangement in which the CE participates
– An unauthorized disclosure where a CE or BA has a good faith belief that an
unauthorized person to whom PHI is disclosed would not reasonably have been
able to retain the information.
Notification Requirements
• Notification Requirements to Individuals and/or Media in the Event of a
Breach of Unsecured PHI
• The Breach notifications required by the Act and the Rule are significant
and are triggered by the “discovery” of the Breach of unsecured PHI. A
Breach is treated as “discovered” by a CE as of the first day the Breach is
known, or reasonably should have been known, to the CE.
• Notification to Individuals. A CE must send the required notification to
each individual whose unsecured PHI has been, or is reasonably believed to
have been, accessed, acquired, used, or disclosed as a result of the Breach,
without unreasonable delay and in no case later than 60 calendar days after
the date the Breach was first discovered by the CE, or sooner if state law is
more stringent (e.g. Florida is 45 days).
• Notification to Media. If a CE discovers a Breach affecting more than 500
residents of a state or jurisdiction, it must provide notice to prominent
media outlets serving that state or jurisdiction.
Notification Requirements
• Notification to HHS (OCR). If more than 500 individuals are involved in
the Breach, regardless of whether the Breach involved more than 500
residents of a particular State or Jurisdiction, then the CE must notify HHS
concurrently with the individual notifications.
• For Breaches involving fewer than 500 individuals, the CE must maintain an
internal log or other documentation of such Breaches and annually submit
such log to HHS.
• Notification by a Business Associate. Following the discovery of a Breach
of unsecured PHI, a BA is required to notify the CE of the Breach so that the
CE can, in turn, notify the affected individuals. To the extent possible, the
BA should identify each individual whose unsecured PHI has been, or is
reasonably believed to have been, Breached. The BA should notify the CE of a
suspected privacy violation or breach within 1 business day.
Methods and Contents of Notice
• Methods of notification include:
– First class mail to last known address
– Or e-mail if preferred by patient
– Provide for substitute notice if insufficient or unknown contact information
– In the case of a Breach with 10 or more patients with unknown contact info, post
general info in the media or on your website and have a toll-free number to call
• Contents of Breach Notification:
– Dates of Breach and Discovery
– Brief description of what happened
– Description of types of information involved
– Steps individuals should take to protect themselves
– Brief description of CE (or BA) remediation actions
– Contact information for individuals to learn more
• Timing of notification: Without unreasonable delay, not longer than 60 days after
discovery
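As an added worked example (not part of the presentation), the notification decision procedure from the Key Steps slide and the Notification Requirements slides in Python: secured PHI (encrypted, key not breached), one of the three exclusions from the Breach definition, or a documented low probability of compromise ends the analysis; otherwise it computes the individual-notice deadline (60 days, or Florida's 45), whether HHS is notified concurrently or through the annual log, which states' media must be notified, and the BA's one-business-day report to the CE. The PrivacyEvent fields, the state deadline table and the sample figures are constructed for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

# Thresholds and deadlines as stated on the slides. STATE_DEADLINE_DAYS is a
# constructed lookup: only Florida's 45-day figure appears in the presentation.
FEDERAL_DEADLINE_DAYS = 60
STATE_DEADLINE_DAYS = {"FL": 45}
HHS_CONCURRENT_THRESHOLD = 500   # more than 500 individuals in total -> HHS with the individual notices
MEDIA_THRESHOLD = 500            # more than 500 residents of one state -> prominent media there
BA_TO_CE_BUSINESS_DAYS = 1       # BA reports a suspected violation to the CE within 1 business day


@dataclass
class PrivacyEvent:
    """Facts gathered in Steps 1-3 (field names are this example's own, not the slides')."""
    discovered: date                       # first day known, or reasonably should have been known
    affected_by_state: Dict[str, int]      # residents affected per state, e.g. {"FL": 620, "GA": 30}
    phi_encrypted: bool                    # encrypted per the HITECH guidance
    key_compromised: bool = False          # was the decryption key/process itself breached?
    exception: Optional[str] = None        # one of the three exclusions from "Breach", if any
    low_probability_of_compromise: bool = False  # outcome of the documented four-factor assessment
    discovered_by_ba: bool = False         # found by a business associate rather than the CE


def phi_is_secured(ev: PrivacyEvent) -> bool:
    """Encrypted PHI counts as secured only while the key/process has not been breached."""
    return ev.phi_encrypted and not ev.key_compromised


def add_business_days(start: date, n: int) -> date:
    """Advance n Monday-to-Friday days (holidays are ignored in this example)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def assess(ev: PrivacyEvent) -> dict:
    """Walk Steps 3-5 and return who must be notified and by when."""
    out = {"breach": False, "notify_individuals": False, "hhs": "none",
           "media_states": [], "individual_deadline": None,
           "ba_to_ce_deadline": None, "reason": ""}
    if ev.discovered_by_ba:
        out["ba_to_ce_deadline"] = add_business_days(ev.discovered, BA_TO_CE_BUSINESS_DAYS)
    if phi_is_secured(ev):
        out["reason"] = "privacy event involving secured PHI: document it, no notification"
        return out
    if ev.exception:
        out["reason"] = "excluded from the Breach definition: " + ev.exception
        return out
    if ev.low_probability_of_compromise:
        out["reason"] = "presumption of breach rebutted by the documented risk assessment"
        return out
    # Presumed breach of unsecured PHI: individual notification is required.
    out["breach"] = out["notify_individuals"] = True
    out["reason"] = "breach of unsecured PHI"
    total = sum(ev.affected_by_state.values())
    out["hhs"] = "concurrent" if total > HHS_CONCURRENT_THRESHOLD else "annual log"
    out["media_states"] = sorted(s for s, n in ev.affected_by_state.items() if n > MEDIA_THRESHOLD)
    # 60 days federally, or sooner where a state involved imposes a stricter deadline.
    days = min([FEDERAL_DEADLINE_DAYS] + [STATE_DEADLINE_DAYS.get(s, FEDERAL_DEADLINE_DAYS)
                                          for s in ev.affected_by_state])
    out["individual_deadline"] = ev.discovered + timedelta(days=days)
    return out
```

Calling `assess(PrivacyEvent(date(2016, 5, 11), {"FL": 620, "GA": 30}, phi_encrypted=False, discovered_by_ba=True))` on the constructed sample yields concurrent HHS notice, Florida media notice and a 45-day individual deadline; a "reason" string records which branch ended the analysis so the decision itself can be documented.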
Business Associates
• What is a “business associate”?
– Person or company which performs an activity or service for a
Covered Entity that involves the use or disclosure of individually
identifiable health information or any other function regulated
by the Privacy Standards
– A person or entity that creates, receives, or transmits PHI
in fulfilling functions for a HIPAA-covered entity
– Entities that “maintain” PHI for a covered entity, such as a data storage
company; e-prescribing gateways; subcontractors; Health Information
Organizations; data transmission providers
Business Associates
• What is a “business associate”?
– Examples of business associates are firms conducting
claims processing or administration, data analysis,
processing or administration, utilization review, quality
assurance, billing, benefit management, practice
management, or legal, actuarial, accounting, consulting,
management, accreditation, administrative, or financial
services
– HHS does not have the statutory authority to regulate
business associates
Covered Entities: Business Associates
• Policies and Procedures
– Types of business associates
– Agreement content
• Compliance with updated privacy and security requirements
• Breach notification
• Accountings of disclosures
• Contract Management
Implications of the HIPAA Final Rule
for Business Associates
• The final rule added the following to the definition of business associate
1. A health information organization, e-prescribing gateway, or other entity that
provides data transmission services to a covered entity and requires access on a
routine basis to protected health information (PHI). The preamble to the final rule
clarifies that an entity that is a mere conduit (such as a courier service) does not
require access to PHI, and therefore is not included.
2. An entity that offers a personal health record (PHR) on behalf of a covered entity.
However, if the PHR is not offered on behalf of a covered entity, the PHR vendor is
not a business associate.
3. A subcontractor. The regulations provide that if a business associate subcontracts
part of its function requiring access or use of PHI to another organization, that
subcontractor is also subject to HIPAA. There must be an agreement between the
business associate and its subcontractor that contains the elements required to be
included in business associate agreements and describes the subcontractor's
permitted uses and disclosures of PHI (which may not include uses and disclosures
not permitted to the business associate).
Implications of the HIPAA Final Rule
for Business Associates
• New responsibilities and liabilities under HIPAA for Business Associates
1. To keep records and submit compliance reports to HHS, when HHS requires such
disclosure in order to investigate the business associate's compliance with HIPAA, and
to cooperate with complaint investigations and compliance reviews.
2. To disclose PHI as needed by a covered entity to respond to an individual's request
for an electronic copy of his/her PHI
3. To notify the covered entity of a breach of unsecured PHI
4. To make reasonable efforts to limit use and disclosure of PHI, and requests for PHI,
to the minimum necessary
5. To provide an accounting of disclosures
6. To enter into agreements with subcontractors that comply with the Privacy and
Security Rules.
BAAs & Breach Notification under the New
HIPAA/HITECH Omnibus Final Rule
• The timeframe within which the business associate (“BA”) must notify the
covered entity (“CE”) of a breach
• Indemnification for breach expenses
• Cooperation in breach risk assessment
• Cooperation in HIPAA investigations
• Reporting of unsuccessful Security Incidents
• The extent to which the CE may direct the patient rights duties of the BA
• The right of the BA to operate outside the U.S., including storing data offshore
• Audit rights
• BA’s right to de-identify protected health information (“PHI”)
• BA’s right to use PHI for management and administration and data aggregation
purposes
• Defining when return or destruction of PHI upon termination of BAA is infeasible
• The extent to which the provisions in the BAA between the BA and its
subcontractor shall be identical to the BAA between such BA and the CE.
Copies and contact information
Request copies of this presentation
and more information from
Michael R. Lowe, Esquire
www.lowehealthlaw.com
407-332-6353