HIPAA AND SOCIAL MEDIA “TIPS TO AVOID HIPAA VIOLATIONS ”
A SINGLE TYPO RUINED A CAREER Think of ex-congressman Anthony Weiner’s blunder on Twitter. He apparently confused a DM (direct message) with a public Twitter post. Had he addressed the intended recipient with the letter D preceding the user name, only that recipient would have had access to the tweet. Instead, the @ symbol followed by the user name directed the post at a specific user but left it visible to anyone on the service. This one-letter typo ruined his career and reputation and harmed his marriage. Social media is fraught with danger!
Understand the terminology Social Media: an umbrella term that encompasses several different types of technology. These technologies provide a combination of media storage, display and communication applications. Each one allows a single person to communicate with a broadly identified group. Different technologies pose different risks and must be addressed thoughtfully. Policies and education should be focused on the communication made, not the brand name.
Facebook Ubiquitous photo, messaging and mail service. Technology similar to MySpace, LinkedIn, Salesforce Chatter, etc. 1.11 billion users as of May 1, 2013. Personal information; connections by consent; updates pushed to “friends”; messages (mail, chat, the “Wall”); “tagging” of photos and locations in other friends’ photos; additional applications and add-ons (games, surveys, groups, like, dislike).
Facebook (cont.) Users have a wide variety of privacy functions and can maintain a high level of privacy. Newer or more naïve users may not be aware of the privacy functions or the risks. Privacy functions are constantly in flux. User information is stored and controlled centrally. You choose to share registration information and other information. Your date of birth allows Facebook to show you age-appropriate content and advertisements. User controls cannot override corporate decisions: posted information is “out there” forever. Posted information can be stored or saved by other users, especially pictures. Both Facebook and third-party application providers collect personal information to share with advertisers and other third parties.
Facebook (cont.) Facebook’s response to questions regarding control of information: When a person shares information on Facebook, they first need to grant a license to use that information so Facebook can show it to the other people they’ve asked us to share it with. Without the license, Facebook couldn’t help people share the information. When information is shared with a friend, two copies of that information are created: one in the sender’s sent box and the other in the friend’s inbox. Even if the account is deactivated, the friend still has a copy of that message. Terms have been changed to clarify, but not change, these issues. Sharing information and retaining control of it so that sharing can be turned off are at odds with each other. No system can enable sharing and simultaneously allow control over which services it is shared with.
Public Information Any content that is available to a public audience is considered public information. This includes: your name, profile picture and cover photo; gender; your networks (school or workplace); your username and user ID, which are in the link (URL) to your timeline.
Twitter Short bursts of text, links or pictures sent to thousands, if not millions, of “followers.” As of May 7, 2013: 500 million users on Twitter, 135,000 new users/day and 58 million tweets/day. Messages (“Tweets”) are limited to 140 characters. Tweets are sent through the internet, but may originate from cell phones or text messaging services. Applications add the ability to share links, re-post others’ Tweets and share photos. Data is centrally stored and is not user controlled. Private messages may be sent, but the default is public.
Twitter (cont.) Information sent is forever “out there” and cannot be recalled. Shared photos may be used or sold to another entity (TwitPic). Accounts may be faked or hacked, and Twitter shares user information with third parties. The FTC brought an action to force Twitter to improve its security; it was settled in 2010. The FTC now has a security form for users to complete if they believe there has been a breach. Twitter also has volunteer security researchers who look for security issues.
Case Of Dr. Flea Dr. “Flea” is a pediatrician from the Boston area who began blogging under the name “Flea” about his experiences as a medical malpractice defendant. The plaintiff’s attorney found out, and he was exposed on the witness stand. The case settled as a result. The Boston Globe ran a front-page news report about the pediatrician’s blogging and all the comments he had made on the blog. His advice about medical blogging: “Every time you post, recite the following like a mantra: I AM CUTTING ROPE WITH WHICH TO HANG MYSELF.”
Instant Messaging Permits two users to communicate in real time via short typed messages, aka “chatting,” over the Internet. Hosted internally or externally; security levels can vary widely. Chat transcripts may be stored. Frequently available at no charge on smart phones and similar web-enabled devices.
Text Messaging Also known as “texting” or Short Message Service (SMS). The act of typing and sending a short message between two or more mobile phones over a phone network. Inherently insecure: texts are generally stored on a central server of the cellular provider (or more than one provider) as well as on both the sending and receiving devices.
Social Media Summary Social platforms were created to help people connect with one another, broadcast their ideas, and create stores of personal information online. Services like Facebook, Twitter, YouTube were built for sharing public information, not for confidential information.
TIP 1 – KEEP YOUR PERSONAL AND PROFESSIONAL LIFE SEPARATE Especially when it comes to the Internet. Set up separate accounts for communicating with friends and family. Use different passwords for each account so that a compromise of one does not expose the other.
TIP 2 – Understand The Technology Understand the platform you are using and how it works (i.e., who may actually see or receive any message you post). Periodically check your privacy settings, preferably once a week, as they can change.
TIP 3 – Don’t Talk About Patients Never refer to a patient by name or provide information that could identify the patient. Even if the patient’s name is not mentioned, providing enough detail for a third party to identify the patient is a HIPAA breach. When referencing particular cases, conditions and treatments, be as general as possible. Do not describe specific demographics or populations that can be identified. For example, don’t reference an outbreak of head lice in the 5th grade class of a small parochial school just outside of Denver; say “grade school children, age 10-11, outside a major city….”
TIP 4 – Never Friend Patients on Facebook In a JAMA study on the intersection of Facebook and medicine, Dr. Katherine Chretien states that having a dual relationship with a patient that is financial, social or personal can lead to serious ethical issues that can impair professional judgment. Revealing the mere existence of a patient-physician relationship (e.g., letting others suspect that a Facebook friend is a patient) could be a violation of HIPAA. In addition to being an ethical breach, violations of HIPAA can result in fines up to $250,000 and/or imprisonment.
TIP 5 – Online Posts Never post anything you would be uncomfortable reading reprinted in the newspaper. This is a helpful test to apply before you hit the send button. Take time for thought before posting a blog entry or sending a tweet. After completing your thoughts or responses, save them as a draft and read them again later before posting. E-mails and tweets are often immediate responses that lack thought and reflection. REMEMBER: once you hit the send button, it is a permanent record that cannot be retracted.
TIP 6 – Be Careful Texting Other Healthcare Providers Physicians who text other doctors could be exposing themselves to HIPAA privacy and security violations if their devices are not encrypted for all incoming and outgoing messages and photos. DocbookMD is a secure mobile communication app for smartphones and tablet devices, designed for physicians. The Arkansas Medical Society offers the app; you may go to this website to download it: http://www.arkmed.org/resources/docbookmd/ You have to sign a HIPAA Business Associate Agreement before activation. There is remote disabling if the device is lost or stolen. All messages are saved for 10 years per HITECH recommendations.
Guidelines For Use of Mobile Devices When texting, know the recipient: inadvertently sending a text containing PHI to the wrong person could be a HIPAA violation. Text or e-mail in private so the message cannot be seen by others. Another encryption option is “TigerText” at http://www.tigertext.com/ Activate a password on all mobile devices and tablets. Set a limit on the number of failed login attempts before the device locks. Enable remote wiping of the device in the event it is lost or stolen. Require a password for access to confidential files and apps.
Tip 7 – Know Your Workforce The technology is here to stay. Your workforce uses it on your computer system, on smart phones and away from work. Social media can create branding, serve as a communication tool, create a sense of community, generate good public relations, serve as a fundraising tool and establish the organization as an expert or leader. Your workforce consists of your employees, volunteers, trainees and other persons whose conduct, in the performance of work for a Covered Entity, is under the direct control of that entity, whether or not they are paid by the Covered Entity. You are responsible for your workforce under HIPAA. Even on social media!
Workforce You are NOT responsible for patients, family members, visitors or others under HIPAA. But... if you invite them to post, then you may be liable. Make sure your workforce knows and understands: the organization’s philosophy; the policies and procedures under HIPAA (and that they have had HIPAA training); where to go with an issue; that they must sign confidentiality agreements; that they must not use your computers for social media; that they must not use their smart phones and other personal devices as part of the job; and the restrictions on photography and cell phones.
What Happens If a Social Media HIPAA Violation Occurs? You must notify the individual(s) involved. You may need to notify HHS of the breach. The challenge is mitigating the effect of the disclosure. The answer depends on the social media involved, but every effort must be made to mitigate the harm and to document those efforts. Request that the workforce member remove the posting. The reality is that once something is posted, it may never go away.
Mitigation Determine whether the PHI has been forwarded, copied, e-mailed or stored online. The Terms and Conditions of most social networking sites grant the site broad rights to posted data. Facebook: “when you publish content or information using the Public setting, it means that you are allowing everyone, including people off of Facebook, to access and use that information, and to associate it with you.” Contact the social media site, cite HIPAA and request assistance in removing the material. Make whatever efforts are possible to trace and remove secondary postings. Use the posting as a teaching opportunity to prevent further violations. Follow the HIPAA Breach Notification Rule (you may consult AMIC’s HIPAA Survival Guide for further information).
Case of Photograph A patient was transferred to a trauma center with a horrific wound due to an MVA (motor vehicle accident). Multiple healthcare providers took pictures on their cell phones, and the picture was posted on the internet. The investigation could not determine who had posted it. It was also found on employees’ home computers. The hospital hired a patent attorney to patent the picture. The picture showed the hospital’s logo on the scrubs of someone standing next to the patient. The patient’s face was not shown. No direct patient identification was evident except for the unusual circumstances surrounding the accident.
Case of Photograph (cont’d) The picture went viral. Because of the uniqueness of the photo, the patient’s brother saw the picture on the internet and was able to identify the patient as his brother, as well as which hospital his brother was in at the time the picture was taken. Multiple websites were contacted and the picture was removed. The picture nonetheless remains on a website many years later despite all attempts to remove it. The hospital settled with the family for emotional distress. The incident was reported to HHS as a HIPAA violation.
Other Tips To Avoid PHI Disclosure Access and disclose only the PHI that you need for your particular purpose (minimum necessary). Dispose of PHI in a secure manner that protects its privacy and security (“cradle to grave”). Be aware of your surroundings when discussing or reviewing PHI. Keep documents and records containing PHI secure if you take them with you. Analyze risks to the confidentiality of PHI (e.g., unprotected files, faxing procedures involving PHI, removal of PHI from the office, etc.).
Other Tips To Avoid PHI Disclosure Implement reasonable safeguards that address risks, including the following: Speak quietly when discussing a patient’s condition in nurses’ areas, hallways, elevators, stairwells or other public areas. Avoid using a patient’s name in public places; remember the sensitivity of “celebrity” patients. Remember: PHI includes oral communications. Isolate or lock file cabinets or rooms containing patient records; limit non-employee access to those areas where PHI is kept. Limit the amount of information left for a patient on an answering machine. Limit the amount of information requested on patient sign-in sheets; once these are collected, you must protect them as PHI.
Other Tips To Avoid PHI Disclosure Ensure that information in the chart, on prescriptions, etc. is for the correct patient; immediately notify someone if information is discovered to belong to another patient. Limit access to PHI to those employees with a “need to know.” Destroy PHI in a secure fashion (e.g., shredding), not in trash cans. Include a cover sheet warning that the contents include confidential PHI on any fax containing PHI, and confirm the correct destination fax number before sending. Log off or otherwise lock any computer containing PHI.
Develop A Social Media Policy Why? To govern how employees use social media; to protect confidential information and prevent improper use of social media; to provide protection in litigation; to outline disciplinary procedures.
Social platforms are created to help people connect with each other, broadcast their ideas, and create stores of personal information online. Services like Facebook, Twitter and YouTube were built for sharing, not for secrets. Remember