Meet the HIPPO HIPAA Expert
Omen Safavi, J.D.
Omen Safavi is licensed attorney, who is admitted to the Tennessee Bar. Omen manages the operations of a Maternal Fetal Medicine practice in Austin, Texas.
He is a graduate of the Saint Louis University School of Law, which has been the number one Health Law program in the United States, as ranked by U.S. News and World Report, from 1990-2014. Omen serves as the Director of Compliance for HIPPO Data Storage.
We blogged on this back in early May, but compliance with individuals’ rights to access their PHI under HIPAA is even more critical now that OCR has announced that its current HIPAA audits will focus on an audited Covered Entity’s documentation and process related to these access rights.
In an email sent to listserv participants on July 12, 2016 from OCR-SECURITY-LIST@LIST.NIH.GOV, the U.S. Department of Health and Human Services (HHS) included the following list of areas of focus for the desk audits:
As discussed in our prior post, HHS issued guidance regarding individuals’ rights to access PHI earlier this year. Here is a link to this PHI access guidance: Individuals’ Right under HIPAA to Access their Health Information | HHS.gov
The HHS access guidance stresses that Covered Entities should provide individuals with “easy access” to their PHI and cannot impose “unreasonable measures” on the individuals with respect to this right to access. The HHS access guidance provides important information regarding the different rules that apply when an individual provides a signed authorization for release of their PHI versus when an individual is really making a request for access to his or her PHI.
If an individual is asking for the PHI to be provided to him or her, this is really a request for access even if the individual is providing a signed authorization for release of the PHI.
If the individual is asking the PHI to be directed to a third party, this can be either a situation when a signed authorization is needed or can be an access request, depending on who is really originating the request (the individual or the third party). A Covered Entity cannot require an individual to provide a signed authorization to make an access request. A Covered Entity can require that the access request be in writing and can require use of a form as long as it does not impose undue burden on the individual’s right to access.
The HHS access guidance also indicates that if an individual requests that his or her PHI be provided by email, the Covered Entity is required to do so and further, if the individual requests in writing that the PHI be provided by unsecure, unencrypted email, the Covered Entity is required to do so after notifying the individual in writing of the risks of this method of transmission. (This notice can be included on the access request form.)
As a result of the HHS access guidance, a Covered Entity may need to review and amend its HIPAA Privacy Policies and Procedures governing individual rights with respect to access to PHI, the form it uses for individual access requests, and its employee training protocols to be sure employees aren’t requiring a patient (or member, in the case of a health plan Covered Entity) to sign an authorization form when the patient is requesting access to PHI.
Are strangers wandering around your health care facility with their noses buried in their smartphones? And if so, what should you do about it? They’re playing Pokémon GO, a location-based augmented reality mobile game that was released for iOS and Android devices on July 6, 2016. Its popularity exceeded all expectations (my kids are probably playing it right now).
The game’s objective requires players to search in real-world locations for icons that appear on a GPS-like virtual map. The icons may represent PokéStops where players may find and capture Pokémon (“pocket monster” characters) that appear on the player’s phone superimposed over images of the real-world location when in augmented reality (AR) mode, and “Gyms” where they can virtually battle other players. Niantic, Inc., a Google spinoff, developed the game and based its PokéStops and Gyms on user-contributed locations (“portals”) from its previous augmented reality game, Ingress. These sites include businesses, parks, public buildings, museums, churches, private homes, and yes, even hospitals.
When players encounter Pokémon, they can take screen shots using their phone’s camera, which in AR mode will also capture whatever is in the background at the time. Naturally, this is giving hospitals and other healthcare facilities some concerns about safety, privacy, and maintaining a peaceful healing environment. Indeed, in extreme cases of “invasion by Pokémon GO players,” the law of tort or criminal trespass could possibly be invoked by a health care facility in many jurisdictions. Simply stated, the action of trespass can be maintained against anyone who interferes with the right of ownership or possession of land, whether the invasion is by a person or by something that a person has set in motion. However, such an action would undoubtedly create a media sensation and must be carefully considered before undertaking it
The game has already made headlines for contributing to incidents where deeply-absorbed players have been injured by following their phones into the path of danger. The Advisory Board reports that the game has directed players near a hospital’s helipad Amid ‘Pokémon Go’ craze, hospitals say game players could jeopardize patient safety. Healthcare Business and Technology reports “The sheer amount of unauthorized visitors has raised safety concerns about everything from security issues to increased germ exposure that heightens patients’ risk of infections.” Pokemon Go causes problems for hospitals: How to respond.
Ban it? Embrace it?
Accordingly, some hospitals have asked players to avoid their campuses or banned the game outright. Others have forbidden their staffs from playing the game while on site, according to Healthcare IT News. The game appeals to a surprisingly wide age group since many adults have fond memories of playing the original Nintendo game in the mid-1990’s.
For HIPAA purposes, the use of smartphone cameras in the game can be problematic. At a recent meeting of the Healthcare Council of Western Pennsylvania, compliance officers reported that they had discovered PokéStops in their facility near patient care areas where records were potentially visible. Hospitals certainly do not want to encourage or permit individuals to wander their halls who are not there to obtain care or visit patients they know.
Many hospitals have policies on use of cameras or camera phones on campus, and those policies should be reviewed and recirculated to staff as well as communicated to patients and visitors in light of the popularity of the game.
Some children’s hospitals, however, are big fans of the game and its ability to motivate hospitalized kids to be more physically active and socially interactive. USA Today reports:
In the past, young patients at C.S. Mott Children’s Hospital in Ann Arbor, Mich., shuffled down the hallways without speaking to each other, but now it’s not uncommon to see them stop and talk near a Pokémon Go hotspot.
Advocate Children’s hospital in Oak Lawn/Park Ridge, IL tweeted a photo of a young patient playing the game with the caption “Luke’s mom says @Pokemon Go has been a lifesaver to get him out of his hospital room and moving around!” We hope they had Luke’s mom’s permission for the tweet. Toronto’s Sunnybrook Hospital tweeted : “We love that #PokemonGO encourages exercise! Remember: stay alert & safe. Can’t catch ’em all from a hospital bed.” Of course HIPAA is not an issue in Canada, but there is Ontario’s Personal Health Information Protection Act (PHIPA). And a meme is circulating featuring an anime-style nurse which reads “
Hey Pokémon Go players. Have extra lures? Then drive to your nearest Children’s Hospital and drop the lure there. There are plenty of kids who would love to go out and collect Pokémon, but they are stuck in bed, so this will help them.”
(Lures are markers players can collect and distribute within the game that help attract Pokémon).
Wipe yourself off the map?
Hospitals are not the only unwilling hosts of PokéStops and Gyms. The Holocaust Museum and Arlington National Cemetery are among locations that are included in the game’s map. As a result of objections, Niantic has set up a link to a form on its web site through which you can request removal of a PokéStop or Gym. It is not clear how long it will take for the company to remove an unwelcome site.
It’s common these days for technology to outpace policy, but it’s a good idea to understand this sudden craze and decide how to approach it in your organization.
The aftermath of the Orlando nightclub tragedy has led to much discussion about ways that healthcare providers can and should deal with compliance with health information privacy requirements in the face of disasters that injure or sicken many individuals in a limited time frame. One aspect is the pressure to treat patients while simultaneously fulfilling the need to supply current and relevant information to family, friends and the media about patient status without breaching HIPAA by improperly disclosing protected health information (PHI).
Our partner Elizabeth Litten has already posted a prior blog entry on some HIPAA issues that surfaced in the Orlando disaster. She and I were recently featured again by our good friend Marla Durben Hirsch in her article in the August, 2016 issue of Medical Practice Compliance Alert entitled “After Orlando: Keep family, friends informed without violating HIPAA.” Full text can be found in the August, 2016 issue, but a synopsis is below.
Some of the tips provided by Litten and Kline in the article include the following:
Kline: Review and update your practice’s disaster/emergency plan. “[Orlando] was such a disaster, and [there was an appearance created that] the hospital didn’t approach it with calmness and a professional approach.”
Litten: One of the easily forgotten parts of HIPAA is that a covered entity can exercise professional discretion. “It’s best if the patient can agree [to the disclosure]. But if the patient can’t give consent, the provider has ways to provide information and exercise that discretion.” Kline added, “So there’s no need for a HIPAA waiver; the rule anticipates such situations.”
Litten: Make sure that the practice’s designated spokesperson is knowledgeable about HIPAA. “This includes what can and can’t be divulged to friends, family members and the media.“
Litten: Educate clinicians on professional discretion. “Remember when disclosing information to view it through the eyes of the patient. If you reasonably believe that a patient would want the information communicated, it’s OK. The professional is acting as proxy for a patient who can’t speak.”
Kline: Share contact information so staff can quickly get guidance from the practice’s compliance officer, especially during emergency situations. “For instance, a clinician being bombarded in the emergency department may have a question regarding whether she can tell a patient’s relative that the patient has been treated and released (she can).”
Kline: Add this information to your practice’s HIPAA compliance program. “If you have policies and procedures on this, document that training occurred, and [if it] can show you attempted to comply with HIPAA, a court would be very hard pressed to find liability if a patient later claims invasion of privacy.”
Kline: Don’t discriminate. “So clinicians exercising their professional discretion in informing friends and family members need to be gender neutral and objective.”
Kline and Litten: Train administrative staff about HIPAA. “Not only should medical staff know the rules, but so should other staff members such as front desk staff, managers and billing personnel. It’s pretty bad when the head of a hospital is so uninformed about HIPAA that he provides misinformation to the mayor.”
Kline and Litten: Highlight the limitations of the disclosure. “You can’t go overboard and reveal more than is allowed. For instance, a provider can tell a friend or family member about an incapacitated patient’s location, general condition or death. But that doesn’t mean that he can divulge that the lab tests indicate the patient has hepatitis. HIPAA also requires that a disclosure be made only of information that’s ‘minimally necessary.’”
Planning ahead by healthcare providers can help them comply with HIPAA if a disaster situation occurs to keep family and friends informed as to patient status, while contemporaneously carrying out their most important tasks: saving lives, alleviating pain and providing quality care to victims. This approach, however, combined with a good helping of common sense and professionalism, is not confined to disasters – it should be the practice of providers for non-emergent situations as well.
This web site is not intended to be, and you should not rely on any materials on this blog as a source of legal advice. Postings to this web site have been prepared for informational purposes only.
Transmission or receipt of information contained in this web site does not create an attorney-client relationship. No assurance is given that any correspondence, via e-mail or otherwise, between you and the author of this blog resulting from your receipt of information from this web site will be secure or treated as confidential or privileged. The transmission or delivery of any correspondence will not create an attorney-client relationship between you and the author of this blog. Please do not send the author any confidential information. Legal advice must be tailored to the specific circumstances of each situation, so nothing in this blog should be used as a substitute for the advice of qualified legal counsel in your jurisdiction familiar with your particular situation.
The author assumes no responsibility for the accuracy or timeliness of any information contained in this web site.
This blog is not intended to serve as an advertisement or solicitation of legal or any other business. In particular, the author does not intend or desire to solicit through this blog the business of anyone in any state or other jurisdiction where this web site can be accessed.