Size Doesn’t Always Matter with Social Media and PHI Breaches
What do you get when you mix an employee engaging in social media and add a dash of PHI (Protected Health Information)?
Breach time bomb?
It is well known that social media is flourishing. It is also known that employees participate in one of many social media outlets: Facebook, Snapchat, Instagram, Twitter, just to name a few. Rarely is an employee without their smartphone, making PHI disclosures effortless and quick.
How does an organization protect itself against an employee posting patients' PHI?
Implement or update a Social Media Policy;
Develop and promote “Rules of Engagement” protocol for the entire workforce;
Communicate and train each member of the workforce regarding Social Media;
Document the training that educates the company workforce; and,
Create a confidential hotline, or email address, where inappropriate actions by other workforce members can be reported.
Recently, I reported on an employee of University of Cincinnati Medical Center (UCMC) who posted on Facebook an image of a pregnant woman’s medical records. The post revealed she had maternal syphilis, prompting the patient to sue the hospital and the employee. The employee was fired after making the post. The judge ruled that UCMC was not liable for the privacy violation because the employee, who worked in the hospital’s financial services department, went outside the scope of her employment in accessing the information. Subsequently, the hospital was dropped from the lawsuit. “UCMC had a policy. It was violated,” according to Judge Luebbers of the Hamilton County Common Court who presided over the lawsuit.
UCMC had policies to prevent this type of PHI breach. The judge was provided documentation that the hospital had done its due diligence to mitigate this breach.
The Office for Civil Rights (OCR) started keeping records in 2003. Since then, it has reported that the “OCR has received over 121,576 HIPAA complaints and has initiated over 929 compliance reviews.” Of those reviews, the top two most-investigated compliance issues are:
Impermissible uses and disclosures of protected health information; and,
Lack of safeguards of protected health information.
Organizations should have current policies surrounding the use of social media and revisit the Rules of Engagement with the workforce more often than annually. The bad news is that there is not a technical solution for preventing social media breaches. Organizations have to rely on people to do the right thing.
Judith Lindsay, CHP and CEO of JAL Consult, tackles all the elements of the HIPAA compliance puzzle, successfully assisting organizations to make sense of it all by implementing the correct policies and procedures that are reasonable and appropriate for their entity. Judith provides consulting and training and is available for speaking engagements. To read more about the world of compliance, subscribe to JAL’s insightful newsletter at www.jalconsultantsaz.com or follow JAL on Twitter @judithconsult