The allergy practice settlement that was recently announced will be known as the "no comment" settlement in my mind.  As always, there are lessons to be learned from this announcement and the way OCR handled it.  This settlement raises a lot of discussion about how to handle public comments from patients.

HIPAA For MSPs by David Sims Should Have Said No Comment

This announcement added a new twist to the ones we have seen lately.  In this case, it boils down to a few issues.

  1. Talking to the media about patients is never a good idea without authorization.
  2. When someone screws up, no matter who they are, you have to apply your sanction policy.
  3. If you get a notice from OCR about an investigation, you should take immediate action to address the case.

Here is the gist of the case.

A patient had an issue bringing a service dog into an allergy clinic.  The patient got angry enough that they filed a complaint with HHS for civil rights violations.  Then they talked to a reporter about the complaint.  The reporter called the office to get a statement.  What happened next is why it became a HIPAA issue.

The request for comment to the office prompted two things to happen:

  1. The privacy officer said don't comment, or say "no comment."
  2. The doctor unloaded on the reporter, which prompted the call.

At this point, both DOJ and OCR told them, "We are looking into what is going on here."  When that happened, another HIPAA problem emerged.  This second HIPAA issue is what really pushed this one into the "make an example out of them" pile.  They did nothing about the violation the doctor committed.  There were zero sanctions enforced after a blatant disregard for patient privacy laws.

OCR points out that not only did they do nothing when it happened, but they still did nothing when they were notified of the investigation.  This is an important point we should all pay attention to in the future.  If there is an investigation notification, you should review everything and make sure you now do anything you didn't do when the incident occurred, like sanctioning the staff member for their infraction.

There were several articles about the no comment case that talked about the three-doctor group paying six figures.  Those articles miss the real points that OCR is trying to make with this example.  The points here are that:

  1. You can’t talk publicly about information or people that you know through your job.
  2. If there is a HIPAA violation you must sanction the workforce member(s) no matter who that may be.

Another important point this one brings up is at what point we can defend ourselves from this type of attack, especially when it is unwarranted and relentless, as some can be on social media and review sites.  While this may be a concern for many, it is probably still not a good idea to engage those folks.

The human urge to respond to criticism is what gets used against people over time.  "Don't call my baby ugly" is not a defense when it comes to privacy laws, however.  Often, this comes up when people are basically trolling doctors, practices, businesses, or individuals online.  If the person making noise is someone known to you through your job, then you really should not say anything to them or about them publicly.  If they give you consent you can, but what troll would do that!?

Most trolls that do this stuff are only emboldened by the responses.  It is very hard to shut them down.  You are probably better off getting others to post positive responses than addressing the negative one.

Another issue is responding to positive reviews with details that you shouldn't include.  If someone gives you a glowing review or thanks you for being awesome, the best response is something like "Thank you for your kind words."  If you reply with something like "We love having you as a patient," you have now released PHI about that person.  Who knows how that could come back and bite you in the you-know-where.

Finally, let's talk about the CAP.  This one runs two years, but it focuses on developing policies and procedures and enforcing them.  Most of it is about the privacy rules and making sure the staff understands what IIHI and PHI are.  But buried down in there you see the security rule quietly lurking:

Instructions and Procedures that address appropriate administrative, technical and physical safeguards to protect PHI from any intentional or unintentional use or disclosure (a) that define PHI as it relates to IIHI and (b) for media inquiries.

As we have pointed out before, these corrective action plans, or CAPs, have a clause in them saying that if you don't stick to the plan, you go back to the penalty phase of enforcement.  That means: "Do you remember the amount we told you we could actually set as the fine for you over this?  Well yes, we will go back to that, because you failed to hold up your end of the bargain."

"No comment" is the easiest way to go if you feel that you can't just say nothing.  But as Mike Birbiglia says in a very hysterical comedy bit, "What I should have said was nothing."