• The HIPAA Privacy Rule provides federal protections for PHI held by covered entities and gives patients an array of rights with respect to that information.
• At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes – RELEASES TO SOCIAL MEDIA SITES ARE NOT AMONG THEM.
• The HIPAA Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to ensure the confidentiality, integrity, and availability of electronic protected health information.
• Depending on the platform/security, the public at large
– May be able to determine the identity of online friends
– Could reasonably infer that the person is a patient of the provider
• This assumption may create a violation of a person’s privacy rights
• Blogging by patients often includes details of medical conditions and treatments
– www.caringbridge.org
– www.carepages.com
• Patients may not understand or appreciate the potential for unauthorized disclosure and should be notified regarding security limitations for these blogs if the agency suggests using such blogs.
• A naïve healthcare provider may assume that posting on these blogs means the patient is waiving his or her right to have their provider safeguard the privacy of their PHI, and so replies or discusses the condition and procedure.
• This assumption and online response violate the patient’s privacy rights under HIPAA.
• Study performed at the University of Florida in 2007 and 2009 of all medical students and residents to determine
– who had Facebook profiles
– and to scan them to determine how many contained representations of protected health information, such as portrayals of people (either in text or pictures), names, dates, or descriptions of procedures.
• Photographs included trainees interacting with identifiable patients, all children, or performing medical examinations or procedures such as vaccinations of children.
• While students and residents in this study are posting photographs that are potentially violations of patient privacy, they only seem to make this lapse in the setting of medical mission trips.
• The recommendation was that all trainees need to learn to equate standards of patient privacy in all medical contexts using both legal and ethical arguments to maintain the highest professional principles.
• Three practical guidelines were suggested:
– A legal resource for physicians traveling on medical mission trips such as an online list of local laws, or a telephone legal contact, should be established.
– Institutions that organize medical mission trips should plan an ethics seminar prior to departure on any trip because the legal and ethical implications may not be intuitive.
– At a minimum, traveling physicians should apply the strictest legal standard to any situation.
• Ramifications for health care professionals:
– Many employee suspensions or firings after unauthorized release of patient photos
• Chief Resident of General Surgery, Mayo Clinic
– Firings also related to inappropriate comments or complaints about employer or patients, which can result in loss of future job opportunities (25-75% of employers check social networking sites in hiring process)
• Some facilities have banned the use of any cell phones or laptops under any circumstance by staff or patients.
– difficult to enforce
– may be counterproductive
• Others require completion of a form stating that photos will be taken of family members only.
– Conspicuously posted signs clearly stating bans or limitations on cell phone or camera usage within facilities so that staff, volunteers and patients are all aware
• Providers should avoid violating a patient’s PHI when participating in social media by, at a minimum, requiring potential online patient/friends to agree to a written statement indicating that they have read an online disclosure BEFORE an online “friendship” can be started.
• Do not comment online without a patient’s express written authorization to do so.
• Four new penalty tiers were implemented, effective November 30, 2009
• For violations occurring on or after February 18, 2010:
– CMPs ranging from $100 to $50,000 per violation, up to $1.5 million for identical violations occurring during a calendar year, where the entity did not and, by exercising reasonable diligence, would not have known that a violation occurred
– CMPs ranging from $1,000 to $50,000 per violation, up to $1.5 million for identical violations occurring during a calendar year, where the violation was due to “reasonable cause” and not willful neglect
• Reasonable cause: “circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply”
– CMPs ranging from $10,000 to $50,000 per violation, up to $1.5 million for identical violations occurring during a calendar year, where the violation was due to willful neglect and was corrected during the 30 day period following the date the covered entity knew or should have known the violation occurred
– CMPs of at least $50,000 per violation, up to $1.5 million for identical violations occurring during a calendar year, where the violation was due to willful neglect and was not corrected during the 30 day period following the date the covered entity knew or should have known the violation occurred
• Penalties may be avoided if the entity can demonstrate:
– Violation is the result of a knowing, criminal act by an individual that is punishable under 42 U.S.C. § 1320d-6, or
– Violation is not due to willful neglect and was corrected within the 30 days following discovery or such additional period as the Secretary deems appropriate
• Secretary may waive an imposed CMP if the CMP would be excessive if the violation was due to “reasonable cause,” even where the violation was not corrected during the 30 day period following discovery or other period deemed appropriate by the Secretary.