As we enter the last half of summer and the temperatures start to give us some reprieve from the heat (hopefully), there is no better time than now to review your data privacy practices. Over the past few months, we have seen a startling trend with many of our clients’ security and privacy measures as it relates to protected health information (“PHI”). So that you can avoid similar mistakes, below please find two examples of privacy pitfalls that we have recently come across:
- Personal Cell Phone Use. We have discovered a number of clients who use their personal cell phones to take treatment-related photos or to communicate with patients by text regarding their treatment or clinical needs. We cannot stress this enough, if you are taking treatment-related photos or communicating with patients in writing on your personal cell phone, stop immediately. This has the potential to expose you and your personal phone to potential headaches down the road on multiple fronts. First, if any type of litigation ever ensues relating to a patient with whom you communicated in writing from your personal phone, the data on your phone could be discoverable by the opposing party or subject to subpoena by a third party. Second, written communications with patients regarding treatment and treatment-related patient photos are almost always PHI, and thus must be securely stored. Your personal phone is not a secure method of storing PHI as required by applicable data privacy regulations, especially if others may have access to it. If your phone is lost, stolen or hacked, any PHI on the device could be exposed, which may trigger breach notification requirements to affected patients and government regulators. Third, and importantly, patient communications and photos must be kept in the patient’s record. Failure to transfer them (which few do) could result in allegations of deficient recordkeeping.If you are using your personal phone as indicated above, let us talk you through safer methods for communicating with patients moving forward, to ensure that your personal data is protected and your patient records are complete.
- Notice of Privacy Practices. Included within the many requirements of the Health Insurance Portability and Accountability Act (“HIPAA”), as amended, is the obligation to make your Notice of Privacy Practices (“Notice”) available to your patients. As you may already know, the Notice must advise patients on how you use and share their PHI. What you may not know is where and how the Notice must be posted and made available to your patients. Below is a high-level summary of the Notice’s posting requirements, which we are happy to help you develop and implement:
- You must post the Notice in a clear and prominent location at the office.
- You must have copies of the Notice available upon a patient’s request.
- You must prominently post the Notice on your web site and make it available electronically through the web site.
- For new patients, you must provide a copy of the Notice (hard copy or electronic) and obtain an acknowledgment of receipt no later than the date of the first service delivery.
Getting up to speed with these trending data privacy pitfalls can help you avoid sweating over how your PHI is handled, even if the heat does not relent.