Tuesday, September 13, 2016

HIPAA and the Use of Text Messages to Convey Medical Information

The Doctors Company published a useful article on how physicians can safeguard against HIPAA violations when text messaging is used to access or convey medical information. The article can be accessed here.


While texting can often be a convenient form of communication between medical professionals, it can lead to violations of the Health Insurance Portability and Accountability Act (HIPAA). Penalties for such violations can be imposed under both federal law and state law.

The article refers to a member survey by the College of Healthcare Information Management Executives and notes that, of the organizations surveyed, 96.7 percent allowed physicians to text and 57.6 percent of those organizations did not use encryption software.

The Health Insurance Portability and Accountability Act (“HIPAA”)[1] is the federal statute[2] that governs the disclosure of medical records and mandates confidentiality with regard to health information[3] and individually identifiable health information.[4] The Office of Civil Rights works to enforce the HIPAA Privacy Rule.[5] Under HIPAA, a covered entity[6] is subject to the regulations and restrictions on divulging private health information.[7] This private health information may be protected health information (“PHI”) as defined by the statute.[8] When PHI is released without proper authorization, a violation can occur.

Florida law has codified federal privacy standards to protect and maintain a patient’s medical records and information.[9] The right to privacy is a right guaranteed by the state constitution.[10] The existing law and regulations are very stringent, and there are high standards to protect the confidentiality[11] of this type of information.[12] Physicians have a duty to maintain records in accordance with statutory law and federal and state agency regulations.[13] The general state provisions for the ownership and control of patient records are outlined under §456.057 Fla. Stat. and relevant case law.[14] A physician[15] is considered to be the “record owner”[16] of medical records created by him and must maintain the confidentiality and disclosure requirements of the records as provided by statute.[17] The medical records may not be furnished to anyone without written authorization from the patient; upon written authorization from the patient, the records may be released to the patient’s doctor, the patient’s legal representative, or any other physician involved in the treatment of the patient.[18] There are exceptions that apply and that allow the records to be furnished without written authorization from the patient.[19] The statute also requires all record owners to “develop and implement policies, standards, and procedures to protect the confidentiality and security of the medical record.”[20]

The Florida Department of Health gives the Board of Medicine (“the Board”) rule-making authority to promulgate rules that regulate the practice of medicine by adhering to delineated standards.[21] One of the rules created by the Board clearly outlines the standards for the proper maintenance and adequacy of medical records.[22] The Board also governs the retention, disposition, and reproduction of medical records.[23] Pursuant to the Board of Medicine, “a licensed physician shall maintain the full and total responsibility for and control of all files and records relating to his patients and medical practice. All such records shall remain confidential except as otherwise provided by law.”[24]

The Doctors Company article recommends the following action to safeguard a medical practice from HIPAA violations in a texting scenario:
  • Enable encryption on your mobile device.
  • Have a texting policy that outlines the acceptable types of text communications and specifies situations when a phone call is warranted.
  • Report to the practice’s privacy officer any incidents of lost devices or data breaches.
  • Install autolock and remote wiping programs to prevent lost devices from becoming data breaches.
  • Know your recipient, and double check the “To” field to prevent sending confidential information to the wrong person.
  • Avoid identifying patient details in texts.
  • Assume that your text can be viewed by anyone in close proximity to you.
  • Ensure the metadata retention policy of the device is consistent with the medical record retention policy and/or that it is in accordance with a legal preservation order.
  • Ensure that your system has a secure method to verify provider authorization.
  • When conducting your HIPAA risk analysis, include text message content and capability.

[1] 45 C.F.R. §164.502 [hereinafter HIPAA].
[2] U.S. Department of Health and Human Services, Health Information Privacy: Statute, http://www.hhs.gov/ocr/privacy/hipaa/administrative/statute/index.html (last visited April 21, 2015).
[3] Health information is defined as: “any information, whether oral or recorded in any form or medium, that: (a) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (b) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.”
[4] Id. Individually Identifiable Health Information is defined as: any information, including demographic information collected from an individual, that: (a) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (b) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and (i) identifies the individual; or (ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
[5] U.S. Department of Health and Human Services, Health Information Privacy, http://www.hhs.gov/ocr/privacy (last visited April 22, 2015).
[6] The term “covered entity” under the HIPAA Privacy Rule refers to three specific groups (i) health plans (ii) health care clearinghouses, and (iii) health care providers that transmit health information electronically. Covered entities under the HIPAA Privacy Rule must comply with the Rule’s requirements for safeguarding the privacy of protected health information. U.S. Department of Health and Human Services, What is a "covered entity" under HIPAA?, http://www.hrsa.gov/healthit/toolbox/HealthITAdoptiontoolbox/PrivacyandSecurity/entityhipaa.html. 
[7] See supra note 3.
[8] 45 C.F.R. §164.502(a)(2), 45 C.F.R. §164.522(b), 45 C.F.R. §164.524, 45 C.F.R. §164.528.
[9] Florida Medical Association, Medical Records, http://www.flmedical.org/LRC_Medical_records.aspx.
[10] Fla. Const. art. I, § 23 states: “Every natural person has the right to be let alone and free from governmental intrusion into the person’s private life except as otherwise provided herein. This section shall not be construed to limit the public’s right of access to public records and meetings as provided by law.”
[11] Bradley v. Brotman, 836 So. 2d 1129, 1133 (Fla. 4th DCA 2003).
[12] §456.082 Fla. Stat. 
[13] §456.057 Fla. Stat. 
[14] Pain Care First of Orlando, LLC v. Edwards, 84 So. 3d 351 (Fla. Dist. Ct. App. 5th Dist. 2012).
[15] The statute refers to the physician as a “health care practitioner.”
[16] Id. “Records owner” means any health care practitioner who generates a medical record after making a physical or mental examination of, or administering treatment or dispensing legend drugs to, any person.
[17] §456.057(6) Fla. Stat.
[18] §456.057(7a) Fla. Stat. 
[19] Under §456.057(7a)(1-5), the following exceptions apply and do not require prior written authorization from the patient for the release of medical records: 1.To any person, firm, or corporation that has procured or furnished such care or treatment with the patient’s consent. 2. When compulsory physical examination is made pursuant to Rule 1.360, Florida Rules of Civil Procedure, in which case copies of the medical records shall be furnished to both the defendant and the plaintiff. 3. In any civil or criminal action, unless otherwise prohibited by law, upon the issuance of a subpoena from a court of competent jurisdiction and proper notice to the patient or the patient’s legal representative by the party seeking such records. 4. For statistical and scientific research, provided the information is abstracted in such a way as to protect the identity of the patient or provided written permission is received from the patient or the patient’s legal representative. 5. To a regional poison control center for purposes of treating a poison episode under evaluation, case management of poison cases, or compliance with data collection and reporting requirements of s. 395.1027 and the professional organization that certifies poison control centers in accordance with federal law.
[20] §456.057(10) Fla. Stat.
[21] §458.309 Fla. Stat. 
[22] Fla. Admin. Code 64B8-9.003.
[23] Fla. Admin. Code 64B8-10.
[24] Fla. Admin. Code 64B8-10.002.
