Podcast: Discussing the Implications of Healthcare Privacy Violations
In this episode of our “Florida Capital Conversations” podcast series, healthcare attorneys Mia McKown, Eddie Williams and Shannon Hartsfield discuss how privacy violations can put a healthcare practitioner's license at risk. This conversation covers the types of privacy violations that warrant a complaint, how those complaints are filed and what physicians should do if a complaint is filed against them. They also offer guidance on the best ways to avoid potential violations.
This Tallahassee-based podcast series takes a look at the many different aspects of state and local government through the lens of experienced legal professionals. These candid conversations offer a seat at the table to everyone who listens.
Mia McKown: Hi, this is Mia McKown with Holland & Knight. Thank you so much for joining us for another episode of Florida Capital Conversations. Today with me, I have Eddie Williams and Shannon Hartsfield, and we're going to be talking about how privacy violations can put a healthcare practitioner's license at risk.
How Privacy Violations Can Put a Healthcare Practitioner's License at Risk
Eddie Williams: Hey, Mia. One of the issues that we — Shannon and I — often deal with in the HIPAA privacy world is where providers, they may have a HIPAA violation, and some of the plaintiffs try to sue the physician for that HIPAA violation under HIPAA. And of course, HIPAA doesn't provide a private right of action. But does that mean that the healthcare provider is off the hook as it relates to their license?
Mia McKown: No, that's a really good question. Just looking at it from Florida's perspective, for example, and as you know, we often tell our clients, if you can comply with the law in Florida, you're pretty good nationwide because we have such strict requirements. Florida, I think you eventually, you start really at our Constitution. And in our Constitution, they specifically provide a right to privacy to every Floridian. So that's an expectation. And when it comes to Florida medical records, we have laws that protect the patient's right to keep their medical records confidential. And in those laws, they're only to be disclosed to people that need to know the information or that the patient has given consent. And there are strict rules on how that is to be provided to the person. And what happens, though, as we know, because we represent these clients, because we get those panicked calls, that accidents happen, that there has been some type of disclosure, common mistakes, Shannon — and you can add to this list, because I know you and I have helped clients with certain things — that they have failed to store the patient information and records securely. This is a big one: talking about or communicating patient information with others. We have been in institutions or facilities where we're standing there, they don't know who we are and we're there to do an onsite inspection, and we can hear them talking about other residents where we should not be hearing that information. Using a personal email account or computer to access patient information, leaving the patient information open and accessible on your computer if your computer screen is not turned away from someone that has come to the window for information. Another big one, snooping. Having personnel that should not have access to the information. They're getting unauthorized patient information through their snooping.
Permitting employees to share logins of other employees is another potential issue. And then another one is posting patient information on websites or social media. Shannon, what are your thoughts on some of this?
Shannon Hartsfield: It can really trip up physicians. Patients can go on Yelp or wherever and spout off about their physician and say all kinds of things. And unfortunately, under HIPAA, the physician is constrained. Physicians, these are covered entities under HIPAA, can only use and disclose patient information for purposes of treatment, payment or healthcare operations. And so defending their reputation on social media is a disclosure to the whole wide world. And unfortunately, it's not permissible without patient authorization. So the most they can do, they should do, is just say something like "We don't discuss these types of matters on this platform. Please give us a call at," and, you know, give the number. So that can be frustrating for them. And the temptation is obviously to disclose patient information or defend yourself, but that's probably an easy way to get a complaint with the Florida Board of Medicine if that were to happen.
Mia McKown: Right. And I think traditionally before technology and our means of communication got so digital, we used to think just, you know, speaking out of turn where you're at a dinner party or something of that nature, and they talk about a patient. I mean, that, you know, that was kind of how the violation worked 20, 25 years ago. But some of the examples that we talked about today, they are just normal course of business. And it's not really necessarily that there's some kind of bad actor. It's just accidents happen. But the, the way they govern our practitioners, the healthcare practitioners, they are governed by the Department of Health. And each board, such as the medical board, the osteopath board, the board of nursing, they all have their own disciplinary regulatory guidelines. But the Department of Health, which oversees all of those healthcare practitioners, have their own rules and regulations that apply across the board to every profession. And in particular, Chapter 456 specifically classifies that failing to maintain the confidentiality of a patient as being unprofessional and it could be subject to discipline. And so Eddie to your, all that to get to this point that this is where a practitioner, if there's been a disclosure or a privacy violation, that they can be held accountable on their license.
How to Proceed When a Complaint Is Filed
Shannon Hartsfield: When a physician gets a complaint, what should they do? Besides panic? They probably shouldn't panic.
Eddie Williams: Should they just ignore it?
Mia McKown: No, they cannot ignore it. And often what will happen with the process — and what's interesting is sometimes where we have seen this, and in my experience, is someone, there's been a potential medical malpractice situation — a lot of times the plaintiffs' lawyers will have their patients initiate a complaint with the board, whether it's privacy, any type of thing that they can potentially allege to get a process started and have the Department of Health discipline the doctor, which then helps, or the nurse, which helps their case. So a complaint is filed. In my experience, I have very rarely, I would say almost never, when a complaint comes in, is the matter just closed and they do nothing with it. The only time I've seen it closed is where they were filing a complaint against a nurse and they served it on the board of medicine. And the board of medicine said, we don't have any authority over that. But all they did was direct it to the nursing board. So an investigator will be assigned, they're going to do a notice of investigation and send that to the healthcare practitioner, whether it's the doctor, the nurse, the chiropractor. And you're going to be given an opportunity to respond. And when I say you, I mean the healthcare practitioner. A lot of times the investigators, Eddie, will get you on the phone and have you think that they're your friend and get you talking and providing information that you don't necessarily want out there. What I counsel clients to do is to contact an attorney such as the three of us or someone that they work with that can help them frame the response.
You know, we've talked about in other episodes that privacy issues and policies and procedures that you have in place, the electronic, how the information is stored, is all super technical, and frankly, some of the practitioners don't even know how the information is protected and you need someone to help you guide through the process and that you provide the correct written response about what happened, what the policies and procedures are. And I usually do not want, or advise, my client to talk directly to the investigator. I would rather it be in writing so that you are responding just enough and not providing more information than they need. Then at that point, the investigator really does not make a call on what happens. If they feel, they gather information, they're going to talk to the complainant, they're going to talk to the doctor, they're going to get policies and procedures. They're going to bundle all of that up together and send it to a probable cause panel who will then look at it and make a determination, has there been a violation of one of our practice rules or our statute or violation of safe confidentiality or someone's privacy. If they believe that there is probable cause, which is not saying that they know 100 percent, right, that the person did it. It's just do we think that this is a potential violation? It looks like it is. Therefore, they are going to file what's then an administrative complaint. Now, here's where it gets really, really important because — and this is the kind of stuff, Shannon, I know that makes you very, very nervous when clients come, it's like immediately, what's the deadline? When did you receive that complaint? Because I think I've trained you, Shannon, how many days do you have to respond to the complaint?
Shannon Hartsfield: 21.
Mia McKown: Yes, 21 days. You have 21 days to respond to that complaint. And that timeframe is extremely important because it's often jurisdictional. And if you don't respond till the 23rd day or the 24th day, then the allegations in that complaint are deemed admitted.
Making the Complaint Public Record
Eddie Williams: Mia, at what stage during all of this process does this information become a public record? You know, a lot of times in the industry, credentialing parties, they're trying to determine whether a doctor can be hired, whether, you know, they need to make some changes. You know, they're having to disclose information. So at what point does this, these complaints and the hearing, does that become a public record?
Mia McKown: If a board determines probable cause, Eddie, that's a very good question. Once they determine probable cause, then everything becomes public record. The complaint that was filed, the investigative file, can become public record. The administrative complaint becomes public record. If you enter into a settlement agreement or there's a final order that is issued as a part of that, those documents will become public record once probable cause is determined. If the licensing board does not determine that probable cause exists, then that complaint that was filed, the investigative file, will remain exempt from the public record. As to the administrative complaint, you have a couple of options. Normally, most people, especially with, that have a good regulatory history with their particular board, that they've not been in trouble, have not been dinged for other things, the board is simply going to be seeking maybe a letter of concern, some additional continuing education, as well as a fine that would be paid and the cost for the investigation. And that's usually going to resolve the issue. When you, for example, with the Board of Medicine, however, if you've had more than one offense, it's possible that the board could issue an actual reprimand or even suspend your license. So these violations of protecting the privacy not only are important for your business, protecting your business, it's also important for protecting your individual license to make sure that you aren't disciplined.
Tips for Avoiding a Violation
Shannon Hartsfield: Mia, how can you avoid violations?
Mia McKown: Well an isolated violation, Shannon, may not lead to discipline. You do have to be aware, what I think where the board's really going to get concerned, where they might trigger that reprimand that I talked about or suspension of your license, if they can show what they call a deficient practice or a history of repeated violations, where you've done it on more than one occasion and it's just you're simply sloppy, your staff is sloppy. They've had multiple complaints about the same physician for the same thing. So the best way to avoid those types of violations is on your front end with very strict policies as to how this information is to be maintained. And also, this is critical, regular training with your staff. I know that many of our clients, whether it's physician practice groups, nursing homes, assisted living facilities, they have daily, what they call daily meetings, and almost with every single meeting that they have, we encourage them to encompass some type of training. And it doesn't have to be intensive, but just reminders of how they're supposed to be maintaining the EMR, making sure that they are in private, and that when they're on the phone with someone, that another resident or patient is not present. That constant training is the best, I think the best source and the best way to keep violations from happening. It's also going to be something that the regulatory body is going to look at and see that you were careful about it. They recognize that sometimes accidents do happen, and if you can show and document the training and vet your policies and how careful you are, that's going to go a long way to hopefully prevent any type of finding that you have, you know, that you are a repeat violator. 
But again, if you have any type of these questions, if you get something from your regulatory body, I think it's important to consult with your internal either office manager, risk manager, in-house counsel to help you frame these responses, because you want to make sure that you're providing all the accurate information but not disclosing too much at the same time.
Shannon Hartsfield: Well, thanks, Mia. That was really informative. And I know this information is very, very important. So thank you for sharing it.
Mia McKown: Thank you so much for joining us today as we talked a little bit about how privacy violations can impact your license with your regulatory board. Shannon, Eddie, thanks again for your time. And we look forward to another episode of Florida Capital Conversations.