HIPAA Compliance and Social Media Concerns September 2013 Presenter: Jennifer A. Dukarski of Butzel Long.


1 HIPAA Compliance and Social Media Concerns September 2013 Presenter: Jennifer A. Dukarski of Butzel Long


3 Professional Branding in the Digital Age Digital media creates virtually limitless opportunities to promote and protect your brand and products…

4 Professional Branding in the Digital Age… continued … while leaving an almost limitless opportunity for employees, customers and others to destroy that brand

5 Because the internet comes with a price… Online interaction differs from face-to-face communication as people are prone to behave at their worst and forget about consequences. This is the Online Disinhibition Effect!
– You don’t know me (dissociative anonymity)
– You can’t see me (invisibility)
– You won’t see me until later (asynchronicity)
– It’s all going on in my head (solipsistic introjection)
– It’s just a game (dissociative imagination)
– There’s no cops (minimizing authority)
The Online Disinhibition Effect, John Suler (2004)

6 Why Digital Media Matters: Consumers Use Social Media
– 42% use social media to access health-related reviews
– More than 80% of 18-24 year olds would share health information through social media
– Almost half (45%) of individuals from 45-64 would share health information over social media
Price Waterhouse Cooper HRI Consumer Survey, 2012

7 Why Digital Media Matters: What an Employer Does Has Consequences
We asked or encouraged an employee to use Social Media.
– Social media is becoming inseparable from some job functions.
– Some individuals are asked to “host the company account” or post for the office.
We have “deep pockets” and an offended party sues us, too.
– For example, NBA Referee Bill Spooner sued AP Reporter Jon Krawczynski and the Associated Press for comments surrounding a questionable call.


9 An Online Treasure Trove: PII and PHI
Personal Identifying Information (PII)
– Individual Social Security Numbers
– Addresses
– Credit Card Data
Personal Health Information (PHI)
– Names
– Geographical identifiers smaller than a state
– Dates related to an individual
– Phone numbers
– Fax numbers
– Email addresses
– Social Security numbers
– Medical record numbers
– Health insurance beneficiary numbers
– Account numbers
– Certificate/license numbers
– Vehicle identifiers (including license plates)
– Device identifiers
– URLs
– IP addresses
– Biometrics (finger, retinal and voice prints)
– Full face photos
– Other unique identifying number, characteristic or code

10 Leaking PII and PHI is easier than you think…
– California, April 9, 2010: Nurse photographs stabbing victim and puts his image (including his face) on Facebook
– Westerly Hospital, Rhode Island, April 21, 2011: Physician tells stories of Emergency Room experiences on Facebook, including details that may allow a third party to determine the individual involved
– Martin Memorial Center, Florida: employees were disciplined after taking and sharing photos of a shark bite victim
– Palisades General Hospital: “George Clooney is here”
– Medical Blogs: over 17% of blogs by professionals may contain sufficient information to establish the identity of a patient

11 I Lost My Data on the Internet: LabMD and the Federal Trade Commission
8/29/2013: The FTC files a complaint against LabMD for failing to protect medical and other sensitive information over a peer-to-peer network (software commonly used to share music, videos and other materials). The complaint alleged that LabMD (which performs medical testing for consumers nationwide) did not take reasonable and appropriate measures to prevent unauthorized disclosure of sensitive consumer data, including PHI.

12 THE RISKS OF BRING YOUR OWN DEVICE HIPAA Compliance and Social Media Concerns

13 What is Bring Your Own Device?
– Bring Your Own Device (BYOD) is the policy of allowing employees to bring their own mobile devices (laptops, tablets, smart phones, etc.) to the workplace
– BYOD also may include use of non-company email and document sharing (Drop Box / SharePoint)

14 BYOD – The facts and statistics
– The average U.S. employee carries 3 mobile devices
– 81% of employees use personal devices at work
– 91% of tablet users and 75% of smart phone users have disabled auto-lock security
– 93% of employees admit to violating policies designed to prevent breaches and noncompliance
– 70% of physicians and health IT specialists use personal mobile devices to access electronic health records
© 2013 Butzel Long

15 Risking it all on BYOD?
– Cell Phones: A health clinic employee set his personal phone to “auto-forward” his University messages to his Google account. The phone was not password protected. While on vacation, the cell phone went missing.
– Flash Drives: A University professor lost his personal flash drive with ID including social security numbers for over 1000 students.
– Laptops: Just like the theft of a work laptop at Massachusetts Eye and Ear Infirmary that led to a $1.5 M fine to HHS, the theft of data from a personal laptop is equally risky.
– BYO Software/File Sharing: Dropbox, for example, openly admits that it is not HIPAA compliant. The same is true of many cloud-based file sharing programs.

16 Breaches: BYOD heightens the risk
Source: Health Information Privacy/Security Alert Analysis of HHS Office for Civil Rights Data
– Paper Records accounted for 116 incidents and were involved in 5 major breaches
– Laptops accounted for 111 breaches and were involved in 15 other issues
– Portable Electronic Devices (smart phones, iPads, etc.) accounted for 69 breaches and played a role in 11 other cases
– Network Servers were the sole cause of 46 breaches and were involved in 13 other cases
– Business Associates accounted for 103 breaches, the equivalent of 1 of every 9 incidents

17 It may feel like the Wild West…
When implementing a strategy to deal with Digital Media, organizations should consider all of the legal risks involved:
Other Potential Legal Constraints
– Media, Privacy and Communications: Reputation management; Stored Communications Act
– Labor and Employment: Wage and Hour concerns; Hiring and Firing
– Intellectual Property: Patents, Trademarks and Copyright; Domain Names and Social Media Accounts
– Contractual and Ownership Rights: Ownership of social media followers, contacts, content and websites
– Endorsement and Other Regulatory Concerns

18 … But a preventative approach can mitigate the risks
Social Media Use Strategies
– Implement or Review and Audit your BYOD Policy
– Review and Revise or Adopt a Social Media Policy
– Review Your Employee Handbook
Data Security Strategies (LabMD Takeaways)
– Implement and maintain a comprehensive data security program which includes addressing Business Associate risk
– Use readily available measures to identify commonly known and reasonably foreseeable security risks and vulnerabilities
– Use adequate measures to prevent employees from accessing personal information not needed to perform their jobs
– Train employees on basic security practices
– Use readily available measures to prevent and detect unauthorized access to personal information

19 QUESTIONS ? Jennifer Dukarski Tel: 734.213.3427 Email:
