Diane Evans

During a recent virtual conference, federal officials offered refreshing new context for why privacy regulations matter. Rules aside, privacy is fundamentally about treating people with dignity and respect.

For long-term care organizations, the message resonates. In addition to the normal challenges of protecting healthcare data, nursing care providers face the heightened risk of social media abuses against residents. Think about an aide, cell phone in hand, standing before a resident covered in feces, or naked in the shower.

Yes, such compromising images get shared with friends. In a defining 2016 memo, the Centers for Medicare & Medicaid Services classified this kind of demeaning social media activity as “mental abuse.”

More recently, a blog post on the website of The Joint Commission offers humiliating real-life examples. As the Commission puts it, social media posts about residents violate “more codes than you could ever imagine.” And of course, such unauthorized posts violate privacy under the Health Insurance Portability and Accountability Act.

As the feds pointed out during their recent conference, the goal of privacy and cybersecurity precautions should be about protecting the people who entrust their care to a chosen healthcare provider. The regulations offer baseline standards for doing the right thing by putting basic cybersecurity measures in place.

Ultimately, the idea is to create a culture of vigilance, so that across an organization, staff members at all levels understand how individuals can be compromised by unauthorized uses of their private information.

Beyond demeaning depictions on social media, think about the potential for identity theft leading to false insurance claims or credit card fraud. Or, consider how embarrassing personal information can damage a person’s reputation — regardless of age.

The challenge is to protect private information in every place where it resides. Beyond electronic records systems, that includes emails, text messages, portable media, electronic devices, fax machines, remote work places and paper files.

Where to begin? Well, here are some essential steps toward a comprehensive privacy approach:

  • Take inventory of all places where private information can potentially be, and decide on a plan for how to protect information in each place it exists;
  • Train staff members, so they truly understand the higher purpose of protecting privacy — and the job consequences for willful violations;
  • Adopt and implement solid security policies, and make sure they are carried out through everyday practices that meet policy objectives.

Policy is the starting point. But it’s what happens on a daily basis that determines whether the policy is meaningfully executed.

For long-term care providers, the stakes of a privacy breach can be high.

A violation of consumer trust can harm an organization’s reputation.

In cases of significant data breaches, potential fines, lawsuits and disruption of services typically cost millions of dollars.

The smart thing is to put simple precautions in place and make them part of daily routines. As one landmark study concluded: Simple steps, like hand sanitizer, go a long way in preventing big problems.

Finally, it is important to note that in protecting consumers, providers protect their own pocketbooks.

As of last year, the feds announced an annual cap on HIPAA fines for organizations making good-faith efforts to comply with regulations. That cap is now at $25,600 a year per violation for organizations acting in good faith — compared to $1.75 million for those in blatant noncompliance. That’s a 6000% difference for doing the right versus wrong thing.

Diane Evans is publisher of MyHIPAA Guide, a HIPAA consultancy and privacy management service.