A hospital in California will fire 5 employees and discipline another because they posted information about patients on social media sites.

An ongoing investigation at Tri-City Medical Center in Oceanside “has not yet identified any evidence that patient names, photographs, or similar identifying information was posted by these employees,” according to a statement from Larry Anderson, CEO. “But our investigation yielded sufficient information to warrant disciplinary action.”

A hospital spokesman declined to provide any further details. Under the HIPAA privacy rule, which was toughened by the HITECH Act, patients must give permission for their private information to be disclosed.

The California Department of Public Health is conducting an investigation of the incident, a spokesman confirmed June 8, declining to provide further details. The incident involved posting information on Facebook, according to a report by KNSD, the NBC TV affiliate in San Diego.

To help prevent similar incidents, Anderson said the hospital is “re-emphasizing, through employee training and education, the hospital’s and the employees’ ongoing commitment and obligation to protect our patients’ privacy.”

Social media does play an important role in marketing in today’s world. It is important that you have a policy in place that identifies who can use social media sites and how it will be used. It is also beneficial to set up some searches for things you will track. This can easily be done in Google reader or on Twitter. Companies need to be aware of what their employees are putting on social media sites as well as what is being said about the company on these sites.

Incidents like the one above should be considered security threats and dealt with swiftly. Don’t let your company be one who ends up in the middle of an investigation because your staff doesn’t have guidance. Be sure the new world of social media is covered in your policies!

The healthcare industry often uses portable devices for the storage and transmission of protected health information. I find it concerning to hear many of the people I speak with thinking that because they use a jump drive or an external hard drive to store patient information, they are compliant. It simply isn't true.

The HITECH Act now specifically says that information must be encrypted during transmission AND at rest. That means all of the patient information you are storing on any kind of portable device must also be encrypted. In the publication by OCR of breaches, you will find a good many of them are as the result of theft or loss of a laptop or jump drive.

In a recent conversation I had with a transcription service owner, who is a business associate and thus subject to these new laws, the response to the above information was "well, the customers don't care so I can't be responsible for it." If you read the laws, you realize this is not the case and that business associates are held to the same standards as the covered entity. In addition, you are responsible for the actions of your subcontractors. Simply "telling them to use an external drive for storage" doesn't relieve you of that responsibility.

Simply storing things on an external drive without encryption isn't good enough. Be sure you are not caught in this situation. If you are audited, it could mean monetary penalties and fines for you.

In the first HIPAA legal case against an individual, a former UCLA Medical Center researcher was sentenced on April 27 to four months in federal prison for looking at the confidential medical records of co-workers and celebrities such as Tom Hanks, Leonardo DiCaprio and Arnold Schwarzenegger.

This is certainly evidence that the government is going to take the enforcement of HIPAA violations seriously. In addition, because the new rules related to HIPAA and the HITECH Act hold individuals responsible, the responsibility for protecting patient information becomes even more crucial.

Be sure your systems have the ability to provide audit trails, and be sure those audit trails are periodically reviewed for unauthorized access.

Training of all staff is critical here. The researcher's defense is that he did not know this was a federal offense and that no reasonable person would have understood this. Training of staff so that they fully understand the consequences of their actions is critical in being able to show that you have met your responsibilities under the law.

HIPAA requires training in privacy and security for everyone, and now you can meet that obligation here. The first HIPAA and HITECH Act training courses will start on June 14, 2010. Whether you are an independent business owner, an independent contractor, a business associate, a covered entity, or simply someone who would like a general overview of the HIPAA and HITECT Act laws, there is a course designed for you.

In addition to the courses being offered, you will also find sample policies and procedures. If you are struggling with what to do about creating the policies and procedures that that law now requires you to have, these are customizable to your business setting.

Discounts!
Registration is now open for these courses. In honor of Medical Transcriptionist Week, which is May 16-22, we will offer a 10% discount for anyone registering before May 22. After that date, the regular prices will apply.

Don't delay in being sure that you have the necessary training and documentation that you have completed this training. Sign up today for one of our courses and join us in June! Be sure to sign up by May 22 to receive your discount.

One of the biggest challenges for many of us is doing the required risk analysis that is in the HIPAA Security Rule. The industry has struggled with how to conduct this, what to cover, and how to document it. This past week the Office of Civil Rights has issues a draft guidance document about the risk analysis required by the security rule.

The document is titled "HIPAA Security Standards: Guidance on Risk Analysis" and should be reviewed if you still have not conducted your risk analysis.

The OCR is tasked with issuing annual guidance related to the security rule. Following these guidelines as they are issued will help you stay on top of what you should be doing to be compliant.

Have you conducted your risk analysis? If not, now is the time!