A patient of Elite Dental Services of Dallas, Texas left a review of the practice on Yelp, a business directory service out of San Francisco. The patient had complained to the Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) that Elite had responded to her review by improperly disclosing her last name, medical condition, treatment plan, cost of the services performed, and insurance information. See HHS press release at https://www.hhs.gov/about/news/2019/10/02/dental-practice-pays-10000-settle-social-media-disclosures-of-patients-phi.html. See resolution agreement and corrective action plan, which included an HHS OCR HIPAA fine, at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/elite/index.html.
In its investigation, OCR determined that Elite had made similar improper disclosures on Yelp when responding to patient reviews. Specifically, OCR found the Elite disclosures improper under 45 C.F.R. § 164.502(a); that Elite had not implemented policies and procedures relating to the release of protected health information (“PHI”) on social media and other public platforms, in violation of 45 C.F.R. § 164.530(i); and that Elite had not properly included the matter in its Notice of Privacy Practices, under 45 C.F.R. § 164.520(b).
Note that nowhere does the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) specifically require a social media policy. 45 C.F.R. § 164.530(i) requires covered entities merely to “implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements [of the rules].”
But as this author has said repeatedly, most recently in his book The Complete Guide to HIPAA Policies and Procedures, with accompanying CD of sample policies and procedures, Overland Park, KS: Veterans Press (2013), three categories of policies exist: required (that you must have), addressable (that you must have if your risk analysis demonstrates that they are reasonable and appropriate for your situation), and other (that are not specifically mentioned but that, if you don’t have them when you need them as a security measure, they might as well be addressable). Appendix A of that book follows. It has an (R) parenthetical for required policies, an (A) for addressable ones, and an (O) for all others.
POLICY LISTING
A list of all policies that the author could conceive of follows. That is not to say that some new risk, a new way of providing health services, or a new rule by DHHS will not require a policy not listed below in the future. Develop and use your policies and procedures to do what you can to avoid an HHS OCR HIPAA fine. Check my blog at www.veteranspress.com for a discussion of these events.
The parenthetical after each policy will tell you whether it is required (R), addressable (A), or other (O)―that is, neither required nor addressable but perhaps mandatory to avoid an allegation of willful neglect if you have a breach in that area. To the right of the list are comments to help you assess whether you need such a policy. On the Premium Member Section of my website, I have posted some new “other” policies that changes in threats, technologies, or enforcement have suggested.
| o Access Authorization Policy (A)
|
If you have a number of workforce members, this policy is probably reasonable and appropriate. I find that combining it with other access policies is a good idea because that way your workforce members do not have to wonder whether a particular issue is covered in the Authorization Policy or the Access Establishment Policy. They can go to the overall Access Policy and find the paragraph or part concerning the issue. |
| o Access Control and Validation Procedure (A) | See discussion of Access Authorization Policy immediately above. |
| o Access Establishment and Modification Policy (A)
|
See discussion of Access Authorization Policy immediately above. |
| o Alternate Communications Policy (O) | Probably a good idea if you are a direct service provider, such as a family practice, and may be a good idea if you are a secondary service provider, such as a laboratory. |
| o Authentication (Electronic Signature) Policy (O) | Probably necessary if you have an electronic health record. |
| o Authorization and/or Supervision Policy (A) | See discussion of Access Authorization Policy above. |
| o Breach Notification Policy (O) | One of the more critical policies to have even though it is not expressly required because how you handle breaches is of high importance to HHS auditors and the greatest civil money penalties are reserved for breaches that you do not handle properly. |
| o Business Associate Policy (O) | Necessary if you have a number of departments, all with their own separate business associates. |
| o Cell Phone (or Portable Device) Policy (O) | Necessary if you have a number of workforce members who need to use their cell phones for their duties. |
| o Complaint Procedure (R) | Required. |
| o Contingency Plan (R) | Required. |
| o Data Backup Plan (R) | Required. |
| o Designated Record Set Policy (O) | May be necessary if you have a lot of PHI in different places, such as health records, billing records, and the like, to determine which records qualify as designated record sets that must provide patients certain rights. |
| o De-identification Policy (O) | May be advisable if you conduct research or other activities involving de-identified health information. |
| o Destruction (Disposal) Plan (R) | Required. |
| o Device and Media Control Policy (R) | Required. |
| o Disclosures to Family Members Policy (O) | May be a part of an overall Release of Information/Disclosure Policy, but having it as a separate policy may be helpful if you have a lot of interactions with family members of your patients/clients. |
| o Disclosures to Law Enforcement Policy (O) | May be a part of an overall Release of Information/Disclosure Policy, but having it as a separate policy may be helpful so that your workforce members aren’t stressed out looking through the larger policy when a menacing law enforcement officer is standing in front of them and demanding access NOW! |
| o Disaster Recovery Plan (R) | Required. |
| o Electronic Signature Policy (O) | Probably necessary if you have an electronic health record—that is, essentially same as Authentication Policy, above, although the Authentication Policy is broader in that it may specify time frames for authenticating the chart, and so forth, as well as how to affix a proper electronic signature. |
| o Email Policy (O) | Unless you absolutely prohibit sending email containing PHI (which should be prohibited in writing), an email policy is probably necessary because of the high risk of email. |
| o Emergency Mode Operation Plan (R) | Required. |
| o Evaluation Policy (update of risk analysis) (R) | Although updating your risk analysis is required, arguably you don’t have to have a policy specifying that you are going to do so, but it may be wise to ensure that you get it done. This policy could be part of an overall Health Information Security Plan or a Risk Analysis Policy. |
| o Fax Policy (O) | May be wise if you are sending and/or receiving faxes containing PHI. |
| o Fund-Raising Policy (O) | Only possibly necessary if you conduct fund-raising. |
| o Hybrid Entity Policy (O) | Only possibly necessary if you have covered entity components and non-covered entity components within the same organization. |
| o Information System Activity Review Policy (Audit) (O) | Information System Activity Review is required, but having such a policy is not, in terms. Consider whether you need to specify in a policy what auditing you are doing. |
| o Internet Use Policy (O) | May be wise if you are transmitting PHI, communicating with patients, and so forth over the internet. |
| o Isolating Health Care Clearinghouse Functions Policy (R) | Only necessary if you qualify as a hybrid entity with both provider or health plan functions and also function as a clearinghouse. |
| o Limited Data Set Policy | Only necessary if you use limited data sets for research or other functions. |
| o Log-In Monitoring Policy (A) | May be covered in an Information System Activity Review (Audit) Policy. |
| o Maintenance Plan (A) | Would only seem reasonable and appropriate if you have a lot of changes to your physical security measures. |
| o Marketing Policy (O) | Only necessary if you market your products and services. Such activities as continuity of care, appointment reminders, and prescription refill notices are not marketing. |
| o Media Reuse Policy (R) | Required but could be a part of other policies, such as an overall Security Policy or Destruction Plan. |
| o Medical Records Content Policy (O) | Only tangentially a HIPAA issue, but as a standard of care issue, may be helpful to avoid charting problems and may be helpful from a HIPAA perspective in determining what the medical record system of records in a designated record set consists of. |
| o Minimum Necessary Policy | Required. |
| o Movement of PHI Policy (O) | Not required in terms by HIPAA but is one of the more critical policies because the single biggest category of reported breaches to DHHS is loss or theft of a portable device or media, and many civil money penalties or settlements in lieu thereof involve loss or theft of a portable device or of paper records. |
| o Password Policy (O) | Probably necessary if you allow workforce members to choose their own passwords to ensure that they choose secure ones. |
| o Password Management Policy (A) | This policy differs from the Password Policy, immediately above, in that it covers how the covered entity or business associate will manage passwords. The two could certainly be combined into one policy. |
| o Patient Access Policy (O) | This policy could be part of a Release of Information Policy or could be separate if handling requests for patient access is very common or problematical. |
| o Person or Entity Authentication (R) | Must know who tried to or did access PHI, but such a policy is probably necessary when the covered entity or business associate has a number of workforce members. |
| o Portable Computer Policy (O) | Not mentioned in terms but falls under the Device and Media Controls Standard. Because, however, the single biggest category of reported breaches to DHHS is loss or theft of a portable device or media and many civil money penalties or settlements in lieu thereof involve loss or theft of a portable device or of paper records, such a policy appears necessary if you use such devices. |
| o Privacy of Deceased Patients Policy (O) | Could be included in the Release of Information (Disclosure) Policy, below. |
| o Processing Records Policy (O) | HIPAA does not require such a policy in terms, but besides its utility in simply ensuring proper creation, maintenance, and so forth, of records, it may have HIPAA implications as to contents for the minimum necessary rule (which generally does not apply to medical records use for treatment but does for financial records) and for what constitutes a designated record set. |
| o Processing Requests for an Accounting or an Access Report Policy (O) | May be combined with others, such as the two following, in a patient’s rights policy. Must handle such requests, but HIPAA does not say that you must have a policy how to do so. |
| o Processing Requests for Correction/Amendment Policy (O) | Same as immediately above. |
| o Processing Requests for Restriction Policy (O) | Same as above. |
| o Protection from Malicious Software Policy (A) | Could be contained in other policies, such as an overall Security Plan, Email Policy, Workstation Use Policy (do not upload data or programs without the permission of the security officer), and the like. |
| o Red Flag Policy (O) | Not required by the Red Flag Rule, but HIPAA requires protection of all PHI, not just the clinical, and PHI includes financial and demographic information that could be used for identity theft. Thus, although the Red Flag Rule is inapplicable, HIPAA may imply that such a policy is a good way to protect such data. |
| o Release of Information (Disclosure) Policy (O) | This policy is perhaps the most important policy that is not expressly required by HIPAA. Because the Privacy Rule’s release of information rules are so complex, such a policy is necessary to ensure proper use and disclosure. |
| o Report and Report Response Policy (R) | Required. |
| o Retention Policy (O) | Not required by HIPAA, but may be necessary to retain documents as required by law and professional standards and may have HIPAA implications to ensure that PHI is not improperly disposed of. |
| o Risk Analysis Policy (R) | Risk analysis is not only required but also one of the very most important components of HIPAA compliance, but HIPAA does not require such a policy. Considering the importance of risk analysis, such a policy may be wise to assign responsibility for conducting and updating it, determining when to update it, and specifying how to do it. See the Evaluation Policy, above, which could be combined into this policy. |
| o Sanction Policy (R) | Required. |
| o Security Plan (Health Information Security Plan) (A) | May be reasonable and appropriate for a large or complex organization to set the strategic direction for its security program. |
| o Social Media Policy (O) | Considering the prevalence of social media in today’s world and the risk inherent in having your workforce badmouth a patient on Facebook or Twitter, such a policy seems required as a practical matter if not yet required in terms by HIPAA. |
| o Telemedicine Policy (O) | May be a wise security measure if you practice telemedicine. |
| o Termination Procedure (A) | Will usually be reasonable and appropriate if you have a workforce of any size. |
| o Testing and Revision Procedure (A) | Although this policy is addressable, it seems to be unwise to have disaster and emergency mode operations plans and not test them and revise them, if necessary. |
| o Text Messaging Policy (O) | This policy could be a part of a cell phone or similar policy but may be wise considering the widespread use of text messaging. You may want to simply prohibit texting PHI or, if you permit it, impose security measures on the practice. |
| o Training Policy (O) | May be useful if you have a large workforce with differing needs for HIPAA training. |
| o Work at Home Policy (O) | Besides being helpful for HIPAA security issues, such a policy could cover other compliance issues, such as workers’ compensation liability. |
| o Workforce Clearance Procedure (A) | Would seem reasonable and appropriate if you have a large workforce or particularly sensitive information. |
| o Workstation Use Policy (R) | Required. |
Note that, although health information law in general allows providers to use and disclose health information as necessary to defend themselves, as in a malpractice case or a termination of privileges case, among others, disclosure is authorized only when the matter ripens into a judicial or administrative proceeding, 45 C.F.R. § 164.512(e), not a complaint on social media. That judicial or administrative proceeding also requires a court order, subpoena, discovery request, or other lawful process that meets specified criteria in that rule. A covered entity could also disclose PHI to defend itself in a complaint investigation by OCR or disclose to its legal counsel as necessary to defend itself or otherwise respond under the health care operations authorized disclosure language of 45 C.F.R. § 164.506.
Thus, do not respond to a patient’s social media, newspaper, television, or other attack by disclosing PHI without the individual’s written authorization (which you are very unlikely to get!).
Alice here: Yes, once again, I am here to try to sell things to keep you and us in business. Surely, after having read Jon’s blog items all these years, and especially today’s blog item, you recognize that you must keep your risk analysis up to date so that, among other reasons, you can base your policies and procedures on facts, not guesswork. Make sure that you include malware and ransomware in your initial risk analysis and all updates thereof. If you need help with your risk analysis, either initially or for an update, Jon Tomes has written a Risk Analysis ToolKit to provide the structure and tools to help you complete the requirement under HIPAA. You and your risk analysis team can fill it out and document your decisions as to what is reasonable and appropriate for you to adopt in the way of policies and procedures and be done with it. Or you could send your completed risk analysis to Jon to review and render his professional opinion as the country’s leading HIPAA expert (IMO) as to whether it is sufficient to keep you from getting that free trip to Leavenworth or that very expensive trip to the bank. If you have Jon’s Compliance Guide to HIPAA and the DHHS Regulations, 6th edition, with the accompanying HIPAA Documents Resources Center CD, also 6th edition, you can find the Risk Analysis ToolKit on the CD. It is also available with a review by Jon at https://www.veteranspress.com/product/hipaa-risk-analysis-toolkit. Also, Jon Tomes presented a webinar recently on “How to Do a HIPAA and HITECH Risk Analysis.” You can buy a recording of it at https://www.complianceiq.com/trainings/LiveWebinar/2255/how-to-do-a-hipaa-and-hitech-risk-analysis. Jon is also writing a Risk Analysis Update ToolKit, which will be available for you in the near future on the Premium Member section of our website. Please stay tuned for our announcement when it is up and running for you there. Also, include in your risk analysis the lack of a business associate agreement if you are considering hiring a business associate or a downstream business associate.
If you need guidance on how to draft the policies and procedures that your risk analysis or your newly updated risk analysis has shown are reasonable and appropriate for your organization, such as a social media policy, Jon has also written The Complete HIPAA Policies and Procedures Guide, with the accompanying CD of several dozen HIPAA policies and procedures templates for you to adapt to your situation. That book also contains a chapter by me on how to write in general, but more specifically, on how to write a good policy.
Make sure that you train your entire workforce on HIPAA in general and on the HIPAA policies and procedures according to who needs to know what to perform their duties for you. If you need handy HIPAA training in general, consider Jon’s training video and training manual in either of two forms available here: https://www.veteranspress.com/product/basic-hipaa-training-video-dvd-workbook or https://www.veteranspress.com/product/online-hipaa-training-video-certification. Or you could hire Jon to present HIPAA training onsite to your workforce. Just contact him at jon@veteranspress.com or 816-527-3858.
Keep your written documentation of all of these HIPAA compliance efforts where you can find them easily and quickly if HHS shows up demanding your HIPAA compliance documentation. We recommend keeping all of it in Jon’s Your Happy HIPAA Book. Jon included tabs in the three-ring binder for everything that you need to document and a checklist for each tab. I recommend adding the date that you check off each item in each checklist, as one of our clients suggested to us.
If you have had a security incident that you were unsure as to what exactly to do about, or if you are concerned that you may have one, consider reading Jon’s book How to Handle HIPAA and HITECH Act Breaches, Complaints, and Investigations: Everything You Need to Know.
A sample business associate agreement policy and a sample business associate agreement are posted in the Premium Member section of our website at www.veteranspress.com.
As always, thanks for reading Jon’s blog, buying his books and other HIPAA compliance tools, attending our seminars and webinars, and hiring Jon for HIPAA consulting and training. We wish you every success with your HIPAA compliance efforts.
