Posts Tagged social media

Tracking A Patient’s Every Move: HIPAA Compliance Risk

Posted by on
Tracking A Patient’s Every Move: HIPAA Compliance Risk

By: Kelli Fleming with Burr & Forman LLP

The Health and Human Services Office for Civil Rights (”OCR”) recently published a guidance bulletin addressing the use of online tracking technologies by entities covered by HIPAA, including but not limited physician practices. 

A tracking technology is used to collect information about how online users interact with websites or mobile applications. For example, have you ever wondered why after you search for a product on google, it automatically appears as an ad in your social media for the next few days? That is the result of a form of tracking technology. 

When used by healthcare providers, the information that is collected by way of a tracking technology may be considered protected health information (“PHI”) covered by HIPAA. If a healthcare provider utilizes a tracking technology vendor to gather and analyze information, including information about patients, the provider must ensure that the release of the information to the vendor is compliant with HIPAA and is not an impermissible use or disclosure. 

In the recent bulletin, OCR clarified that individually identifiable information “collected on a regulated entity’s website or mobile app generally is PHI, even if the individual does not have an existing relationship with the regulated entity and even if the [information] does not include specific treatment or billing information like dates and types of healthcare services.” 

Covered entities that engage a user-authenticated webpage (i.e., a website that requires a log-in) should only allow tracking technologies to use and disclose information in compliance with HIPAA, including in a secure manner. In order to comply with HIPAA, the covered entity must either enter in a Business Associate Agreement (“BAA”) with the vendor, or obtain patient authorization for such use and/or disclosure. Disclosing PHI to tracking technology vendors based solely on informing individuals of such use in the website’s privacy policy or terms of use is not sufficient, nor is merely accepting or rejecting cookie use. There must be either a valid, HIPAA compliant patient authorization or a BAA, and the use and/or disclosure must be permissible under HIPAA. For example, a disclosure to a tracking vendor for marketing purposes, without an authorization, would be impermissible. 

Covered entities using a website that is not user-authenticated (i.e., does not require a log-in) need to determine if any of the information obtained by the tracking vendor would be individually identifiable and constitute PHI. If so, a BAA and compliance with HIPAA would be required. However, the determination as to whether or not PHI is being collected by the vendor is not always clear and may not necessarily be known by the provider. OCR provides the example that if a student is writing a term paper regarding oncology services and visits a hospital’s oncology services webpage, information tracked in connection with that website visit would not be considered PHI. However, if a patient were looking at the same page regarding oncology services to see a second opinion on treatment options for a brain tumor, information tracked in connection with that website visit would be considered PHI. It would be difficult, if not impossible, for providers to determine the purpose of the visit.

Thus, based on the recent OCR guidance, if a covered entity is utilizing tracking technologies on its websites, in my opinion, the provider should always act as if PHI is being tracked and enter into a BAA with the vendor and ensure the use/disclosure is appropriate under HIPAA.

Kelli Fleming is a Partner at Burr & Forman LLP practicing exclusively in the Healthcare Practice Group. Kelli may be reached at (205) 458-5429 or kfleming@burr.com.

Pin It

Tags: , , ,

Posted in: HIPAA, Legal Watch, Technology

Leave a Comment (0) →

Social Media & Electronic Communication: Asset or Liability

Posted by on

social-media-management-1

Editor’s Note: This article was originally published in the 2015 Winter issue of Alabama Medicine magazine.

You may have heard the adage, “Don’t put anything on the Internet that you wouldn’t want tacked to a bulletin board in the Town Square.” Thanks to smartphones and their applications, that adage is easier than ever to ignore – and isn’t always followed. During the past few years, there have been numerous news stories of physicians being reprimanded after inadvertently identifying patients on social media, nurses being fired for posting photos taken during surgeries, etc. So what may a physician do to minimize liability risk when using smartphones?

There are many areas of concern – social media, email/text, and smartphone applications. While these may be viable tools for communicating with patients, there are inherent risks – confidentiality, data security, and the potential for email and text to replace open communication. The following tips may help minimize your risk.

Social Media

Social media has exploded from Facebook and its ancestor MySpace to Twitter, LinkedIn, Pinterest – the list goes on – and according to Facebook’s third quarter 2014 earnings, more than 1.3 billion people use Facebook monthly.

You’ve heard ad nauseam that patients who perceive they have a good relationship with their physicians are less likely to sue, even in the event of an adverse outcome, and heard more times than you can count that communication is the cornerstone of your relationships with your patients. But, that advice is proffered for the therapeutic, professional setting.

So how do you navigate the boundary between therapeutic and personal – or social?

“As a physician, I understand the perceived value of the ways in which patients tend to rely on Facebook to communicate with family and friends. However, we physicians need to be sure of a couple of things: One, communication about a patient’s therapeutic course happens face-to-face and, at times, is supplemented with phone conversations, with the common thread of give-and-take interaction. And two, ethically, that we don’t blur the line between therapeutic care and the social relationship,” Hayes V. Whiteside, M.D., Chief Medical Officer and Senior Vice President of Risk Resource at ProAssurance, said.

Generally, the best advice is to keep your professional and personal lives separate when using Facebook and not accept friend requests from patients. Facebook friends typically have access to all other friends, to photos posted, and also to notes and messages posted on your wall. No matter how tightly you lock down your privacy settings, there’s no guarantee of privacy.

If you decide to use Facebook or other social media professionally, it’s a good idea to set up an account for your practice only and consider these suggestions:

Add a disclaimer statement along the lines of, “Our clinic cannot give medical advice to any individual over Facebook. This Facebook page is
for general informational purposes only and should not be used in place of a consult with your regular medical provider. The information presented here is not intended to be used as a diagnosis or treatment. If you need emergency medical attention, please call 911 or go to the nearest emergency room. If you need to be seen in our office by a physician, please call [telephone number] for an appointment.”

  • Frequently monitor privacy settings and the page itself.Create guidelines or policy for staff regarding who may post updates to the page and under what circumstances, including who will redirect questions on the page to appropriate physicians for follow-up when a question is not general enough to be answered on the practice’s page, or when doing so would compromise patient privacy.
  • Create guidelines or policy for staff regarding who may post updates to the page and under what circumstances, including who will redirect questions on the page to appropriate physicians for follow-up when a question is not general enough to be answered on the practice’s page, or when doing so would compromise patient privacy.Ensure patient confidentiality. Refrain from publicly posting any protected health information, whether in discussion with a patient or other physician on the practice’s Facebook page. Doing so could result in a HIPAA violation.
  • Ensure patient confidentiality. Refrain from publicly posting any protected health information, whether in discussion with a patient or other physician on the practice’s Facebook page. Doing so could result in a HIPAA violation.

The American Medical Association has issued “Opinion 9.124 – Professionalism in the Use of Social Media,” and it may be found here.

Communicating via Email and Text

While email and, to a certain extent, texts may be viable tools for communicating with patients, there are some inherent liability risks. Issues such as confidentiality, data security, and the potential for email to replace open communication are examples of those risks. If email or text is used, risk management experts recommend physicians refrain from sending time-sensitive, highly confidential, or emergency information. Information concerning prescriptions, normal lab results regarding non-sensitive medical issues, appointment reminders, and routine follow-ups may be appropriate to transmit via email.

Confidentiality and security become issues of primary concern. Who will be processing the messages? Will physicians obtain informed consent from patients regarding transmission of information via email? Who has access to the email account? To the computer where emails are stored? If email is used, risk management experts recommend physicians refrain from sending time-sensitive, highly confidential, or emergency information. Information concerning prescriptions, lab results, appointment reminders, and routine follow-up inquiries are generally appropriate to transmit via email. Physicians should also print emails to and from patients and place them in the patient’s medical record.

The AMA in its “Opinion 5.026 – The Use of Electronic Mail” recommends physicians don’t establish a relationship via email and notes the same ethical obligations apply to any other encounter apply to communication via email. Regarding texts, medical/legal experts note they are subject to the same considerations and parameters as emails when it comes to privacy and protected health information, such as incorporation into the medical record. Risk management experts recommend avoiding using text to communicate patient information, treatment advice, etc. The AMA’s opinion may be found here.

Smartphone Apps

With 8-out-of-10 physicians using smartphones for professional purposes, according to mhealthwatch.com, it’s wise to be concerned about potential risk management implications. While such medical apps are great tools, there are innate risks – the unsecured smartphone, for example. Risk management experts recommend evaluating the types of information stored on a personal device. Research apps, such as Epocrates, should not be subject to HIPAA risks if used for research purposes only. However, apps allowing mobile dictation of information that can be transferred to an electronic medical record may be, as they may contain confidential patient health information. Another consideration is security – apps that transmit information may be vulnerable to hacking. Some medical apps bill themselves as HIPAA compliant; it’s wise to examine an app’s privacy policy and take reasonable steps to verify security. It’s also wise to keep in mind no app – especially free ones – is 100 percent secure.

Regardless of whether a smartphone app transmits, stores, or simply accesses patient health information, physicians should ensure the apps are HIPAA and HITECH compliant.

Tips to keep in mind:

  • HIPAA requires data security and proper destruction and/or file retention of patient health information when appropriate.
  • Physicians should remove patient health information from devices with apps before discarding/replacing the device.
  • Wireless apps should be reviewed to ensure security at all levels.
  • A security policy addressing mobile devices and apps that can be used, along with the appropriate use and destruction of patient health information, should be in place.
  • Work closely with information technology personnel to address security issues.

platinummvpProAssurance-insured physicians and their practice managers may contact Risk Resource for prompt answers to liability questions by calling (205) 877-5015 or email at riskadvisor@proassurance.com. ProAssurance is an official Platinum Partner with the Medical Association.

Pin It

Tags: , , , ,

Posted in: Management

Leave a Comment (0) →