Ask The Lawyer
By Karen McKeithen Schaede
Have a question about the law?
Send your questions to: KSchaede@ConnorsMorgan.com
Q: I have been told that new guidelines have been issued about patient records. What are those new guidelines?
A: The Office of the National Coordinator for Health Information Technology (ONC) recently issued a report stating that consumers are generally unfamiliar with their rights regarding access to medical records. Staffs of providers also do not always understand what HIPAA does and doesn’t mandate. Often patients and health care providers’ staffs are at odds, and each is trying to struggle through the system.
To improve and promote patient access to their health records, ONC proposed the following:
• Ensure the process for requests is simple and user-friendly.
• Set up an electronic records request system outside of the patient portal.
• If possible, use some e-verification to quickly confirm the requestor’s identity.
• Make sure patients understand they may request their records in different formats.
• In the end, both groups have the same goal – and communication is key.
Q: Is estate planning only for senior citizens and
those who have a lot of money?
A: It’s a common misconception that estate planning is only
for the old or wealthy. Estate planning is a shorthand term for
planning for adult life. As soon as people become an adult at
age 18, they will benefit from estate planning.
Every young adult should have a comprehensive Health
Care Power of Attorney and Health Care Directive, both of
which will designate another to act as:
• a personal representative to make healthcare decisions.
• articulate wishes and directions in the event of
• allow HIPAA to release medical records.
Many young adults should also have a General Durable
Power of Attorney. This document will designate another to
act for the young adult in legal and financial matters. The
General Durable Power of Attorney is essential only when a
young adult owns property in his or her individual name.
These two estate planning tools will not only help protect
a young adult
Q: What are my rights as an employer when I fire
an employee and deal with his/her final pay?
A: When an employee is fired or unexpectedly quits, many
managers and owners let their emotions get the best of them.
They take their frustrations out on the employee who was
fired/quit by deducting as much as they can from his/her final
paycheck. Handling a situation in this manner can be very
risky. The following information should be kept in mind in
such cases to prevent any unnecessary damage to either party.
First, former employees are alumni of your organization
and could potentially do damage to your brand by telling
others how they were treated while working for you. In
the long run, it is better to let the little things go to help
mitigate any hard feelings.
Second, make sure you are on solid footing when making
the deductions: Check your state laws before holding
their final check; have a signed document on file allowing
the deductions. Check your state laws to see who benefits
from the deductions; do not deduct to the point where the
employee’s final pay is below minimum wage for actual time
worked. Check state laws for deducting vacation or PTO.
And, finally, be reasonable.
Q: Can you tell me some things to avoid when
firing an employee?
A: You can fire anyone at any time for any reason or no
reason. This is what employment-at-will is all about. Most
employers, however, try to take the easiest course. And
usually, that is no action – avoidance. They hope things will
improve. If things do not improve, here are five things to
keep in mind.
1) Do not react – plan. Avoid reacting on an emotional
basis. Instead, look at documentation and plan.
2) Avoidance is failing to do what you know you should
do. If the employee is hurting morale and making life
miserable for everyone, it is time for that employee to go.
3) Have witnesses. Make sure someone else is present for all
interactions with an employee when you are considering
disciplinary action. You want to avoid the “he said-she
4) Look at outplacement. Most employers do not want to
pay the money required for outplacement. But the quicker
that bad employee gets a job, the better the legal outlook
is for you.
5) Being proactive is important for your bottom line.
Keep in mind that legal expenses to defend a wrongful
termination claim can cost a great deal of money.
Q: We have an employee who is requesting leave
as an accommodation for a disability. Do I have to
grant this leave?
A: The purpose of the ADA’s reasonable accommodation
rule is to require employers to change the way things are
done so employees with disability can work. Leave, as a
reasonable accommodation, is consistent with this purpose.
The assumption is that the employee would return to work
following the leave period.
An employer must consider providing unpaid leave to an
employee with a disability as a reasonable accommodation
if the employee requires it, as long as it does not create an
undue hardship. This leave does not have to be paid.
What is an undue hardship under ADA?
It is a “significant difficulty or expense incurred by a covered
The government would look at the:
• cost of the accommodation;
• the overall resources of the entity;
• the effect of expenses and resources;
• size of the business;
• type of operation;
• the impact of the accommodation on the ability of other
employees to perform their duties.
Therefore, employers should look at each request on a
case-by-case basis when making a decision on whether to
accommodate an employee.
Q: What is Ransomware and should I be afraid
A: Ransomware is a type of malware used by cybercriminals
to encrypt the data of an organization – such as a medical
or dental office – making the data inaccessible to the
organization. The cybercriminals then demand payment
from the organization to unencrypt the data and release the
Ransomware attacks have quadrupled this year, averaging
4,000 per day, according to the U.S. Justice Department.
HHS has put out a “fact sheet” on “Ransomware and
HIPAA” which treats ransomware as a notice-triggering data
breach by default, unless it is determined via a breach risk
assessment not to constitute or involve such a breach.
Key protections to avoid these attacks include safe,
segregated and reliable backups, as well as patching,
monitoring and training to avoid phishing. If your system is
attacked with Ransomware, contact your IT vendor or inhouse
Make sure you also contact your HIPAA Privacy and
Security officer to evaluate how this situation should be
classified. The issues here are more about the control of
systems than about breaches of personal information. As
always, review your policies and procedures – and update
and educate your workforce as needed.
Q: Do I have to provide a translator for patients?
A: On May 13, 2015, the Office for Civil
Rights (OCR) issued a final rule implementing Section 1557
of the Affordable Care Act (ACA). That section prohibits
discrimination by any health program receiving federal
assistance (“Covered Entities”). This includes those practices
receiving funds from Medicare or Medicaid.
Practices are required to provide access to individuals with
limited English proficiency. This requires practices to post
a nondiscrimination notice to alert individuals to language
assistance services at the practice for free. They must post
notices in at least the top 15 non-English languages spoken in
the state where the practice is located.
The practice must publish the notice in:
(i) significant publications and communications;
(ii) physical locations where the practice interacts with the
(iii) on the practice’s website.
The OCR has released a list of the top 15 languages
spoken in each of the 50 states. A Covered Entity may use
this list when determining the 15 languages required for the
The OCR also provides Covered Entities with
the translated sample nondiscrimination notice and
The deadline to post these notices was October 16, 2016.
Make sure your practice is complying.
Q: We still have not updated our Social Media
Policy. What should we have in the policy?
A: There is a great deal of discussion about social media and
what should and should not be in a policy. The policy should
be a set of guidelines that allow your employees to make good
decisions about how to market your practice.
Look at the categories of confidential information
that employees have access to and could possibly share
inadvertently. Here are some questions to consider:
1- Do you write text?
2- Do you usually post photographs?
3- Do individuals post from personal social media accounts or
from employer-created accounts?
4- What social media accounts do you actually use?
Facebook, LinkedIn, Twitter?
Your social media policy should be easy to read and
understand. The intent should be to make sure employees
know what they can and cannot post. Use phrases everyone
can understand, not language from a statute. The policy
should match your practice values and culture.
Once you develop the policy, make sure all your work force
1- Do a lunch and learn.
2- Have a staff meeting explaining the policy.
3- Monitor the policy and revisit if compliance is poor.
Social media changes constantly so make sure you take a
look often and update as needed.
Q: My doctors like to text protected health
information (PHI) to other nurses and providers
and sometimes with patients. Is this an issue?
A: Yes. Texting is usually an unencrypted form of
communication and can be stopped at any time during
transmission. Text usually find its way to multiple servers and
can be intercepted anywhere along the way. The message may
be saved on servers until it is purged by the server company
Text messages also reside on most devices indefinitely and
when they are backed up. If you would like to see how text
travels, go to http://gizmodo.com/5947906/this-is-how-yourmobile-
So what is the answer? There are several secure text
messaging programs that can be used to secure any PHI.
These typically use servers with secured data centers,
containing safeguards to prevent hacking. Make sure the
software is HIPAA-compliant and affordable for your
These articles are for informational purposes only and not for the purpose of
providing legal advice. You should contact your attorney to obtain advice
with respect to any particular issue or problem. The information contained in
this article does not create an attorney-client relationship between Connors
Morgan PLLC and the reader.