To Record or Not to Record: Should Visits Be Taped?

A patient walks into a physician’s exam room with an ever-present smartphone or another digital device. The patient is especially concerned about the information that could be discussed during this visit and wants to be sure that they can remember everything that is discussed and presented during the visit. With that in mind, when the physician walks into the room, the patient asks, “Can I record this visit?” With that question, the physician is not sure how to respond.

Traditionally, the response would often be an absolute refusal to permit recording of a visit. Fears over liability or misapplication of the information at a future time were primary drivers for the response. The liability fears can be summarized as follows: a recording can capture everything that is said; some piece of information could be misstated or mistakenly left out; the missing information was a key issue and was arguably connected to some harm the patient suffered; after suffering the harm the patient listens to the recording and decides to do something against the physician; and lastly the patient uses the recording against the physician in the legal action. That chain of feared events stems from a recording coming back to haunt the physician. The other side of the coin would be a patient listening to what the physician says while at home, not fully comprehending everything or only picking out certain bits of information and pursuing a course of action not suggested by the physician. In both instances, the fear of the physician is that the recording will hurt the patient and then the physician will be blamed.

While that is the traditional response, things are beginning to change. Some physicians are becoming more open and accepting of recordings now. The changing attitude makes sense because recording can be analogized to Open Notes or any other movement to more actively engage and involve patients. From this perspective, a recording can be a tool to help promote better health, since the patient spends the majority of their life outside the physician’s office and not otherwise interacting with the physician. Arguably a recording could be used to clearly lay out the steps a patient needs to follow or be used as a reminder of issues discussed. The recording could encourage clearer communication and a focus on breaking ideas down so everyone really understands.

Before hitting record though, there are still issues to consider. First, is the recording going to occur out in the open? Specifically, is the patient asking the physician if recording is ok, or is the patient doing the recording without the physician’s knowledge? This question anticipates the next point of discussion, a general overview of wiretapping laws, but raises a different question before getting there. If the physician is unaware of what is occurring, is a breach of trust occurring? If one party to a conversation does not know what is happening and later learns what did in fact happen, there can be irreparable damage to the relationship. Since the patient and physician relationship is one fundamentally built upon trust, deliberately undermining that foundation seems counterproductive.

The question of whether a visit can be recorded also implicates wiretapping laws. Each state has its own version, so parties will need to know what their own state permits. However, the laws can generally be broken into two categories: one-party consent and all-party consent. One-party consent laws only require one party to a conversation to consent to the recording. In a situation where one party wants to record, that consent will always be present. As such, one-party consent laws could permit secret recordings since the party doing the recording is ok with it occurring. All-party consent laws require all parties to a conversation to consent to the recording. All-party consent laws are the genesis for the message everyone gets when calling any company that says “this call may be recorded.” The party using that message is giving notice of its consent to recording and, by staying on the line, the other party is implicitly agreeing to a recording.

Taking the types of wiretapping laws into the physician exam room, knowing what your state allows becomes very important if there is a concern about recording. If the physician is in an all-party consent state, then the patient needs to ask and the physician can then decide what to do. In a one-party consent state, that option is pretty much rendered moot. What can be done? As with most issues, having a policy can alleviate many of the issues. Developing a policy forces the physician and the practice to think about the issues and determine feelings about recordings. A policy can then be used to proactively inform everyone coming into the practice of what will be permitted. Further, if a patient or other person does not comply with the policy, then a firmer basis exists for taking action to stop the disfavored behavior.

With some of the legal issues on the table, the question still comes back to whether a recording should be allowed. While some may hope for a clear answer to that question, it really depends. The determination depends upon the feelings of the physician and patient and the nature of each relationship. Ultimately, raising the issue and having an open, frank discussion will often be best. That way each side can hear the other out and hopefully come to a consensus.

Posted in Business, Compliance, Health IT, Physicians, State Law

Rocket Pace, But To Where?

Not a day goes by (or many posts on The Pulse Blog) without a discussion of the rapid increase in data breaches impacting the healthcare industry. Information and statistics in this regard are inescapable. For instance, the so-called “Wall of Shame,” which is the public posting of breaches, recently crossed the 2,000 breach threshold. The Wall of Shame first came online in 2009 and took almost five years to hit the 1,000 barrier, but just another 3 years to hit 2,000. Clearly, the data show more breaches are happening and more frequently.

The availability of more data about breaches, though, is a fairly recent development. While the Wall of Shame has now been around since 2009, there has not been a consistent, comprehensive source for information about healthcare data breaches. Sources are developing though, with the Protenus Breach Barometer being one of my favorites. The Breach Barometer is typically published on a monthly basis and highlights totals of known breaches from the previous month. Tracking the Breach Barometer reveals trends, which were highlighted in the recent mid-year Breach Barometer.

The highlights from the mid-year Breach Barometer are that insider issues and hacking incidents account for the vast majority of incidents. Insider issues can be broken into two large categories: inadvertent mistakes and malicious activities. The inadvertent mistakes could be sending to the wrong address, an email error or some other unintentional act. To some degree, the inadvertent mistakes are unavoidable because no one can be perfect. A key with an inadvertent mistake is to catch the problem early, which can enhance the impact of any resulting mitigating act. While inadvertent mistakes are arguably a part of human nature, preparing individuals with comprehensive, consistent and ongoing education and training may reduce the risk. When individuals are aware of an issue and know how to address it, the likelihood of occurrence can be reduced and a natural response built in.

The second side of insider breaches, malicious intent, is harder to control for because, as the name implies, the individual has some bad intent that will motivate attempts to get around defenses. When malicious intent is present, the individual is clearly trying to profit individually or through organized efforts. The bottom line though is a willful disregard for an organization’s policies and the requirements of law and regulation. Awareness of the growing number of malicious intent incidents is the first step in combatting and stopping or preventing them. Up until a couple of years ago, stories that individuals were stealing medical information to sell for profit or otherwise taking advantage of trusted information were rare. Unfortunately, that is no longer the case. Multiple times per year a story of a criminal prosecution or other outcome is reported. Further, malicious intent breaches can often take the form of a “small” breach where only one or a few individuals have their information accessed. Many times, such breaches are done because the individuals know each other, or some personal relationship influences a decision. Small breaches were well-documented in a December 2015 ProPublica article, but it is unclear what, if any, change has resulted.

Even though the malicious intent is designed to elude preventive efforts, tools and methods do exist to help address it. For instance, organizations would be well advised to regularly monitor and audit medical record access. Such efforts are arguably easier for electronic medical records because a log file is often present and some portions of the review can be automated. However, it is unclear how well such efforts are undertaken. Additionally, specific records, such as a “V.I.P.” patient, could be reviewed when a higher degree of concern could be present. Ensuring access is appropriate is a baseline requirement under HIPAA, so the organizational ask is not going too far.
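The automated portion of such an access review could look like the following, an added example that is not part of the original post. The log layout, user and patient identifiers, care-team map and V.I.P. list are all constructed assumptions; a real electronic medical record system will export its audit log in its own format.

```python
import csv
import io

# Constructed sample audit log; column layout and identifiers are assumptions.
ACCESS_LOG = """timestamp,user,user_surname,patient_id,patient_surname,action
2017-08-01T09:14:00,dr_adams,Adams,P100,Baker,view
2017-08-01T09:20:00,nurse_cole,Cole,P100,Baker,view
2017-08-01T22:47:00,clerk_baker,Baker,P100,Baker,view
2017-08-02T10:05:00,dr_adams,Adams,P200,Stone,view
2017-08-02T10:30:00,clerk_diaz,Diaz,P200,Stone,export
2017-08-02T11:00:00,nurse_cole,Cole,P300,Evans,view
"""

# Hypothetical reference data: who is assigned to each patient, and which
# records the organization has marked for closer review.
CARE_TEAM = {
    "P100": {"dr_adams", "nurse_cole"},
    "P200": {"dr_adams"},
    "P300": {"nurse_cole"},
}
VIP_PATIENTS = {"P200"}


def review_access(log_text, care_team, vip_patients):
    """Return log entries that a privacy officer should look at by hand."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user, pid = row["user"], row["patient_id"]
        if user in care_team.get(pid, set()):
            continue  # documented treatment relationship, nothing to flag
        reasons = ["no treatment relationship on file"]
        if pid in vip_patients:
            reasons.append("VIP record")
        # A shared surname hints at the personal-relationship "small" breach.
        if row["user_surname"].lower() == row["patient_surname"].lower():
            reasons.append("same surname as patient")
        findings.append({"timestamp": row["timestamp"], "user": user,
                         "patient_id": pid, "action": row["action"],
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_access(ACCESS_LOG, CARE_TEAM, VIP_PATIENTS):
        print(f["timestamp"], f["user"], f["patient_id"], "; ".join(f["reasons"]))
```

A flagged entry is a prompt for human review, not proof of wrongdoing: covering staff and billing work legitimately touch records outside the assigned care team.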

Hacking, the other major reason for an increased number of data breaches, is harder to address. Suffering a hacking attack is largely beyond a single organization’s control. It is a sad but true reality that hackers and other outsiders with bad intent are likely more sophisticated technologically. While the disparity may exist, organizations should not resign themselves to being hacked. Intrusion can be made more difficult by implementing countermeasures, regularly updating and being proactive. Further, no organization should be deluded that it is too small to be attacked. Practices of all sizes, from single practitioners to multi-state systems, have been attacked and will continue to be attacked.

Despite the increasing frequency of attacks and reports, it is a time for optimism. Why is optimism justified? Because data breaches (though usually just hacking or ransomware) garner major news headlines and are a topic of frequent discussion. Additionally, more sources are quantifying, examining and breaking down the breaches. As such, the explosion of healthcare data is not just the medical information, but how that information is being used and how it is vulnerable. As more analyses are conducted and distributed, all will benefit. A data breach is not suffered by an organization alone and quietly, but, for better or worse, out in the open. The ability to collectively learn from each incident is one of the reasons for optimism about the future. The first step to doing something is to be aware.

What will happen in the future? No answer can be known today. However, my honest feeling is that healthcare as an industry and organizations as individuals do care about protecting healthcare information. No one is satisfied with a reality where more than one breach per day is occurring. Such consistent failings of trust are not acceptable, especially when that reality can be influenced through easily controlled actions. It is easy to complain and highlight the issues without applauding the everyday work that is improving the situation. It is important not to forget the progress that has been made and the efforts that are ongoing. It is impossible to expect that all breaches will be stopped, but we should at least bring the number down and that groundwork exists.

Posted in Healthcare, HIPAA, Physicians, Regulations

HIPAA: Healthcare’s Favorite Scapegoat

Stop if you’ve heard either of these or some other variation before: “I can’t tell you anything about that patient because of HIPAA” or “I can’t give you a copy of your medical records because of HIPAA” or “HIPAA doesn’t let me say anything.” Throwing up HIPAA as an excuse to prevent the free and usually justified flow of medical information is all too commonplace in healthcare. These issues have been front of mind because of a recent back and forth on Twitter that included a combination of providers, lawyers, patients and other individuals. The common thread throughout the discussion was that HIPAA is used as a barrier with an alarming degree of frequency.

The means by which HIPAA is raised as a barrier may vary, but the underlying premise is always the same: a requested action cannot occur because HIPAA privacy and/or security requirements allegedly prohibit the desired action. A fundamental question is why HIPAA is so frequently used as an excuse. Is misunderstanding or a lack of understanding of HIPAA so widespread? Is the use of HIPAA as an excuse a sign of laziness or not caring about individual rights? Does too much fear exist surrounding the fallout from a potential violation? The exact question and answer will likely never be known (since it is unlikely that anyone will admit the true reasons), but it is also unnecessary to know the question and/or answer.

The mere fact that the issue exists should be the impetus to drive for change. HIPAA, when properly understood, facilitates many of the outcomes that it is used to prevent. HIPAA does contain a myriad of privacy and security requirements, but those requirements enable common sense usage and are not intended to prevent the delivery or coordination of care as is so often asserted.

One step in removing HIPAA as an excuse is for the impacted parties to be fully aware of what HIPAA does and what it allows. Arming oneself with a working knowledge of HIPAA promotes the ability to call out a party or individual when that party tries to use HIPAA in the wrong way. Such knowledge is both a means of self-help and a way of promoting awareness. If the erring party is not taking appropriate steps to become educated or misinterprets a requirement, then the correct information can be presented to them. The fact that conversations identifying and diving into these issues are occurring on social media and elsewhere is a positive sign.

It is acknowledged that shining a bright light on the misconceptions surrounding HIPAA is not a cure-all approach. In fact, even when presented with the right and required path to take, resistance can be expected.

That leads into another step, which is to continue making educational and informational materials available. If correct and accurate information about HIPAA becomes readily available and hard to miss, the opportunities to access such information and materials also increase. The more chances there are to drink from the fountain of knowledge, hopefully the more individuals will actually do so. The other old axiom, that you can lead a horse to water but you can’t force the horse to drink, also applies, but there is always the chance that optimism will prevail.

The Office for Civil Rights and Office for the National Coordinator of Health Information Technology are walking the educational walk. The past few years have seen a relative explosion in the production of resources and tools. These resources and tools attempt to remedy misconceptions and ensure a well-rounded understanding. As such, the resources consider how HIPAA applies to newer technologies or realities, while staying true to truths that have existed since HIPAA was first enacted. That fact reveals one of the issues though: the resources are not spreading new information, but speaking to certain HIPAA basics.

The frustration over non-compliance can be seen in the publicly announced enforcement actions. Many of those settlements find pervasive and fundamental non-compliance issues. However, the settlements also do not address so-called “smaller” issues such as breaches impacting fewer than 500 individuals or failures to grant access. Those problems are often addressed outside the public eye.

With all of these issues, maybe the time is ripe for a grassroots movement to dispel many of the myths surrounding HIPAA and its perceived role as a barrier in healthcare. Many platforms exist to promote such a movement, none with more potential power than social media. Social media enables the quick and widespread dissemination of information, the calling out of bad actors, and a means of pushing for a response. The question here is whether enough of a public issue exists, though that can arguably be driven by putting the issue out. Regardless, if more people create resources that can address HIPAA questions and show how it is misstated, then the excuse will hopefully become harder and harder to use.

For the time being, the scapegoat will remain. It can only be hoped that this unfortunate reality will change soon. In the meantime, continue spreading the message as to how HIPAA really operates.

Posted in Business, Compliance, Healthcare, HIPAA, Regulations