From the Contributor’s Corner: Hospital Policies on Social Medial Use by Employees

Health Wolters Kluwer Law & Business will periodically feature posts from outside contributors who are members of our Advisory Board. Today’s post comes from Kristine Chung Salcedo.

Many companies have enacted social media policies that govern employees’ online behavior on websites such as Facebook, Twitter, and Blogger. Some of these policies impose disciplinary action against employees who criticize their employers. For example, an employee who complains about his manager on Facebook may receive a verbal reprimand. However, a broad rule prohibiting employees from disparaging their employers could violate the National Labor Relations Act (NLRA), according to two National Labor Relations Board (NLRB) decisions issued in September 2012 (Costco Wholesale Corp., 358 NLRB No. 106 (Sept. 7, 2012); Knauz BMW, 358 NLRB No. 164 (Sept. 28, 2012)).

Section 7 of the NLRA protects an employee’s right to engage in “concerted activities” for the purpose of “collective bargaining, or for other mutual aid or protection.” Section 8 prohibits an employer from interfering with or restraining employees who are exercising their Section 7 rights.

According to the NLRB, employees’ statements criticizing their employers or their work conditions would be protected under Section 7 of the NLRA. Therefore, a hospital policy broadly prohibiting employees from criticizing the hospital or otherwise damaging the hospital’s reputation would violate Section 8 of the NLRA. A single blog post or tweet may be protected even if no other employee responds or joins the discussion. Further, even hospitals without unions must ensure that their policies comply with the NLRA. Hospitals should therefore seek the advice of legal counsel, and reexamine their employee handbooks and social media policies in light of the recent developments.

Kristine Chung Salcedo, Esq., is a compliance analyst at the corporate headquarters of Cancer Treatment Centers of America, where she focuses on physician and hospital compliance, HIPAA, health reform, and billing compliance. Prior to her current position, Kristine worked as a writer analyst in the Health Law department of Wolters Kluwer. There, she researched and developed content for a number of health care compliance publications and applications. Kristine is a member of the American Health Lawyers Association and the Health Care Compliance Association. She obtained her undergraduate degree from Barnard College, Columbia University, and her law degree from the University of Wisconsin Law School.

OCR Issues Advance Release of HIPAA Privacy and Security Rules

The HHS Office of Civil Rights (OCR) has issued an advance release of a final rule that amends the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) Privacy, Security, and Enforcement Rules as mandated by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA) (P.L. 111-5), and sec.105 of Title I of the Genetic Information Nondiscrimination Act of 2008 (GINA) (P.L. 110-233). According to HHS, this final rule is needed to strengthen the privacy and security protections established under HIPAA for individuals’ health information maintained in electronic health records (EHR) and other formats. The final rule, which becomes effective March 26, 2013, (1) strengthens the privacy and security protection for individuals’ health information, (2) modifies the Breach Notification Rule of the HITECH Act to address public comment received on the interim final rule, (3) modifies the HIPAA Privacy Rule to strengthen the privacy protections for genetic information by implementing the GINA provisions, and (4) modifies other HIPAA Privacy, Security, Breach Notification, and Enforcement Rules to improve their workability and effectiveness and increase flexibility for, and decrease the burden on the regulated entities.

HHS’ Announcement

In its news release announcing the final rule, HHS said that the HIPAA Privacy and Security Rules have focused on health care providers, health plans and other entities that process health insurance claims. Explaining that some of the largest breaches reported to HHS have involved business associates of covered entities, HHS noted that this final rule expands many of the HIPAA privacy and security requirements to include business associates that receive protected health information (PHI) (see below). HHS also said that individual rights are expanded in important ways, as described below.

Modifications to the HIPAA Privacy and Security Rules

Under the final rule, business associates of covered entities will be directly liable for compliance with certain HIPAA Privacy and Security Rules requirements. The final rule modifies a number of definitions to address the HITECH Act provisions, including the definition of business associates. The following additional entities will be considered “business associates:” Patient Safety Organizations, Health Information Organizations, E-prescribing Gateways, other persons that provide data transmission services with respect to protected health information (PHI) to a covered entity and require routine access to PHI, and persons who offer a personal health record to one or more individuals on behalf of a covered entity. The definition of business associate also will include a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.

In addition, the final rule will strengthen the limitations on the use and disclosure of PHI for marketing and fundraising purposes, and prohibit the sale of PHI without individual authorization. The final rule will further expand individuals’ rights to receive electronic copies of their health information and restrict disclosures to a health plan concerning treatment for which the individual has paid out-of-pocket in full. The final rule also (1) requires modifications to, and redistribution of, a covered entity’s notice of privacy practices; (2) modifies individuals’ authorization and other requirements to facilitate research and disclosure of child immunization proof to schools; and (3) enables access to decedent information by family members or others who were involved in the care or payment for care prior to the decedent’s death and historians without the need to find a personal representative of the deceased individual to authorize the disclosure.

Amendments to the Enforcement Rule

The HIPAA Enforcement Rule establishes rules governing the compliance responsibilities of covered entities with respect to the enforcement process, including the rules governing investigations by HHS, the process and grounds for establishing the amount of a civil money penalty when a violation of a HIPAA Rule has been found, and the procedures for hearings and appeals when the covered entity challenges a violation determination. OCR has amended the regulations by adopting the HIPAA Enforcement Rule provisions of the HITECH Act that were not adopted in the October 30, 2009 (74 FR 56123), interim final rule, such as addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.

Prior to this final rule, the regulations mandated that the Secretary attempt to resolve indicated violations of the HIPAA Rules by informal means; however, the final rule now provides the Secretary with the discretion to resolve violations due to willful neglect to reflect the HITECH Act provisions.

In addition, the final rule incorporates the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on October 30, 2009. Penalties are increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation. The changes also strengthen the HITECH Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS. In addition, the HITECH Act’s breach notification rule’s “harm” threshold will be replaced with a more objective standard, supplanting the interim final rule published on August 25, 2009 (74 FR 42962).

Amendments Mandated By GINA

The final rule will amend the HIPAA Privacy Rule to clarify that genetic information is health information. In addition, the final rule will prohibit group health plans, health insurance issuers (including HMOs), and Medicare supplemental policy issuers that are considered covered entities under the HIPAA Privacy Rules (with the exception of long term care plans) from using or disclosing genetic information for underwriting purposes (see Interim final rule published October 7, 2009 (74 FR 51664)).

Compliance Date

Covered entities and business associates of all sizes will have 180 days beyond the March 26th effective date (September 13, 2013) to comply with most of the new requirements or modifications to the HIPAA Rules, including the modifications to the Breach Notification Rule and the changes to the HIPAA Privacy Rule under GINA. OCR noted that going forward, covered entities and business entities would be required to comply with any modifications to the HIPAA rules within 180 days unless otherwise specifically stated. In addition, covered entities and business associates must continue to comply with the rules as they existed under the interim final rule until the effective date or compliance requirements of this final rule.

To Combat Obesity, America Declares War On Soda

It’s no secret that America is obese.  According to the Centers for Disease Control, 35.7% of adults and 17% of children in this country fall into that category.  As a nation, we are struggling to come to terms with the problem.  At one end of the spectrum, clothing manufacturers are trying to make us feel good about ourselves by vanity sizing our clothes to make us believe that we really are a size 4.  At the other end, government bodies are imposing rules limiting what the food industry can allow us to put in our bodies.  The latest target in that vein?  Sugary drinks.

Link to Obesity

According to ABC, the average American drinks about 45 gallons’ worth of soft drinks each year.  An eight-ounce can of soda contains the equivalent of six sugar cubes,  but McDonald’s, for example, sells soda in 16, 21, and 32 ounce sizes.  Various studies have linked sugar in soda and fruit drinks to obesity, demonstrating that children who drink sugary drinks are more likely to gain weight than children who drink non-sugary drinks, and that consumption of sugary beverages may actually increase a person’s genetic predisposition to gain weight. So just switch to diet beverages, right?

Not so fast. Other studies have suggested that drinking diet beverages may cause people to crave more sweet items, contributing to weight gain; on the flip side, it’s possible that people with weight problems are choosing to drink diet beverages, a phenomenon one researcher refers to as the “Big Mac and Diet Coke mentality.”  In fact, other studies have demonstrated that drinking diet beverages staves off weight gain.  But they don’t take into consideration the recent study reported by the National Institutes of Health linking diet drinks to depression.  In that study, participants who drank four or more cans of aspartame-sweetened beverages a day were 31 percent more likely to report depression in the future than those who did not drink sweet beverages; those who drank sugar-sweetened beverages were still 22 percent more likely than those who did not to report depression.  The study has not yet been peer-reviewed, but it serves to demonstrate the growing interest in the health risks of sweet-flavored drinks.

NYC’s Beverage Ban

So what’s a nation to do?  The most publicized and controversial tactic is probably New York City’s beverage ban, a city ordinance that will prohibit the sale of sugary beverages larger than 16 ounces in restaurants, street carts, entertainment venues, and sports venues.  Mayor Michael Bloomberg, an advocate of healthy living, is a huge proponent of the law, which he believes will improve the lives of the 58% of New Yorkers who are obese.  Not everyone is happy with the ordinance, however, which will go into effect on March 12th.  Many deplore the creation of a “nanny state,” in which the government regulates our daily activities, but Bloomberg’s team points out that measures requiring restaurants to post calories counts on their menus and eliminating trans fats have been successful.

The American Beverage Association is leading the fight to upend the law.  In September, numerous industry representatives, restaurants, and other businesses filed suit, alleging that the New York City Board of Health did not have the authority to pass the law.  The case is still ongoing.  The city has stated that it will not initially fine businesses that do not comply with the law.  Instead, it will send warning notices for a period of three months, after which it will impose penalties.

Signs of the Times

The New York City ban is just part of the bigger picture.  The News Releases & Statements portion of the American Beverage Association’s website is filled with articles detailing the “industry response” to various studies attacking the detrimental health effects of sugary beverages.  A true sign of the times is the national involvement of an iconic American corporation.  Coca-Cola, as American as apple pie, is on the defensive–or the offensive, depending on how you look at it.  Coke is launching an ad campaign touting its 180 “low- and no-calorie choices,” and encouraging consumers to get active to burn off calories after enjoying regular Coke.

Where does that leave us?  No rational person can doubt that an obesity problem exists.  No one doubts that sedentary lifestyles and overeating are contributing to the epidemic.  But no one can agree on what to do about it.  Is it the government’s place to step in and regulate our food intake, especially if we’re not willing to do it ourselves?  What do you think?