Wednesday, January 25, 2012

HIPAA, Facebook and Temporary Staff

When I conduct a training or draft policies for practices, I always include a prohibition against sharing patient information on social media sites. I usually get a few laughs or rolling eyes in response, as if to say "that's obvious!"  Unfortunately for a patient in California, it wasn't obvious to a temporary staff person at Providence Holy Cross Medical Center in Mission Hills, who is said to have recently posted a medical record on Facebook.  Allegedly, the patient's name and other complete identifiers were included in the post.  According to reports, this agency employee rejected complaints of a HIPAA violation and thought the post was both funny and perfectly acceptable to post to her page.   

Along those same lines, I recently received a note from a client asking what to do in terms of privacy and security when a student or temporary staff comes on board.  My response? Training first and foremost. Clearly, the agency employee in the Facebook incident had not received appropriate education or preparation in this area.

A "temp" is considered part of your workforce. A new workforce member should not access protected health information (PHI) in any format without first reviewing the appropriate privacy and security policies and signing off on a confidentiality/sanction agreement. Ideally, the new staff member should already have been trained on privacy and security concepts, either by his or her school or by the staffing agency. You need to screen the individual and confirm background education in this area. Then you need to ensure that the new workforce member is trained in your practices and in the "do's and don'ts" of accessing, creating, using and disclosing your PHI.

Remember: Only allow access to electronic records, especially those hosted on a cloud system, during the hours that the temporary workforce member is actually working for your organization. Failing to terminate access for all those days and weeks between work days in your office creates a huge risk for you.

Proactively attending to these preliminary steps up front, as a matter of office practice, could spare your entity from dealing with breach issues, investigations, and legal or regulatory sanctions later on.
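One way to check the access-window rule above against an EHR audit log, as an added example that is not from the original post: it flags any temp-account access that falls outside the hours the staffing agency scheduled, and lists which temp accounts have no shift on a given day and so should be disabled rather than left active. The account name, the schedule and the log lines are constructed sample data, and the space-separated log format is an assumption.

```python
from datetime import date, datetime, time

# Constructed sample schedule: the days/hours the agency says each temp is in the office.
TEMP_SCHEDULE = {
    "temp_jdoe": [
        (date(2012, 1, 16), time(8, 0), time(17, 0)),
        (date(2012, 1, 23), time(8, 0), time(17, 0)),
    ],
}

# Constructed sample EHR audit-log lines (assumed format): timestamp, account, action, record id.
ACCESS_LOG = """\
2012-01-16T09:12:00 temp_jdoe VIEW record-1001
2012-01-16T16:45:00 temp_jdoe VIEW record-1042
2012-01-19T22:03:00 temp_jdoe VIEW record-1007
2012-01-23T08:30:00 temp_jdoe EXPORT record-1042
2012-01-23T18:10:00 temp_jdoe VIEW record-1099
"""

def parse_log(text):
    """Parse log lines into (datetime, account, action, record) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, account, action, record = line.split()
            events.append((datetime.fromisoformat(ts), account, action, record))
    return events

def in_shift(account, when, schedule):
    """True if `when` falls inside one of the account's scheduled shifts."""
    return any(when.date() == day and start <= when.time() <= end
               for day, start, end in schedule.get(account, []))

def out_of_shift_events(log_text, schedule):
    """Temp-account accesses outside any scheduled shift. Each one is a finding
    to investigate and evidence that the account was left enabled between shifts."""
    return [e for e in parse_log(log_text)
            if e[1] in schedule and not in_shift(e[1], e[0], schedule)]

def accounts_to_disable(schedule, today):
    """Temp accounts with no shift on `today`: disable them rather than leaving
    them active until the person's next assignment."""
    return sorted(acct for acct, shifts in schedule.items()
                  if not any(day == today for day, _, _ in shifts))

if __name__ == "__main__":
    for event in out_of_shift_events(ACCESS_LOG, TEMP_SCHEDULE):
        print("OUT-OF-SHIFT ACCESS:", *event)
    print("Disable today:", accounts_to_disable(TEMP_SCHEDULE, date(2012, 1, 19)))
```

Run against the real audit export and the agency's roster, the same two functions give you both the review finding (access between assignments) and the daily deprovisioning list.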

Tuesday, January 3, 2012

Thoughts for the New Year

Much continues to happen in the compliance world. Before the turn of the New Year, I found myself helping a number of small practices move through their HIPAA security risk analysis process, which was inspired by their desire to meet the Meaningful Use criteria and receive incentive dollars.

Meaningful Use Core Measure 15 requires the eligible professional to attest "Yes" to having conducted or reviewed a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implemented security updates as necessary and corrected identified security deficiencies prior to or during the EHR reporting period to meet this measure. This only relates to ePHI.

But wait, the federal HIPAA audits are underway. The regulators, through their private auditors, will be looking at privacy and security compliance, risks and best practices. So the providers I assist get a review of both privacy and security gaps and risks, because one cannot operate without the other. The resulting action plan and risk management process incorporate common sense steps to reasonably address our findings, and weave compliance through their regular operations. Both privacy and security must be woven together, especially in the face of breach notification requirements at both the state and federal level.

Not to mention the mandates of the Medicare Conditions of Participation, Medicaid, Joint Commission and both hospital and professional licensing boards for keeping PHI private and secure. A failure to have policies and systems to protect your patient data could lead to headaches on many levels.

For the new year, make it a priority to put your HIPAA and HITECH house in order. You can't afford to work in a silo, addressing only electronic security or only privacy protections. Both items must be on your to-do list. Let me know if I can help.