HIPAA and Social Media

April 18, 2017

HIPAA laws can be broken in one social post. Don't let your practice fall victim to simple social media indiscretions.

The Health Insurance Portability and Accountability Act (HIPAA) requires that all patients' medical records, whether in paper or electronic format, be protected from unnecessary use or disclosure. This protection applies to everyone, including celebrities. Unfortunately, a group of employees at the University of California Los Angeles (UCLA) Medical Center are finding out the hard way that looking up a celebrity's medical information is a HIPAA breach that could cost them their jobs.

Several employees at the UCLA Medical Center accessed Kanye West's medical records when he entered the hospital last year seeking treatment for a nervous breakdown. According to Oregonlive.com, "It's not clear if they managed to sneak a peek at his treatment records, but it was enough to prompt UCLA bosses to launch an investigation into the alleged breach, which is expected to lead to a number of dismissals."

This is not a new issue for Kanye West, or his wife Kim Kardashian. In 2013, Mrs. Kardashian's private medical records found themselves at the center of a HIPAA breach at the hospital where she gave birth, Cedars-Sinai Medical Center in Los Angeles, CA. Shortly thereafter, the hospital fired six workers for snooping on more than a dozen patients' health records.

According to a report by The Los Angeles Times, "Los Angeles hospitals have a history with curious employees inappropriately accessing celebrity health records. Britney Spears, Farrah Fawcett, and then-California First Lady Maria Shriver have all been affected by HIPAA breaches in recent years. [The] UCLA Health System in 2011 agreed to pay $865,000 settlement for HIPAA breach allegations."

The lesson here is that no matter how excited we are to see our favorite celebrity at the medical office, his or her records are protected under HIPAA and should not be used, viewed or disclosed by anyone who is not authorized to access them. While I highly doubt anyone is interested in my medical history, someone like catcher Yadi Molina's medical history would be of interest to almost every St. Louis Cardinals fan.

It can be difficult for an employer to keep an employee from committing this type of breach. Imagine former St. Louis Cardinal and Hall of Famer Lou Brock walked into your medical office. Any Cardinals fans that you might employ would be excited to see him. They may even want to let their friends know who they saw at work today by disclosing that fact on their Facebook pages. The second one of your employees discloses the fact that Mr. Brock was in your office, you could be on the hook for any fines or penalties that the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) decides to hand down.

People may want access to medical records for monetary gain as well. For example, the HHS website is filled with examples of hackers and disgruntled employees who walked away with a thumb drive full of patient information that they then used to open credit cards in those patients' names. When it comes to celebrities, some employees may try to sell the medical information to tabloids. Many of these types of breaches can be prevented by conducting thorough and accurate training and risk analysis of the medical office, both of which are required by HIPAA. There are three specific things that can go a long way toward helping medical practices protect themselves from these types of breaches: running a risk analysis, conducting thorough training of all employees, and using audit trail reports.

Running a Risk Analysis

HIPAA requires that risk analyses be run whenever a breach has occurred in order to determine if there is a high or low risk of compromise to the patients' medical information. The risk analysis I run for my clients comes straight from the HHS audit protocol. This audit is very thorough and can be effective in making sure all of your potential vulnerabilities are addressed.

The problem most doctors face is that they don't conduct these analyses unless a breach occurs. To fully protect yourself, you need to run these analyses on a regular basis. For example, a doctor's office that runs a risk analysis bi-annually or quarterly has a better chance of catching shortfalls in its medical record protections than the doctor who doesn't run a risk analysis until the breach has occurred. Getting ahead of the risk, before it happens, is the best way to protect your office and staff from a breach.

Thorough Training

HIPAA requires that employees be trained on all of the policies and procedures of a medical practice, hospital, or clinic concerning HIPAA. These trainings should cover the Privacy Rule, the Security Rule, and the Breach Notification Rule. Employees are less likely to snoop into a celebrity's medical record if they have been fully trained on these rules and know the consequences of violating the policies. There is always the employee who will look even though they know the consequences, but if a practice can show that all employees have been trained on the rules and know the consequences of violating them, the practice might be able to mitigate some of the penalties that may come from the breach.

Trainings should not be held only once a year. HIPAA merely states, "A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity."

You can train as frequently as you choose, but there is too much information to go over for an employee to understand everything they are supposed to while only being trained once a year.

When we do these trainings for clients, we break them down to four trainings a year, usually done quarterly, so that we can break the information down into much more manageable segments. Doing this allows our clients' employees to have a much better understanding of how to comply. It also makes it less likely for an employee to claim they didn't know they weren't supposed to do something, as they were trained in a way that made it much more manageable.

Regular Audit Trails

Finally, all doctors' offices, hospitals and clinics that use electronic health records (EHR) should run an audit trail on a regular basis. What a regular basis is differs by practice. HIPAA requires that a covered entity conduct these audit trails. The law states that a covered entity should, "Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information."

We have our clients run audit trails on a monthly basis. We show them exactly what to look for so they are aware if an employee, or outside third party, accessed patient information they did not have authorization to access. You want to make these trails random. Don't always run them on the same day every month, and don't tell your staff that you are running them. If your staff knows when you're running the audit trails, there may be ways for them to hide their snooping.

Don't let what happened to UCLA happen in your practice. Remember, UCLA Medical Center has its own risk management department and in-house legal department to monitor potential breaches. If you're a sole practitioner, or you work for a practice, hospital, or clinic that doesn't have these departments, can you say that you are protected from these potential breaches? You would never roll the dice when it came to the medical care of your patients; why would you want to roll the dice when it comes to complying with laws that can potentially hand you massive fines and penalties?  

 Kyle Haubrich, Counsel with Sandberg Phoenix & von Gontard P.C., focuses his practice on rapidly evolving areas of health care law – including HIPAA and MACRA – and MIPS regulations, which represent the most significant change in Medicare compensation in decades.  Kyle can be reached at 314-425-4936 or khaubrich@sandbergphoenix.com.