Freckles and Lawsuits


Virtually every physician knows that patient privacy is sacred. Outside of treatment, payment, and health care operations, one needs a patient’s written authorization to disclose what is known as protected health information (PHI). This is covered by state and federal (HIPAA) privacy laws.

If a doctor publicly posts the medical record, that is disclosure of protected health information.

If a doctor acknowledges a particular patient is indeed a patient of his, that is disclosure of protected health information.

But, what if the doctor just describes the generalities of a case to the public, without disclosing the name or identifying information of the specific patient.

Well, it depends upon whether or not the “dots can be connected” to identify the individual.

Which brings me to Jane Doe in the Chicago area.

Ms. Doe had breast augmentation surgery. She was presented with two forms: one allowing the doctor to take photos for medical use, and a later “waiver” allowing the photos to be used for promotional and marketing purposes. She says she signed only the first release.

Before and after pictures of the patient’s breasts were allegedly placed on the doctor’s website. No name. No face. At first blush, it would seem that these breasts were not protected health information.

Not so, as articulated in the lawsuit filed in Cook County.

Ms. Doe’s lawyer is arguing that the patient has a distinctive freckle pattern on her chest allowing her to be identified by those who know her well. The complaint continued that she had an intense fear that friends or family would find these photos online.

The practice took down the photos as soon as they were made aware the patient did not want them on the website. But, the lawsuit soon followed.

Sometimes, it does not take much to “identify” a patient. Could be a distinctive tattoo, scar, or anything else.

The take home message is if there is any doubt, get the patient’s written authorization to use the photos in the manner in which you intend to do so.

Which brings me to North Carolina Medical Board’s proposed Policy for the Use of Audio or Visual Recordings in Patient Care.

The backdrop:

The Board recognizes that there may be valid reasons for licensees to make audio or visual recordings of patients during a healthcare encounter. However, such recordings must be made for appropriate professional reasons and should employ safeguards that protect a patient’s autonomy, privacy, confidentiality, and dignity. In instances where a patient may be asked to disrobe, the patient should be provided an opportunity to disrobe beyond the view of any camera.

So far, so good.

Prior to an audio or visual recording being made of a patient, licensees should ensure that they have obtained the patient’s informed consent. The informed consent should be documented in the medical record and should allow the patient an opportunity to discuss any concerns before and after the recording. The patient should also be informed:

1. Of the purpose of the recording and its use;

2. That the recording is voluntary and that a refusal to be recorded will not affect the patient’s care;

3. That the patient may withdraw consent to be recorded at any time and what will be done with any prior recordings;

4. Of the possibility of accidental or deliberate dissemination during the acquisition or storage of the information.

Huh?

While I understand the rationale for getting a patient’s authorization if photos will be used for anything other than direct patient care, this policy goes much further. Note that HIPAA does NOT require a patient’s written authorization to disclose protected health information for treatment, payment, or health care operations. For example, you may speak with the patient’s referring doctor to take care of the patient – unless the patient explicitly tells you not to.

What if you want the medical records to include a video of a patient’s treatment after surgery for Parkinson’s disease? Before and after photos for the medical record for plastic surgery patients? How about photos of an unconscious patient being treated for trauma?

I could go on.

My take. This policy seems onerous and burdensome.

What do you think?

What NOT to do…


A Texas physician who performs aesthetic treatments recently agreed to disciplinary action by the Texas Medical Board. In 2015, a patient underwent a series of non-invasive laser treatments with Dr. Tinuade Olugesugun-Gbadeham. Around May 27, 2015, the patient made a video testimonial on the results of these procedures. The patient gave consent to have photos and videos taken – though authorization was limited to “anonymous use for the purposes of medical audit, education, and promotion.”

The patient’s video was posted to the doctor’s Facebook page with full face shots. No attempt to mask the patient’s identity.

The video suggested the patient was happy with the procedures.

But, soon after, all was different.

Two months later, the patient replied to the Facebook post saying “OK, I’ll make my Comment! Beware! Send me a personal message, and I’ll share my experience with this crap!”

Not a happy camper.

The patient disputed some of the charges for the procedure with her credit card company – and this may have fueled the deteriorating doctor-patient relationship.

Dr. Tinuade Olugesugun-Gbadeham and the patient exchanged a number of emails.

Around August 19, 2015, the doctor allegedly responded to the patient via email, “The contrast between your printed words and your video-taped testimonial are completely contradictory. …This video result, when posted as a response to your next slanderous comment about the Dr. O Lift on social media, will be just as damaging to YOUR professional reputation. Let this communication serve as our formal legal notice to you regarding these matters.” Just so we’re clear here. The doctor is writing this to the patient.

The patient then explicitly directed the doctor to remove the online video testimonial.

The saga continued.

Around August 29, 2015 and September 14, 2015, the patient filed police reports alleging that the doctor was harassing her in retaliation for a billing dispute by posting a videotape taken of her in her undergarments on Facebook and YouTube and by sending a copy of the videotape to her credit card company (challenging the chargeback).

On September 14, 2015, the doctor emailed the patient indicating that she would continue to post and distribute the patient’s videotape and that the patient would regret reporting anything against the doctor. The doctor allegedly wrote, “I will damage your professional reputation, and you will be humiliated!” In addition, “[P]eople will see your glowing testimonial and your body, enjoy your Hi-Def video! Enjoy as others will do the same.” Just so we’re clear here again. The doctor is writing this to the patient.

The patient filed a complaint with the Texas Medical Board arguing she suffered burns during the first procedure. She also claimed she was overbilled and was disputing some of the charges with her credit card company.

The Texas Medical Board concluded the posting of the video was a HIPAA violation and was unprofessional. The Board also ruled that an email containing the link to a posting of the video, sent to the patient in an “unsecured format” (i.e., unencrypted), was ALSO a confidentiality breach and was unprofessional.

The Texas Medical Board continued with its laundry list. They also concluded Dr. Olusegun-Gbadehan sent the video to the merchant processing company in response to the billing dispute as evidence that the patient initially appeared to be happy with the treatment, but this too was a violation of the patient’s privacy. Piling on indeed.

Although patients cannot sue directly based on HIPAA (the statute provides no private right of action), the case still lingers on.

The patient sued Dr. Tinuade Olugesugun-Gbadeham for mental anguish, physical pain, and suffering. This is being packaged as a health care liability claim claiming the publication of the video and subsequent correspondence via email were intended to damage the patient’s personal and professional reputation.

A handful of comments…

Get the appropriate consent for photographs/videos. We have generic consents for photographs/videos. Just ask.

Honor those consents. If the consent asks that pictures/videos be de-identified, make sure the pictures cannot be tied back to the individual patient. This often takes more than just putting a bar over the patient’s eyes. For example, if the photo includes an unusual shoulder tattoo, that is a potentially identifying mark.

HIPAA does actually allow you to send limited protected health information without the patient’s authorization to address a payment dispute; this falls under the “payment” prong of treatment, payment, and health care operations, and it is subject to HIPAA’s minimum necessary standard. HIPAA is a federal law, and a given state may have more stringent requirements than the federal baseline. But in addressing a financial dispute, little needs to be sent. For example: that the patient signed a credit card receipt authorizing payment for a specific procedure on a specific date, and that the procedure was indeed done. There’s no need to send a videotape of the patient in undergarments waxing eloquent (no pun intended) about how great the procedure was. The credit card company is not adjudicating whether the patient has buyer’s remorse. Merely whether the payment was authorized.

If a patient asks you to remove an online photo/video and it is within your reasonable control to make it happen, just do it. HIPAA allows patients to withdraw their authorization to disclose protected health information. Obviously if the patient’s photo is published in a national magazine, you cannot reasonably recall each copy. But, if it is on your Facebook page, you can honor the request.

Like many things, disputes over money can escalate into World War Three. Such disputes can often be pre-empted with targeted diplomacy.

What do you think?


 Feeling the pressure? Learn how we can protect you…

We know your time is valuable. Spend a few minutes with us and discover how membership protects what’s important to good medical practice – and does away with what’s detrimental…

Browse Our Protection Programs

Damn, that’s awkward…


Ars Technica and the Minneapolis Star Tribune recently reported that Mayo Clinic is considering prioritizing patient care with private insurance over those with Medicare and Medicaid.

The Minnesota Department of Human Services (which oversees Minnesota Medicaid), stated:

“Fundamentally, it’s our expectation at DHS that Mayo Clinic will serve our enrollees in public programs on an equal standing with any other Minnesotan that walks in their door…We have a lot of questions for Mayo Clinic about how and if and through what process this directive from Dr. Noseworthy (Mayo’s CEO) is being implemented across their system.”

No need to speculate about the reasons. It’s about cash flow.

Dr. Noseworthy said in a video to Mayo employees:

“We’re asking…if a patient has commercial insurance, or they’re Medicaid or Medicare patients and they’re equal, that we prioritize the commercial insured patients enough so…we can be financially strong at the end of the year.”

Mayo has stated ~50% of its patients are beneficiaries of government programs. And Mayo has had a recent surge of 3.7% in Medicaid patients.

“If we don’t grow our commercially insured patients, we won’t have income at the end of the year to pay our staff, pay the pensions, and so on…So, we’re looking for a really mild or modest change of a couple percentage points to shift that balance.”

In 2016, Mayo reported $475 million in profit (or more accurately net operating income).

Whether or not Mayo makes a profit is not the point of this post. If any healthcare institution cannot make a profit and pay its bills, it will soon be unable to provide services for anyone.

The point is how Mayo delivered its message.

Mayo Clinic posts a document Rights and Responsibilities of Patients on its website which includes this term:

“Access to care: Individuals shall be given impartial access to treatment or accommodations that are available or medically indicated regardless of race, creed, sex, national origin, cultural or spiritual values, disability or source of payment.”

PR 101: Before you launch a program that will likely be controversial, make sure it jibes with your organization’s pre-existing messaging.

It will be interesting to see how this plays out.



Dealing With The “HIPAA Police”

We continue with our series of general educational articles penned by one attorney, an MD, JD, giving you a view of the world through a malpractice plaintiff attorney’s eyes. This attorney is a seasoned veteran. The series includes a number of pearls on how to stay out of harm’s way. While I do not necessarily agree with 100% of the details of every article, I think the messages are salient, on target, and fully relevant. Please give us your feedback – and let us know if you find the series helpful. Finally, these articles are not intended as specific legal advice. For that, please consult with an attorney licensed to practice in your state.


“That’s a HIPAA Violation!”

We’ve all dealt with them – the facilities, physicians and office workers so zealous about HIPAA regulations that they bring your practice to a grinding halt.

In reality, most of the time-sucking things they mandate are based on their misunderstanding of the law.

Let’s look at a few tales from the trenches to see how you can make your own life easier and still stay on the right side of HIPAA.

1. My partner says that because of HIPAA we can’t have a sign-in sheet at the front desk. Even if it is not left out, the next patient can still see the names of the prior sign-ins when it is handed to them for them to sign in. This is making it harder for the admin to track patients and for us to follow how we are doing in terms of seeing patients on schedule. So now everyone is annoyed.

HIPAA requires you to take reasonable precautions to minimize the release of Protected Health Information (PHI) in the course of your office’s work. But it does not require absolute confidentiality, because that would make it literally impossible to function. So it all depends on what your sign-in sheet says. A medical fact only becomes PHI when it can be identified as being associated with a given patient. As long as the sheet only lists the name and time, only the most minimal PHI is revealed – that that person is a patient of yours. It is the written equivalent of seeing the person come in the door or sitting in the waiting room but knowing nothing else about them other than that they are there to see you. That level of disclosure is seen as merely incidental to medical care and generally not considered a HIPAA violation.

Taken together with not leaving the sign-in sheet out, recording only the name and time will more than satisfy HIPAA’s requirement that you limit even incidental exposures of PHI.

But, if you have a practice in a sensitive area of medicine, such as high-risk pregnancies or oncology, in which just the fact that the patient is your patient speaks volumes about their medical issues, then you could switch to just logging patients into the computer and skip the sign-in sheet. This will still let you do the tracking you need without any disclosures at all other than to staff.

So, your partner is unnecessarily restricting your work flow. You should instead treat HIPAA’s basic allowance of incidental disclosures of PHI as a floor and let the facts of your own practice set the ceiling.

2. My new admin refuses to call patients by anything other than their first name in the waiting room. She will say “Joe” but not “Mr. Smith” when asking a patient to come with her. She says that at her previous job she was told that this is a HIPAA requirement but I have a lot of patients who consider this disrespectful.

She is over-doing the requirement to minimize incidental exposures of PHI. She can certainly say, “Mr. Smith, come with me please.” What she should never say is “Mr. Smith” – or “Joe” – “the doctor is ready to see you about your syphilitic rash now.”

That Mr. Smith is your patient is an acceptable level of PHI disclosure as long as no other medical information is attached to it.

3. We brought in a HIPAA compliance expert who told us that there should be no discussion of patients outside of a closed room and that even if I have to tell my admin something routine like “Let’s get an LS spine MRI on Mrs. Jones” I have to go into my office and close the door to do so.

I hope that you did not pay too much to that “expert.”

This is again an example of the incidental disclosure of PHI that HIPAA permits, as long as you take reasonable efforts to limit it.

An open crawlspace between rooms that allows sound to easily travel between rooms (so that an entire conversation between you and a patient can be overheard by anyone) can create a HIPAA problem. At the other end of the spectrum, speaking quietly in the open with your admin would not be a HIPAA problem.

4. My office manager instructed the front desk staff to never leave a phone message for a patient about lab results or even to confirm an appointment because if it is overheard by someone else it is a HIPAA violation. The problem is that many of our older patients do not want to use our secure patient portal and ask us to call them.

Your office manager is correct that care should be taken to not leave PHI where it can be accessed by unauthorized individuals. But she is wrong that HIPAA bars leaving a phone message that the patient has agreed to receive.

Just get an authorization from the patient that states the designated number at which they want messages left. Then you can leave a message.

Of course, you should still take reasonable precautions to make sure that you come under the protections of HIPAA’s allowance for incidental releases of PHI.

First, the caller should not be speaking loudly enough to be heard in the waiting room or by passers-by because the combination of a patient’s name and a clinical fact is PHI. Just tell your staff to speak no more loudly than if they were giving their own credit card information over the phone.

The caller should not plunge in with “Mrs. Green, your A1c level is 5.2” and instead start with “This message is for Mary Green. If you are not Mary Green please hang up.” You obviously cannot control what happens on the other end but this is part of your obligation to minimize the risk of PHI being inappropriately disseminated.

5. I referred a patient with persistent tinnitus to an ENT. Now the ENT refuses to send me her report unless I send her a release from the patient because she says that her findings are new PHI beyond what I sent her.

She is wrong and HIPAA specifically addresses why.

In its summary of the Privacy Rule’s provision on “Uses and Disclosures for Treatment, Payment, and Health Care Operations” (45 CFR 164.506), HHS explains that because “Ready access to treatment and efficient payment for health care, both of which require use and disclosure of protected health information, are essential to the effective operation of the health care system…the Privacy Rule permits a covered entity to use and disclose protected health information, with certain limits and protections, for treatment.”

“Treatment” is defined (45 CFR 164.501) as “the provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another.”

Sending your patient for evaluation by the specialist and the specialist then communicating the findings to you comes squarely under that provision.

This also applies, for example, in the all-too-common situation of the ER physician who is told by the Records office at another hospital that they will not provide a needed copy of the patient’s prior records without an authorization.

Unlike the ER physician who then has to trudge to the Legal Department to get the matter straightened out, you are in a position to deal preemptively with this problem. Rather than passive-aggressively sending the impeding practitioner a copy of the law – to which he will passive-aggressively reply that that is not his “policy” (remember that HIPAA is permissive on this, not mandating) – just have all your patients sign a release for the consultant to send results and records to you. Have the patient hand that document to the consultant.

6. Our practice’s lawyer says that under the new Omnibus Rule, we have to get Business Associates Agreements with our cleaning company and trash hauler. Is he just trying to create billable work for himself?

I can’t speak to his motivation – he might simply be confused – but he is wrong about what he told you.

HIPAA requires covered entities like your practice to have written agreements with other entities that are not themselves under HIPAA but that intend to receive or work with your practice’s PHI. Your attorney, for example, would be a Business Associate if he works for you on a case in which he comes in contact with PHI, such as a billing matter or a malpractice defense.

The purpose of the Business Associates Agreement is to get those entities to agree they will appropriately safeguard the PHI they receive or create on behalf of the practice. It is why you do not have to personally track every piece of PHI once it leaves your office and goes to a billing company or to your practice’s accountant or to a storage facility.

The most recent Omnibus Rule did increase the scope of which business associates you must have these agreements with. It now includes those entities that merely store the PHI without ever accessing it (any entity that “creates, receives, maintains, or transmits” PHI on behalf of a covered entity) and also now extends to their subcontractors. But the updated Rule is still only directed to entities that receive the PHI on purpose, to deal with it as such as part of their work for you.

A worker for a company that cleans your office or one that dumps your trash may accidentally encounter some PHI but that material was not sent to him as PHI. By contrast, for example, you would need a Business Associate Agreement with a shredding company because the material they are working on is PHI.

If you really want to dot your i’s and cross your t’s, what may be appropriate for the cleaning company and the trash hauler (although not as lucrative for your attorney) is a confidentiality agreement that says that if their workers come across any medical or financial information, they must immediately return it to the practice and may not copy or use it in any way. This creates a civil right of action for you if it later turns out that a worker misused PHI they happened to encounter and your practice was damaged. Although not required by HIPAA, it is also the sort of belt to go with the suspenders of your Business Associates Agreements that would be good to show to an OCR inspector as proof of how seriously you take these issues.

Of course, you and your staff should be doing all that you can to make sure that PHI is locked away when you leave and is rendered unusable, such as by shredding, when it goes into the garbage.

In summary: Over-zealous HIPAA enforcement usually reflects a lack of understanding of the law, which permits incidental exposures of PHI in the course of practice, communication of PHI to patients by means the patient agrees to, and sharing of PHI with other treaters. HIPAA does not require Business Associates Agreements with every entity that may encounter PHI. However, a practice is responsible for minimizing the risks of a breach in all of these settings.


*** Medical Justice Notes: [HIPAA gets harder and harder to parse each year. It can seem like torture by a thousand paper cuts. Our general counsel, Mike Sacopulos and his organization – Medical Risk Institute, routinely helps clients in a cost effective way with HIPAA audits – before there’s a problem – to keep you out of harm’s way. Mention you subscribe to Medical Justice or Dental Justice to obtain a member discount.]

Texas Enacts a New Patient Privacy Law that is More Stringent than HIPAA

Michael J. Sacopulos, Esq.

Recently, Texas House Bill 300 was signed into law by Texas Governor Rick Perry. The new law, which will become effective on September 1, 2012, expands privacy rights of patients beyond those contained in the HIPAA privacy standards. The law was created in order to better secure patients’ protected health information (PHI) that is sent electronically.

Notably, the new law bans the for profit sale of PHI, requires employees of covered entities to undergo training regarding health privacy law, requires that health care providers supply individuals with access to their PHI within 15 days of a request, increases penalties for the wrongful electronic disclosure of PHI, and requires the Texas Health Services Authority to develop privacy and security standards for the electronic sharing of PHI. Also, the Office of the Attorney General must create a complaint system and maintain a website that includes patients’ medical privacy rights under federal and state law.

House Bill 300 received the support of the Texas Medical Association, which is a physician advocacy group representing over 45,000 physicians in Texas. The complete text of House Bill 300 can be found online at https://www.capitol.state.tx.us/tlodocs/82R/billtext/pdf/HB00300F.pdf