The ACR legal team tackles the latest medicolegal issues and their effects on radiology.
The ACR’s legal department receives countless calls and emails from members seeking legal guidance and advice. This month, ACR’s legal counsel weighs in on some of the most frequently asked questions about the intersection of radiology and the law.
If you’re wondering if you or your practice could be sued for content that you post on social media, the answer is yes.
As you build your social media sites, understand certain legal implications. Could a patient claim that you or a colleague negligently offered medical advice online through a social media site? That’s possible, though we have not seen any reported cases that involve radiologists’ or radiation oncologists’ interaction with patients via social media. Nonetheless, practices should develop and enforce a social media policy that clearly identifies the boundaries of posts, tweets, and other interactions in cyberspace. See an example of a well-defined policy. Learn more about charting a social media strategy at the ACR 2016 session “Tools for Radiologists and Social Media.”
The legal and reputational stakes of patient portals have increased as more radiology practices offer these tools. Many potential pitfalls center around security. You need to assess whether your portal has proper IT safeguards for protected health information (PHI) that comply with privacy and data security requirements under the Health Information Portability and Accountability Act. One helpful source is ACR’s IT Reference Guide for the Practicing Radiologist.
If patient data in your portal is compromised, that affects patients’ trust in your practice’s ability to protect their PHI. Additionally, HIPAA rules now mandate that once you discover any breach of unsecured PHI, you must report that incident to patients whose PHI may be at risk — and to the Secretary of the U.S. Department of Health and Human Services if the breach affects 500 or more patients. Therefore, your practice or department should engage a qualified IT vendor to perform an assessment of your PACS and other information systems that contain patient data. For specific advice on HIPAA compliance, consult a local attorney in your jurisdiction. (The ACR offers a state-by-state list of health-care lawyers.)
Some practices have inquired about offering an interactive communication tool to inform patients about the next steps in their care after imaging studies or procedures. This may provide a useful resource if the practice incorporates content from patient-centric sites such as RadiologyInfo.org.
However, any online interaction with a patient about her or his particular medical condition could risk establishing a physician-patient relationship, which brings with it potential liability. State licensure boards and courts might regard you to be practicing medicine and serving as a physician of record (meaning your name is on a communication with the patient). That matters because the patient may sue you and claim she or he had a poor outcome based upon statements you made virtually. Therefore, consult with your legal counsel and liability carrier about the benefits and risks of any interactive platform. We will explore these dynamic issues further in an upcoming column.
Employers must act prudently when evaluating potential employees and interacting with current team members based on information found on social media.
In 2015, Virginia, Connecticut, Montana, and Tennessee joined many other states in limiting what an employer may learn about someone through social media. You can find a list of the laws. Laws may prohibit public and private employers from compelling employees and job applicants to disclose their social media account login information or add an employee, supervisor, or administrator to the employee’s or applicant’s social media account as a contact.
Your practice also may not act against or threaten to fire or discipline current employees — or fail to hire prospective employees — for exercising their rights under these laws. However, your group may view information about an individual that is publicly available on his or her social media account.
Under federal law, you also must be careful when taking any adverse employment action against employees for their social media activities. The National Labor Relations Board (NLRB) has concluded that policies that prevent employees from discussing the terms and conditions of their employment, including posting comments that criticize management and posting some types of confidential information on social media sites, may violate employees’ rights under labor laws.
The answer is yes. The federal agency that enforces the HIPAA privacy rules has stated that “covered entities,” such as radiology groups, may use and disclose PHI, including a patient’s entire medical record, for training programs.
ACR members should apply the HIPAA concept of “minimum necessary” if they circulate images that contain PHI. This means that they should use an image with PHI only in a manner that is reasonably necessary to enhance interpretive skills. Consequently, members should remove a patient’s name and medical record number.
However, the safer approach is to de-identify a set of images completely so that no trace of PHI remains. ACR members then may use and share images with colleagues for grand rounds, tumor boards, and other educational venues. Additionally, members may tag a de-identified image with information such as diagnosis and brief clinical history and upload it onto a secure online storage site, such as DropBox, to retrieve later for teaching purposes. If they do so, members should inform hospital management before posting images to avoid any surprises should a risk management official inquire about this use.
Recent corporate moves in health care raise the troubling issue of whether certain companies might try to match up de-identified data files with the corresponding patients using new super-computers such as IBM’s Watson Health. Private companies see huge financial and clinical opportunities in this arena, including potential for personalized medicine. Would efforts to match records with patients violate any federal or state privacy law? The short answer is maybe.
When patients visit a radiology practice to obtain imaging care, practices tend to include in their privacy notices a statement that the patient’s images may be used for generalized educational or quality purposes. As we have indicated, that represents a “health care operations” activity that HIPAA authorizes physicians to undertake without needing to obtain separate patient authorization. Actually, if patients sign the privacy notice, they effectively consent to the practice using their images.
Patients may argue, however, that they did not intend for an outside entity to mine their images and attempt to link them to reports to learn patients’ specific medical conditions. This is a grey area under HIPAA and likely under state privacy and confidentiality laws. However, technological advances will challenge you and your practice to take a hard look at your policies for communicating with patients and handling their PHI.
By Bill Shields, JD, LLM, CAE. and Tom Hoffman, JD, CAE