Preparing for HIPAA Compliance Audits: An Interview with Valerie Breslin Montague

By Griffin Jones

This is the sixth interview in a series exploring the implications of the Health Insurance Portability and Accountability Act (HIPAA) as it relates to digital media.

Valerie Breslin Montague

Valerie Breslin Montague is an attorney who specializes in HIPAA in Chicago, IL. Ms. Montague’s comments do not contain legal advice, but they do educate us about some of the risks that face fertility centers with respect to HIPAA and social media. I started the interview with a topic that we are all very interested in: what are the implications when patients include their own information on a practice’s website, blog, place page, or social media channel?

Montague: Generally, under federal and state privacy laws, when a patient is forthcoming with their own information, that’s not a disclosure by the practice. Anything posted by the patient would be their disclosure. With that said, it would be wise for practices to include that publicly in their social media policy. Patients should know that social media channels and review sites are public places, and anything posted on the internet should be considered permanent. The practice should inform the public that they do not have control over who can see that information, once posted. When responding to patient comments, it would be wise to do so in a general manner (such as “thank you” or “we appreciate that”). I wouldn’t confirm the patient’s visit, or add any new information.

Is there a danger of disclosing the physician-patient relationship even if it’s a basic acknowledgement of the comment?

I don’t think there’s any guidance here, but I don’t believe that’s something that would be enforced as a HIPAA violation. I think the government would have a hard time arguing that was a breach of PHI. If the government wanted to be very overreaching, I suppose they could, but I don’t see a very big risk there. The practice wouldn’t want to do anything to amplify or further share the patient’s message, such as adding a hashtag, tagging another person, or retweeting or sharing the post, without a proper HIPAA authorization. The practice can directly message or e-mail the commenter to ask them to complete a HIPAA authorization. Then they can share the posted content for purposes agreed upon in the authorization.

Why don’t the Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) issue guidelines on practice engagement on digital media?

Hopefully OCR will in the near future, but its focus now is on enforcement and audits.

Tell us about the pending round of HIPAA compliance audits.

OCR has been warning of a second round of audits for more than a year. The first round of HIPAA compliance audits took place in 2012. This time, the audit will include both covered entities (healthcare providers and health insurers) and their “business associates” (EHR providers, billing companies, etc.). The agency has said it will audit a large scope of entities, from large health systems to small practices.

What are common vulnerabilities that might be exposed for healthcare providers during these audits?

It’s very common to have HIPAA policies in place for privacy obligations. Providers have been doing a pretty good job of keeping up in that respect. Some smaller or newer business associates may need more help. Where I’m concerned that many people may fail to meet compliance is their requirement to do a security risk assessment. They need to check the security of everything that impacts PHI. Once strengths and weaknesses have been analyzed, a risk management plan has to be implemented.

Not having a “business associate” contract in place is also a risk for both the healthcare provider and the business associate. The arrangement, not the agreement, determines if the relationship exists, and both parties are culpable if a signed contract is not in place.

What should healthcare providers be doing right now to ensure HIPAA compliance?

Providers should be prepared for risks before any incidents might occur. It is much easier to correct security weaknesses before an audit or investigation, and much more difficult to do so in the midst of one. Our firm (Nixon Peabody) works with providers and their vendors to review HIPAA compliance programs and implement any necessary updates before issues arise. OCR will definitely investigate any mass breach that involves over five hundred people and they may investigate smaller breaches and complaints, especially if it is a high profile case.

It’s important to be proactive to determine where your practice stands, relative to compliance, before a complaint or breach requires it.

Valerie Breslin Montague focuses her practice on regulatory compliance, nonprofit governance and tax exemption, and HIPAA/health information privacy and security. She is a partner at the firm Nixon Peabody in Chicago. If you would like to learn more about HIPAA compliance and risk management, you can contact her here.