A hospital in California will fire 5 employees and discipline another because they posted information about patients on social media sites.

An ongoing investigation at Tri-City Medical Center in Oceanside “has not yet identified any evidence that patient names, photographs, or similar identifying information was posted by these employees,” according to a statement from Larry Anderson, CEO. “But our investigation yielded sufficient information to warrant disciplinary action.”

A hospital spokesman declined to provide any further details. Under the HIPAA privacy rule, which was toughened by the HITECH Act, patients must give permission for their private information to be disclosed.

The California Department of Public Health is conducting an investigation of the incident, a spokesman confirmed June 8, declining to provide further details. The incident involved posting information on Facebook, according to a report by KNSD, the NBC TV affiliate in San Diego.

To help prevent similar incidents, Anderson said the hospital is “re-emphasizing, through employee training and education, the hospital’s and the employees’ ongoing commitment and obligation to protect our patients’ privacy.”

Social media does play an important role in marketing in today’s world. It is important that you have a policy in place that identifies who can use social media sites and how it will be used. It is also beneficial to set up some searches for things you will track. This can easily be done in Google reader or on Twitter. Companies need to be aware of what their employees are putting on social media sites as well as what is being said about the company on these sites.

Incidents like the one above should be considered security threats and dealt with swiftly. Don’t let your company be one who ends up in the middle of an investigation because your staff doesn’t have guidance. Be sure the new world of social media is covered in your policies!

In the first HIPAA legal case against an individual, a former UCLA Medical Center researcher was sentenced on April 27 to four months in federal prison for looking at the confidential medical records of co-workers and celebrities such as Tom Hanks, Leonardo DiCaprio and Arnold Schwarzenegger.

This is certainly evidence that the government is going to take the enforcement of HIPAA violations seriously. In addition, because the new rules related to HIPAA and the HITECH Act hold individuals responsible, the responsibility for protecting patient information becomes even more crucial.

Be sure your systems have the ability to provide audit trails, and be sure those audit trails are periodically reviewed for unauthorized access.

Training of all staff is critical here. The researcher's defense is that he did not know this was a federal offense and that no reasonable person would have understood this. Training of staff so that they fully understand the consequences of their actions is critical in being able to show that you have met your responsibilities under the law.

HIPAA requires training in privacy and security for everyone, and now you can meet that obligation here. The first HIPAA and HITECH Act training courses will start on June 14, 2010. Whether you are an independent business owner, an independent contractor, a business associate, a covered entity, or simply someone who would like a general overview of the HIPAA and HITECT Act laws, there is a course designed for you.

In addition to the courses being offered, you will also find sample policies and procedures. If you are struggling with what to do about creating the policies and procedures that that law now requires you to have, these are customizable to your business setting.

Discounts!
Registration is now open for these courses. In honor of Medical Transcriptionist Week, which is May 16-22, we will offer a 10% discount for anyone registering before May 22. After that date, the regular prices will apply.

Don't delay in being sure that you have the necessary training and documentation that you have completed this training. Sign up today for one of our courses and join us in June! Be sure to sign up by May 22 to receive your discount.

HIPAA compliance requirements have been greatly changed with the American Recovery and Reinvestment Act (ARRA) and its Title XIII called the HITECH (Health Information Technology for Economic and Clinical Health) Act. With the introduction of this new law, business associates are now accountable for the privacy and security requirements that previously were required only by covered entities. In addition, a business associate is now subject to civil and criminal penalties. This also includes a provision that lets patients receive financial compensation for a violation of their privacy.

This new federal law has added strength to the enforcement portion of the law. The significant changes include:

• Employees and other workforce members, including independent contractors, are now subject to civil penalties. This means that individuals are also now accountable legally.
• There is a requirement for HHS to formally investigate any complaints and to impose civil penalties for violations of the rules if the violation is due to "willful" neglect.
• The law requires that any civil monetary penalties or monetary settlements as a result of a violation of the rules be sent to the Office of Civil Rights (OCR) for enforcement of the privacy and security rules.
• Civil monetary penalties now have a tiered system ranging from $100 to $50,000 depending on the offense.
• The Secretary of HHS is required to conduct periodic audits to be sure that covered entities and business associates are compliant with the new rules.
• The State Attorneys General now have the authority to bring suit in district courts for any violation on behalf of the residents of their state.

What Steps Should a Business Associate Take to be sure you are Compliant?

The first step is being sure you are properly classified. For example, if you are an independent contractor working for a service and not directly contracting with a covered entity, that probably means you are not a business associate, but an agent or subcontractor of a business associate. It is important, however, for independent contractors to understand if your contract is directly with the covered entity, that makes you a business associate and all of the new laws do apply to you.

Some things you need to consider include:

• Assigning responsibility for compliance to one person. While you can have a team working on compliance issues, one person must be named as the compliance officer and be responsible. This does not have to be an employee and you can use a consultant if that works best for you, however, it is critical that you have this person identified.
• Encryption of all electronic files. The HITECH Act has made the use of encryption the one thing that provides a "safe harbour" for not having a breach. Data that is not encrypted is considered unsecured according to the law. While you may already be using encryption for data transfers, this law also requires that information be encrypted while "at rest." This may require that you add encryption to all electronic files that are stored anywhere on your system. If you are in medical transcription, remember that this will also include the voice files stored on any dictation system. The Secretary of HHS will review these standards annually for any changes.
• Breach notifications. While HIPAA has always required that a business associate notify their client of any breaches of  information, the law now makes you responsible for being sure the notification is done. A breach is defined as acquisition, access, use or disclosure of unsecured PHI that is not permitted under HIPAA and that compromises the privacy or security of the information. Remember that unsecured data means unencrypted. Documentation of breech notifications must be kept for six years.
• Be sure you are compliant with both the privacy and security rules. There are many points to consider in these rules. You must have written policies and procedures. You must have a written risk analysis done. You also must have a contingency plan in place for any kind of business disruption. Your systems also have to provide audit trails for who accesses protected health information.
• Realize you are responsible for the actions of your workforce. The rules require training of the workforce, which must be done and documented. If you have remote workers, this can be more of a challenge, but it is possible.
• Another significant change is that business associates are now responsible for trying to stop any violations by the covered entity (their client). This includes things even up to canceling your contract with a client who refuses to fix a violation or prefers to ignore the law. Both parties are responsible for doing this for the other, and this could very well change some of the relationships you currently have with your clients.
• Documentation. Remember, it's all about being sure you have things documented. Use the rule of thumb that says "if it's not documented, it wasn't done." It is no longer acceptable to just say you are compliant. You must have written documentation to show that you have done all of the required steps.

The changes that have come as a result of the HITECH Act certainly have a big impact on business associates. The date for compliance is past. If you haven't taken the required steps, now is the time to do it.

The US Department of Health and Human Services (HHS) released it's semi-annual regulatory agenda this week. Included in this are the updates to the HIPAA privacy, security and enforcement rules and regulations.

The healthcare industry has been waiting for specific information from HHS on how the changes brought about by the HITECH Act will impact the HIPAA rules, and next month should make this more clear.

While the notice did not specify which rules would be impacted, the Office of Civil Rights (OCR), which enforces the privacy and security rules, addressed this earlier this month with the following list:
* Business associate (BA) liability
* New limitations on the sale of personal health information, marketing, and fundraising communications
* Stronger individual rights to access electronic medical records and restricting the disclosure of certain information

Although the HITECH act was effective February 17, neither agency had released any dates as to when we can expect updated rules and regulations until this week. At least now we know they are coming next month.