Here’s a new HIPAA cartoon. This cartoon is about protected health information (PHI). In the HIPAA regulations, the definition of PHI is quite complicated, as it is splintered into at least three separate parts that appear in HIPAA’s definitions section. Pursuant to HIPAA, 45 CFR 160.103:
Health information means any information, including genetic information, whether oral or recorded in any form or medium, that:
(1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
Recently, I created two new HIPAA training resources.
I created a 1-page visual summary of HIPAA, which I call the HIPAA Whiteboard. The idea was to summarize HIPAA in a concise and visually-engaging way. You can download a PDF handout version here. We’ve been licensing it to many organizations for training and awareness purposes.
HIPAA Interactive Whiteboard
I subsequently created a new training module — an interactive version of the HIPAA Whiteboard — the HIPAA Interactive Whiteboard. When people click on each topic, the program provides brief narrated background information, presented in a very understandable and memorable way. Trainees can learn at their own pace. This program is designed to be very short — it is about 5 minutes long.
It can readily be used on internal websites to raise awareness and teach basic information about HIPAA. It can also be used in learning management systems.
At the end of 2017, the OCR logged just under $20 million in fines for HIPAA violations from 10 enforcement actions with monetary penalties. In 2016, the total in penalties was roughly the same amount but from 15 organizations.
Here is an overview of the resolution agreements and enforcement actions with civil monetary penalties from 2017:
Lessons from 2017
Devices, devices, devices . . .
Quite a number of cases involved failure to implement safeguards for PHI on mobile devices. The best fix is to superglue devices to staff. Short of doing that, organizations should recognize that mobile devices frequently get lost or stolen, so there should be heightened security controls when PHI is accessible on these devices.
Several cases involved failing to provide timely notice or to act promptly after problems were discovered. In politics, it’s often not the scandal, but the coverup that fells politicians. In the world of HIPAA, it’s often not the incident, but the response that leads to organizations being penalized.
This cartoon is about snooping, one of the most common HIPAA violations. HIPAA prohibits accessing information that people don’t need to do their jobs. It can be easy to look at electronic medical records, and people who snoop in this way might not perceive it as wrong. But the cartoon invites people to imagine how creepy the snooping would appear if it were occurring right in front of patients. Computers remove the interpersonal dynamic, making it harder for people to fully appreciate the wrongfulness of their conduct.
Though the high-profile, celebrity snooping incidents garner all the media attention, smaller cases affecting everyday individuals make up the bulk of the cases and legal activity. A large number of inappropriate access claims involve people checking on protected health information (PHI) about family and friends. Snooping is not intended maliciously. Often a concerned staff member will access the patient records of a family member or acquaintance out of worry or concern. In one case, a nurse in New York was fired for disclosing a patient’s medical history to warn a family member who was romantically involved with the patient of the patient’s STD.
A Not-So-Far-Fetched Seinfeld Episode
In a Seinfeld episode called “The Package” from 1996 (click here to see the scene), airing just months after HIPAA was passed, Elaine goes to see a doctor for a rash.
Ransomware has been sickening healthcare institutions. It has become a plague.
By Daniel J. Solove
ProPublica has been running a series of lengthy articles about HHS Office for Civil Rights (OCR) enforcement that are worth reading.
A Sustained and Vigorous Critique of OCR HIPAA Enforcement
A ProPublica article from early in 2015 noted that HIPAA fines were quite rare. The article noted that from 2009 through 2014, more than 1,140 large data breaches were reported to OCR, affecting 41 million people. Another 120,000 HIPAA violations were reported affecting fewer than 500 people. “Yet, over that time span,” the article notes, “the Office for Civil Rights has fined health care organizations just 22 times. . . . By comparison, the California Department of Public Health . . . imposed 22 penalties last year alone.”
I’ve been going through my blog posts from 2015 to find the ones I most want to highlight. Here are some selected posts about health privacy and security:
By Daniel J. Solove
Whenever I go to a doctor and am asked what I do for a living, I say that I focus on information privacy law.
“HIPAA?” the doctors will ask.
“Yes, HIPAA,” I confess.
And then the doctor’s face turns grim. At first, it looks like the face of a doctor about to tell you that you’ve got a fatal disease. Then, the doctor’s face crinkles up slightly with disgust. This face is so distinctive and so common that I think it should be called “HIPAA face.” It’s about as bad as “stink eye.”