Start With The Law: An Interview on HIPAA and Social Media with Paul Hales

Paul Hales

This is the fourth interview in a series exploring the implications of the Health Insurance Portability and Accountability Act (HIPAA) as it relates to digital media.

Paul Hales is an attorney from St. Louis, who specializes entirely in HIPAA law. Mr. Hales’ comments do not contain legal advice, but they do educate us about some of the risks that face fertility centers with respect to HIPAA and social media. Mr. Hales gives us some background on the Act.

Hales: We have to start with the law. My focus is on enabling practitioners to make use of social media and comply with the law. HIPAA was passed in 1996 with two objectives:

  1. To be able to keep insurance when switching from one provider to another.
  2. To have a uniform code for information and payment.

It has had further additions since.

  • The privacy regulations were added in 2003.
  • The HIPAA security rule was added in 2005.
  • HITECH was passed in 2009.
  • In 2013, the Omnibus rule was added to HIPAA to extend liability to “business associates”.

What is a business associate?

A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

What are common areas in which covered entities and business associates fail to meet HIPAA compliance?

  • Protected Health Information (PHI) is made up of 18 identifiers, including but not limited to name, e-mail address, full face photos, and date of birth. 
  • Under HIPAA, every health care practice or organization must designate a privacy officer. The privacy officer must perform a risk-analysis.
  • Health plans and covered health care providers are required to develop and distribute a notice that provides a clear explanation of privacy rights and practices with respect to patients’ personal health information.

What about when a patient posts their own information on a blog, social media channel, or place page operated by the practice?

It’s important to look at how HIPAA defines a website, which is any site that provides information about a covered entity’s services or benefits. Therefore, if a patient posts their own information to a site that’s owned by the practice, that is unauthorized PHI on the practice’s site. The practice has to obtain HIPAA authorization before allowing any patient content to be published to its sites.

What is necessary in a HIPAA authorization?

HIPAA Authorizations have six core elements:

  1. A specific and meaningful description of the information to be used or disclosed.
  2. The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
  3. The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure (i.e., the intended recipients).
  4. Description of each purpose of the requested use or disclosure.
  5. Must contain an expiration date or an expiration event.
  6. The signature of the individual and the date.

A HIPAA authorization must also include three statements.

  1. Individual’s right to revoke the Authorization.
  2. Clarification that the covered entity is not permitted to condition the provision of treatment on the execution of a valid Authorization. 
  3. Explanation that there is a potential that the information may be re-disclosed by the recipient of the information and that the recipient may not be required to comply with the Privacy Rule.

What should fertility practices be conscious of right now to minimize risk of HIPAA violations?

Recently, there has been more enforcement, and soon there will be audits. On February 16, 2016 the Office of Civil Rights (OCR) settled an enforcement action against Complete P.T., Pool & Land Physical Therapy, Inc. for impermissibly disclosing patient information in the form of testimonials on their website. HIPAA is a very extensive law. There is a lot of information on the internet that is simply wrong. HIPAA regulations are very demanding and products cannot ensure compliance. No product can be HIPAA compliant. It’s how a covered entity uses a product that makes it compliant or not.

Paul Hales is an attorney who provides legal services and consultation regarding HIPAA compliance. His software, the HIPAA e-tool, helps covered entities and business associates with a complete HIPAA compliance solution. If you’re interested in an educational webinar with Mr. Hales, you can register here.