Human beings are social creatures. We take tremendous pleasure in sharing our world with others. There is no better evidence of this than the social media revolution that has taken place over the last few years. Often, when we see something cool, we want to share it with other people. As healthcare providers in an age where digital information can be just as viral as the viruses we treat, it is of the utmost importance to understand the implications of our social media posts.
So where does sharing something cool become troublesome? When you violate the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Social media has the power to amplify somebody’s lapse of judgment to the point where the content is seen by millions around the world in just a matter of minutes. Prior to social media, the error might not have spread to much more than a handful of people, often without repercussions. Now it is often brought front and center to the public’s regulatory eye. It becomes very easy for a potential HIPAA violation to occur and get noticed. It is quite impressive that when HIPAA was created, disks were floppy and websites were ragtag, and we now find ourselves in the midst of massive multimillion-dollar penalties served to entities violating the act.
According to the U.S. Department of Health and Human Services, HIPAA called for the establishment of standards and requirements for transmitting certain health information to improve the efficiency and effectiveness of the health care system while protecting patient privacy. Because protected health information is a major HIPAA theme, it needs to be accurately defined. As defined in the law, “health information” means any information, whether oral or recorded in any form or medium, that:
“(A) is created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
“(B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.”1
What does this mean for you?
So for the average OD, what does HIPAA mean? Most importantly, the Privacy Rule will require optometrists to inform patients about how their information can be used and what their privacy rights are. It also means setting up and implementing privacy procedures for our practices that outline and detail how a patient's protected health information (PHI) is appropriately used and adequately protected. An employee will need to take responsibility for ensuring that these procedures are adopted and adhered to. For most of our small private practices, an office manager or other responsible employee will work fine. This person can also serve as a contact for handling complaints and HIPAA concerns. An employee must review these policies and document that they understand them. For most small private practices, this will suffice as adequate employee training. Finally, the patient’s records need to be secured. The authoritative source for guidance is http://www.hhs.gov/ocr/privacy.2