The times, they are a changin' …

Hospitals and other covered entities originally responded to the passage of HIPAA with a flurry of activity, mostly in the form of privacy notices, the installation of new policies and procedures, and the delivery of regular employee training. Over time, the market learned to meet news of substantial fines levied by HHS for failure to enact these basic safeguards with a mental shrug.
Recently, however, the environment has become more active, and we are beginning to see HIPAA violations and penalties that illustrate the changing focus on the nature of compliance. Certainly, OCR continues to police unauthorized releases of PHI in hard copy format, but it is no coincidence that HHS' gallery of offenders has become more populated with CEs like BCBS of Tennessee ($1.5 million payment this month to settle the matter of 57 lost and unencrypted hard drives containing PHI), than with the likes of Massachusetts General Hospital ($1 million payment last year as settlement for losing hard copy patient files on the subway).
Reports of privacy breaches through Facebook, Twitter, MySpace and other platforms are increasing and can be ignored only at a hospital's peril. Earlier this month, a nurse in California posted on his Facebook wall a patient's picture and chart, along with his comments on her sexual health concerns (because, he said, 1) it was "only Facebook," and therefore not "real," and 2) he thought it was "funny" — and that if you didn't get the joke, then too bad). Other recent incidents of similar behavior include ER personnel posting pictures on the web of a man dying from knife wounds, and a physician in Oklahoma treating a patient via Twitter. Extreme examples? Perhaps. But few will argue that the concept of privacy in a social-media world does not square with privacy as demanded by HIPAA. Because these particular violations are so new, HHS has yet to reach a formal decision on its response, but there is little doubt we will soon hear more on these incidents. Moreover, HHS will only be part of the story, with private legal actions brought by patients in their local jurisdictions for violations of state privacy laws likely to follow.
HHS has clearly signaled the need for all CEs to implement a comprehensive policy on the use of social media, the employment of reasonable means to safeguard PHI, and the consistent application and enforcement of a sanctions policy. What isn't yet clear is the extent to which HHS will expect and demand that CEs take steps to identify breaches and engage in corrective action to mitigate the extent of the incident. However, all indications are that CEs not aggressively attempting to get out in front of unauthorized releases of PHI through all avenues, including social media, will face stiff penalties, including fines and corrective action plans.
New problems need new tools

New monitoring tools are being developed to address these concerns. For example, Novarus Healthcare, a Charlotte, North Carolina-based mobile solution development company, is developing a confidential and proprietary mobile technology platform that proactively monitors social media sites for HIPAA violations to allow providers to meet the developing challenge presented by the use and prevalence of social media. As social media continues to grow, tools to allow providers to identify and correct violations will become an integral part of a coordinated risk management program. The Novarus Healthcare application will, in addition to identifying the potential breach, score the severity of the issue and provide reports to the client CE that are easily understandable and actionable, so that it may aggressively address improper behavior immediately.