The increased use of portable electronic devices in the workplace and the popularity of social media pose unique challenges for health care employers, particularly when the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) conflict with the NLRB’s position on policies that could infringe upon an employee’s right to engage in concerted activity under the NLRA.

HIPAA governs the use and disclosure of protected health information (“PHI”) by health care providers. HIPAA violations may occur when health care employees post images of patients or patients’ records or vitals on social media. Oftentimes, the disclosure is inadvertent. For example, sharing a photo of co-workers in the workplace without realizing that a patient’s file was captured in the photo could result in the unauthorized disclosure of PHI. HIPAA violations may also occur when an employee shares a positive patient experience on social media, with or without an image, as a nursing student recently did to support a three year old who was fighting cancer.

The NLRA applies to all employers, both union and non-union. Section 7 of the NLRA protects “concerted activity,” which includes an employee’s ability to form, join, or assist a union; choose representatives to bargain with the company on their behalf; and act together with other employees for mutual benefit and protection. In some circumstances, recording activities in the workplace may be protected, concerted activity.

Recently, the NLRB in Whole Foods Market, Inc., 363 NLRB No. 87 (Dec. 24, 2015), held that the company’s no-recording policy unlawfully restrained employees’ Section 7 rights. In doing so, the NLRB held that “[p]hotography and audio or video recording in the workplace, as well as the posting of photographs and recordings on social media, are protected by Section 7 if employees are acting in concert for their mutual aid and protection and no overriding employer interest is present.” Thus, an employer may not lawfully adopt a work rule prohibiting employees from workplace recording if the employees are acting in concert for mutual aid and protection and the employer cannot demonstrate an overriding business interest. The Board specifically stated that the employer may not prohibit employees from recording the following: protected picketing, unsafe equipment or workplace conditions, discussions with others about terms and conditions of employment, the inconsistent application of employer rules, and recordings that preserve evidence for later use in administrative or judicial forums in employment-related actions.

The Board, however, acknowledged that employers may be able to establish an overriding business interest to justify restrictions on workplace recordings. The NLRB explained, “[W]e do not hold that an employer is prohibited from maintaining any rules regarding recording in the workplace. We hold only that those rules must be narrowly drawn, so that employees will reasonably understand that Section 7 activity is not being restricted.”

Health care employers should be able to demonstrate such an overriding business interest to support policies restricting workplace recordings and social media use given their obligations to protect patient privacy and comply with HIPAA.

In fact, the NLRB previously upheld a recording restriction implemented to protect patient privacy in Flagstaff Medical Center, 357 NLRB No. 65 (Aug., 26, 2011), a decision which was upheld by the U.S. Court of Appeals for the District of Columbia. In that case, the NLRB ruled that a hospital’s policy prohibiting the recording of images of patients, hospital equipment, property, or facilities was lawful because “the privacy interests of hospital patients are weighty,” and the hospital had a “significant interest in preventing the wrongful disclosure of individually identifiable health information.” The Board in Whole Foods acknowledged the Flagstaff ruling and distinguished its rule from the one in Whole Foods, noting that the business interests at issue in Flagstaff were more pervasive and compelling. Thus, the implementation of narrowly tailored no-recording policies in the health care setting should pass the NLRB’s scrutiny.

The Board should find that health care employers’ interest in protecting patient privacy and complying with federal law justifies appropriately tailored restrictions on workplace recordings. Therefore, to prevent the disclosure of PHI and to protect patient privacy, health care employers should implement policies restricting employees from recording and sharing patients’ images, conversations, or information on social media. Such policies should restrict employees from recording (video, still images, or audio) in patient rooms or settings, and sharing patient images or information on social media. Restricting recordings in non-patient settings (e.g., break rooms, cafeterias, and administrative offices) should be limited to those that will not infringe upon employees’ Section 7 rights.

Takeaways

  • Review and revise no-recording and social media policies to ensure that they are narrowly tailored to protect patient privacy and the disclosure of PHI. Be sure that the policies clearly explain that any restrictions on workplace recordings are due to patient privacy and HIPAA obligations and are not intended to infringe upon employees’ Section 7 rights.
  • Consider revising existing policies on HIPAA compliance to address the use and restrictions of social media.
  • Regularly train employees on recording and social media policies and on HIPAA compliance to ensure that every employee has a working knowledge of the foundational privacy and security regulations issued under HIPAA, and understands how such privacy can be compromised by workplace recording and social media use.
  • Consult with counsel before disciplining an employee for making a workplace recording or posting patient information on social media.

A version of this article originally appeared in the Take 5 newsletter Five Key Issues Impacting Health Care Employers.”

WHEN: November 17, 2014

TIME:    2:00pm – 3:30pm EST

To register for this webinar, please click here.

Please join us for a complimentary webinar addressing the professional and business challenges encountered by health care providers dealing with Ebola and other infectious diseases. This webinar will offer a clinical overview as well as a review of the guidelines which offer protocols for addressing concerns over Ebola and similar diseases, the health regulatory and risk management issues providers might consider in developing a response strategy, and the resulting labor and employment considerations facing health care employers. A question and answer period will follow the program.

Topics will include:

  • Clinical Overview and Emergency Management Issues
  • Health Regulatory Considerations for Providers
  • Risk Management Concerns
  • Employment Issues Confronting the Health Care Industry

Speakers:

  • Bruno Petinaux, M.D. – Associate Professor, Co-Chief of the Emergency Management Section, Department of Emergency Medicine, George Washington University Medical Faculty Associates
  • George B. Breen – Member, Epstein Becker Green, Chair, Health Care and Life Sciences Practice Steering Committee
  • Frank C. Morris, Jr. – Member, Epstein Becker Green, Employment, Labor and Workforce Management Practice
  • Amy F. Lerman – Associate, Epstein Becker Green, Health Care and Life Sciences Practice

To register for this webinar, please click here.

If you have questions regarding this event, please contact Whitney Krebs at (202) 861-0900, or wkrebs@ebglaw.com.

Several colleagues and I recently wrote Health Reform: Key Compliance Actions for the New HIPAA Privacy Regulations, an alert published by the Implementing Health and Insurance Reform team of Epstein Becker Green.

In it, we summarized areas in which employers should consider taking action prior to September 2013 to facilitate compliance with the new requirements.  Here are our top five action items for covered entities and business associates to focus on in their Omnibus Rule compliance efforts:

  1. Review Business Associate Relationships, and Update Business Associate Agreements;
  2. Evaluate Compliance with Heightened Safeguard Requirements;
  3. Update Notices of Privacy Practices;
  4. Update Privacy Policies and Procedures; and
  5. Update Policies Regarding Determination of Breaches of Unsecured PHI.

The following is an excerpt from the alert:

In light of the Omnibus Rule’s new requirements, business associates and covered entities should strongly consider reviewing their existing HIPAA privacy and security practices, including compliance policies and business associate agreements. While the Omnibus Rule takes effect on March 26, 2013, affected parties have until September 23, 2013, to come into compliance with most of its provisions. This alert reviews several of the regulatory changes and suggests action items to facilitate compliance with the new requirements.

Read the full version on ebglaw.com.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule provides standards for the use and disclosure of “individually identifiable health information,” dubbed protected health information, or PHI.  PHI is information, including demographic information, that relates to an individual’s physical or mental health, the provision of health care to the individual, or payment for the provision of health care to the individual.  Such information constitutes PHI if it identifies the individual or if there is a reasonable basis to believe it can be used to identify the individual to whom the health information pertains.  Thus, PHI includes many everyday identifiers (i.e. name, address, birth date, social security number)that can be associated with an individual’s health information.

With the rapid advancement in information analytic technologies, the ability to combine large, complex data sets from various sources into a powerful tool for advancement in health care protocols is accelerating.  These same analytic technologies, however, enhance the ability to use publicly available demographic information to associate an individual’s health information with that individual.  In order to balance the potential utility of health information, even when it is not individually identifiable, against the risk that the subject of the information might be identified, the Privacy Rule provides two methods of de-identification: (1) determination by a qualified expert; and (2) removal of specified identifiers.

THE DE-IDENTIFICATION STANDARDS

The HIPAA Privacy Rule provides a safe harbor for de-identification that requires the complete removal of each of 18 types of identifiers.  However, the removal of these identifiers, such as birth date, dates of admission and discharge, death, and indications of age over 89, may render the data set less useful as a research tool.  To provide some flexibility, the Rule allows use of other de-identification strategies where an expert determines “that the risk is very small that the information could be used, alone or in combination with other reasonably available information” to identify the subject of the information. § 164.514(b).  Beyond this rather limited language, no guidance is provided regarding when it should be applied to real-life circumstances.  As a result, the Office of Civil Rights of the United States Department of Health and Human Services (OCR), the entity charged with enforcement of the Privacy Rule, has recently issued guidance regarding methods for de-identifying PHI that would satisfy the Rule.  See Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

THE OCR GUIDANCE

Beginning with the level of expertise needed by an “expert” in order to provide a de-identification opinion under HIPAA, the Rule requires “[a] person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable . . .”   § 164.514(b)  The guidance confirms that no specific professional degree or certification exists for such expertise.  Relevant expertise may be obtained through many types of experience in the scientific, mathematical, statistical or other arenas.  Whether a particular individual is such an expert under the Privacy Rule is a judgment to be exercised based upon the relevant professional experience and training of the individual.

Likewise, there is no specific statistically determined numerical level of identified risk that will constitute a “very small” risk that the subject individual may be identified. The guidance indicates that this risk is dependent upon many factors to be taken into account.  The assessed risk of identification for a particular data set in the context of one environment may not be the same for that data set in a different environment, or for a different data set in the same environment.  Similarly, since technology and the availability of information are rapidly changing, the level of risk for even the same data set in the same environment may change over time.   Thus, the guidance confirms that no specific process must be used to reach a conclusion that the risk of identification is small.

What the expert must do is: (1) evaluate the extent to which the health information itself is identifiable; (2) provide advice on the methods that can be applied to mitigate the risk; (3) consider what data sources may be available (such as voter registration records) for use in identification; and (4) confirm that the identification risk of the resulting product is no more than very small.    This analysis will include such factors as the degree to which the data set can be matched to a data source that reveals the identity of the individuals, such as matching a birthdate and zip code combination in a health record to a birth date and zip code combination in a voter registration record.  The accessibility of the alternative data sources should also be considered by the expert.  For example, the existence in  the data set of patient demographics is high risk, as they potentially can be matched with data that appears in public records, while clinical features and event related time frames pose a much lower risk.  Certain combinations of values may, for similar reasons, increase the risk of identification.

Consistent with this theme, the Privacy Rule also does not prescribe any particular approach to mitigation of any risk of identification that does exist.  The expert should choose from various measures, such as suppression of an entire category of data, supression of some individual records, or generalization of a particular measure into a band of values, when necessary to reduce the risk of identification. The OCR also suggests limiting redisclosure of the data set through agreement as a mitigation methodology.

In sum, the OCR has made clear, through the publication of the de-identification guidance, that the Privacy Rule’s intention is to provide maximum flexibility in the design of data sets containing Protected Health Information, so long as the ultimate goal, limiting the risk that an individual’s PHI will be discovered to a “very small” possibility, is served.

Please join Epstein Becker Green’s Health Care & Life Sciences and Labor & Employment practitioners as we continue to review the Affordable Care Act and its ongoing impact on employers and their group health plans.

In less than a year, employers employing at least 50 full-time employees will be subject to the Employer Shared Responsibility provisions. Under these provisions, if employers do not offer health coverage or do not offer affordable health coverage that provides a minimum level of value to their full-time employees, they may be subject to a tax penalty under the proposed regulations just issued by the Internal Revenue Service.

During this program, Epstein Becker Green practitioners will:

  • Review the basics of the Employer Shared Responsibility provisions and proposed regulations
  • Define employer status under the proposed regulations
  • Clarify the definition of “full-time” employees and dependents who must be offered coverage
  • Discuss the determination of affordable and minimum value coverage
  • Review employer liabilities and penalties

This is the third session in the Employer Affordable Care Act Webinar Series for employers on upcoming rules and regulations implementing the Affordable Care Act.   Please stay tuned for upcoming webinars on:

  • Exchange Implementation
  • Essential Health Benefits
  • Quality Reporting
  • And others…

Epstein Becker Green Presenters:
Mark E. Lutes
Frank C. Morris, Jr.
Adam C. Solander 

Wednesday, January 9, 2013
1:00 – 2:00 pm EST
10:00 – 11:00 am PST

Registration Is Complimentary and Webinar Space Is Limited

Don’t Miss This Opportunity!  To Register, please click here.

Contact Elizabeth Gannon at 202/861-1850 or egannon@ebglaw.com for more information.  If you missed the first two webinars in the New ACA Implementation Regulation series, the audio recording and presentation slides are now available.

They say that everything is bigger in Texas, and the Lone Star State’s new privacy protection laws are no exception.  Texas House Bill 300 (“HB 300”) amends the Texas Medical Records Privacy Act (“Texas Act”) and takes effect on September 1, 2012.  HB 300 significantly expands patient privacy protections for Texas covered entities beyond those federal requirements as outlined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act by:

•revising the definition of a “covered entity;”

•increasing mandates on covered entities;

•establishing standards for the use of electronic health records (“EHRs”);

•granting enforcement authority to several state agencies; and

•increasing civil and criminal penalties for the wrongful electronic disclosure of protected health information (“PHI”).

Expanded Definition of Covered Entity

HB 300 significantly expands the definition of a Texas “covered entity” to include not only health care providers, but those entities and individuals who under the “HIPAA Privacy Rule” would be classified as business associates and health care payers.  In addition, the Texas Act’s “covered entity” definition includes governmental units, information or computer management entities, schools, health researchers, health care facility, clinics, and persons who maintain an Internet site. As a result, this revision impacts any entity that conducts business in Texas and collects, uses, and/or stores PHI.

Customized Training Required

Mandatory customized employee training regarding state and federal patient privacy and security laws is another significant change to the Texas Act through the adoption of HB 300.  Training must cover federal and state regulatory requirements as well as include the covered entity’s course of business and employees’ scope of employment as it relates to PHI use and disclosure.   Employees of covered entities must complete training at least once every two years and not later than 60 days post-hire date.   This training requirement is more onerous than the HIPAA Privacy Rule, which does not currently require customized staff training and instead requires that employees be trained “within a reasonable period of time” after hire and after any material changes in applicable policies.

 Release of EHR and Consumer Information

After September 1st, covered entities must provide patients with their electronic EHRs within 15 business days after written request.  The Texas Health and Human Services Commission will soon recommend a standard format for the release of EHRs that is consistent with federal law.  Also, following the Office of Civil Rights’ recent lead, the Texas Attorney General’s website will provide consumer access to public health information.  State agencies will file annual complaint reports to the Texas Attorney General who will then provide an annual report about the complaints to the Texas Legislature.

Scope of Notice of Privacy Practices and Penalties Broadened

The law also broadens the scope of covered entities’ Notice of Privacy Practices or other general notices to inform patients about how their e-PHI is used and disclosed.  Entities (such as business associates that are not required to issue a Notice of Privacy Practices under the Privacy Rule) will soon need to issue a notice if PHI is subject to electronic disclosure.  In addition, HB 300 authorizes civil and criminal penalties for data breaches, depending on the breach’s severity, the covered entity’s compliance program, certification, and its corrective action.

Steps to Adopt HB 300’s Requirements

With the effective date nearing, Texas covered entities should take immediate steps to ensure compliance with these more stringent state requirements. To meet this deadline, covered entities should:

  • ramp up their efforts to provide customized employee training;
  • update their Notice of Privacy Practices; and
  • review and update policies to incorporate the new statutory requirements.

For those healthcare employers that have been resting on your laurels and viewing through rose-colored glasses your entity’s HIPAA (Health Insurance Portability and Accountability Act of 1996) and HITECH (Health Information Technology for Economic and Clinical Health) compliance efforts, the time has come to thoroughly clean your glasses and prepare for increased Office of Civil Rights (“OCR”) enforcement actions.  Speaking at the recent National HIPAA Summit, the OCR’s Director, Leon Rodriguez, announced that the OCR intends to follow the Office of Inspector General’s (“OIG”) vigilant enforcement model for HIPAA violations.  The OCR intends to focus its enforcement efforts on both “common-sense” patient confidentiality and breach violations.  In addition, the OCR continues to work on audits of covered entities.

First OCR HITECH Breach Settlement

Making history as the OCR’s first HITECH Breach Notification violation settlement, Blue Cross Blue Shield (BCBS) of Tennessee recently settled with the OCR for approximately $1.5 million.    The ground-breaking settlement illustrates the OCR’s increased focus on penalizing non-compliant healthcare entities.  Further, it indicates the OCR is effectively working the kinks out of its HITECH breach investigative process and is not afraid to levy hefty fines on those healthcare organizations deemed to be sub-par in their patient privacy and security compliance efforts.  BCBS reported around 57 hard drives containing protected health information (PHI) were stolen from a leased facility.

Fines Levied only Small Fraction of HIPAA Violation Cost

BCBS reportedly spent about $18.5 million on its investigation of the reported HIPAA violations.  Besides the obvious costs of managing its response to the government’s investigation, this hefty price tag included paying for the following:

  • informing patients of their patient information leak;
  • hiring a data recovery specialist to analyze the extent of the breach;
  • review and improvement of the organization’s overall HIPAA compliance; and
  • approximately 500 BCBS employees to assist with the investigation.

Phoenix Physician Group Targeted Through Settlement

 In addition, last month, Cardiac Phoenix Surgery reached a $100,000 settlement with the OCR for failure to properly safeguard its patient information.   The investigation began with a claim that the group posted appointments for its patients on a publicly accessible calendar.  Through its extensive investigation, the OCR discovered the physician group’s general failure to safeguard its PHI through limited policies and other safeguards.

Many physicians and physician groups have long believed they are immune from government scrutiny for general compliance enforcement, including patient confidentiality.   However, the recent settlements should cause physicians and their groups, along with other healthcare entities, to embrace the applicable regulatory requirements to better safeguard protected health information before it is too late.

What Employers Need to Know to Avoid Becoming HIPAA Violation Targets

Both the OCR’s recent enforcement announcement and its settlements serve as wake-up calls to healthcare employers to avoid complacency with their patient privacy and security compliance efforts. Increased government scrutiny is certainly here to stay.  To avoid becoming a target on the OCR’s investigative radar, healthcare facilities and companies should adopt the following objectives:

  • routinely assess their privacy and security policies to evaluate whether there is adequate protection of its PHI under the letter of both state and federal laws and regulations;
  • annual training of staff and other healthcare providers on these requirements; and
  • perform routine risk assessments to identify any potential holes in its HIPAA-related compliance.

By adopting these focused compliance efforts, a healthcare entity may not necessarily escape the OCR’s probing gaze, but will certainly reduce the possibility that a violation will be found, as well as lessen the monetary damage if non-compliance is detected.

 

Kara Maciel, Member of the Epstein Becker Green Labor and Employment, Litigation, and Health Care and Life Sciences  Practices, was recently interviewed by Employment Law360 concerning employer wellness programs. 

According to the article, businesses are turning to wellness programs to curb health care expenses, but programs that aren’t carefully crafted can open employers up to costly privacy and discrimination litigation, attorneys say.  Wellness programs can lead to big savings for employers by targeting behaviors that can cause  conditions that drive up their health care expenditures. But programs that give employers too much  information about their employees can leave employers vulnerable to claims that they have violated the  Health Insurance Portability and Accountability Act, the Americans with Disabilities Act, the Genetic  Information Nondiscrimination Act, and state privacy and nondiscrimination laws, experts say.  “Employers really can open themselves up to a litigation minefield if they do not properly craft their programs in a legally compliant way, with a particular focus on discrimination and privacy issues,”  EpsteinBeckerGreen’s Kara M. Maciel said. 

 Click here to read the entire Employment Law360 article

by Pamela D. Tyner

Social media have become de rigueur globally.  Today, millions maintain connections with their friends, relatives and business acquaintances via Facebook, Twitter, LinkedIn, blogs and YouTube.  Recent studies indicate that social media popularity even predicts polling popularity and the stock market.  Translated to the healthcare arena, healthcare facilities and organizations are now trained to promote their business by communicating effectively via social media.  In addition, patients, physicians and employees of healthcare facilities and organizations frequently communicate and discuss patient status via cell phones, Facebook, YouTube and other social media.  However, many people do not realize that use of these media may compromise health information privacy unless certain protections are implemented to safeguard them.

Invasion of Health Information Privacy

Under the confines of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Health Information Technology for Economic and Clinical Health (“HITECH”) and state privacy laws, certain protections of protected health information (commonly known as “PHI”) are mandated.  The increased usage of social media to reference patient whereabouts, ailments and treatment plans continues to leave healthcare employers scrambling to implement new forms of encryption, other IT protection and disciplinary actions.

Examples of Social Media and IT Breaching Confidentiality of PHI

From the trenches, here are some recent examples of social media and IT affecting the privacy of PHI:

  • A day in the life of a patient posted on YouTube, posted without consent of other patients and employees of a hospital system.  The Hospital asked for the individual to immediately remove the content from YouTube.  In addition, the Hospital conducted a thorough investigation and notified the patients affected about the breach of their PHI.
  • A patient updates his/her status via Facebook and later discovers the status update informs her Facebook friends that s/he is in the hospital.  The patient complains to the Hospital’s compliance department about a breach of her PHI.  Afterwards, the Hospital investigates the incident and discovers the patient updating the status inadvertently notified Facebook of the individual’s whereabouts.  The facility is in the process of revising its Patient Handbook to include information about updating an individual’s “location update” status while a patient as potentially identifying the individual’s hospital stay.
  • Doctors, nurses and medical students  revealing patient information on Facebook.  Facilities are implementing social media training to medical staff, employees and allied health professionals about the potential breach of confidentiality and/or disciplinary actions that might result from their Facebook updates about patients.
  • A health care institution realizes that its computer encryption system has a loophole through the usage of USB ports.  The institution must scramble to protect its system information while waiting for the software company to fix the loophole.
  • Articles and blogs inform consumers how to mine PHI about others.

Government Action

The National Relations Board has become very active in addressing social media’s impact on the workplace.   In future, it is anticipated that additional government agencies and the court system will jump on the band-wagon and scrutinize social media as it relates to the healthcare environment and patient confidentiality.

Office of Civil Rights Solicits Comments on Mobile Devices and Confidentiality

In early March 2012, the Office of Civil Rights and the ONC Office of the Chief Privacy Officer (OCPO) invited members of the public to provide input on mobile devices’ uses along with comments on current and emerging privacy and security best practices regarding protecting and securing health information while using mobile devices. Public commentary will help inform the OCR and OCPO for future development of an effective and practical way to bring awareness and understanding to those in the clinical sector regarding protecting and securing health information while using mobile devices.  Popular health information technology remains a hot topic for the OCR; a roundtable discussion on mobile devices and safeguarding health information is planned for mid-March.

Lessons Learned and How Healthcare Employers Should React

Healthcare facilities and organizations must act quickly to assess each usage of social media to gauge whether patient confidentiality may be vulnerable to compromise.  Due to the rapid evolution of social media technology, healthcare facilities and organizations’ social media and employee disciplinary policies must be scrutinized frequently for uniformity within their corporate compliance program.  In addition, these entities must analyze and implement clear guidelines outlining how its physicians and allied health professionals may be constructively redirected and/or advised on the proper usage of social media to facilitate efficient communication concerning patients without compromising PHI confidentiality.