HIPAA AND SOCIAL MEDIA “TIPS TO AVOID HIPAA VIOLATIONS”


Page 1

HIPAA AND SOCIAL MEDIA

“TIPS TO AVOID HIPAA VIOLATIONS”

Page 2

A SINGLE TYPO RUINED A CAREER

Think of ex-congressman Anthony Weiner’s blunder on Twitter. He apparently confused a DM (direct message) with a public Twitter post. Had he addressed the intended recipient with the letter D preceding the user name, only that recipient would have had access to the tweet. Instead, the @ symbol followed by the user name directed the message at a specific user but left it visible to anyone on the service. This one-letter typo ruined his career and reputation and harmed his marriage. Social media is fraught with danger!

Page 3

Page 4

Understand the terminology

Social Media: An umbrella term that encompasses several different types of technology. These different technologies provide a combination of media storage, display and communication applications. Each allows a single person to communicate with a broadly identified group. Different technologies pose different risks and must be addressed thoughtfully. Policies and education should be focused on the communication made, not the brand name.

Page 5

Facebook

- Ubiquitous photo, messaging and mail service
- Technology similar to MySpace, LinkedIn, Salesforce Chatter, etc.
- 1.11 billion users as of May 1, 2013
- Personal information
- Connections by consent
- Updates pushed to “friends”
- Messages – mail, chat, the “Wall”
- “Tagging” photos and locations in other friends’ photos
- Additional applications and add-ons – games, surveys, groups, like, dislike

Page 6

Facebook (cont.)

- Users have a wide variety of privacy functionalities and can maintain a high level of privacy.
- Newer or more naïve users may not be aware of privacy functions and risks.
- Privacy functionalities are constantly in flux.
- User information is stored and controlled centrally: registration information and information you choose to share. DOB allows Facebook to show you age-appropriate content and advertisements.
- User controls cannot override corporate decisions – posted information is “out there” forever.
- Posted information can be stored or saved by other users, especially pictures.
- Both Facebook and third-party application providers collect personal information to share with advertisers and other third parties.

Page 7

Facebook (cont.)

Facebook’s response to questions regarding control of information:

When a person shares information on Facebook, they first need to grant a license to use that information so Facebook can show it to the other people they’ve asked us to share it with. Without the license, Facebook couldn’t help people share the information.

When information is shared with a friend, two copies of that information are created: one in the person’s sent box and the other in their friend’s inbox. Even if the account is deactivated, the friend still has a copy of that message.

Terms have been changed to clarify these issues. Sharing information and retaining control of it so that sharing can later be turned off are at odds with each other: no system can enable sharing and simultaneously control which services the shared information reaches.

Page 8

Public Information

Any content that is available to a public audience is considered public information. This includes:

- Your name, profile picture and cover photo
- Gender
- Lists of your networks (school or workplace)
- Username and user ID, which are in the link (URL) to your timeline

Page 9

Twitter

- Short bursts of text, links or pictures to thousands, if not millions, of “followers.”
- As of May 7, 2013: 500 million users on Twitter; 135,000 new users/day; 58 million tweets/day.
- Messages (Tweets) are limited to 140 characters.
- Tweets are sent through the internet, but may originate from cell phones or text messaging services.
- Applications add the ability to share links, re-post others’ “Tweets” and share photos.
- Data is centrally stored and is not user controlled.
- Private messages may be sent, but the default is public.

Page 10

Twitter (cont.)

- Information sent is forever “out there” and may not be recalled.
- Shared photos may be used or sold to another entity (TwitPic).
- Accounts may be faked or hacked, and Twitter shares user information with third parties.
- The FTC brought action to force Twitter to improve its security; the case settled in 2010.
- The FTC now has a security form for users to complete if they believe there is a breach.
- There are also volunteer security researchers who look for security issues.

Page 11

Blogs

- A discussion or informational site published on the World Wide Web consisting of discrete entries (posts).
- Web logs or “blogs” allow users to post an online multimedia journal on a specific topic or topics of general interest.
- A majority are interactive, allowing visitors to leave comments and message each other.
- Considered social networking.
- May be operated on a personal website or blog hosting site.
- Content is almost always public.
- Hosted content is subject to the hosting company’s terms of use and may not be entirely controlled by the poster.
- Greater control, but still subject to copying and storage.
- Blogs may be hacked or faked.

Page 12

Instant Messaging

- Permits two users to communicate in real time via short typed messages, aka “chatting,” over the Internet.
- Hosted internally or externally – security levels can vary widely.
- Chat transcripts may be stored.
- Frequently available at no charge on smart phones and similar web-enabled devices.

Page 13

Text Messaging

- Also known as “texting.”
- The act of typing and sending a short message and/or photos between two or more mobile phones over a phone network.
- Inherently insecure.
- Texts are generally stored on a central server of the cellular provider (or more than one) as well as on both the sending and receiving devices.
- Also referred to as Short Message Service or SMS.

Page 14

Social Media Summary

Social platforms were created to help people connect with one another, broadcast their ideas, and create stores of personal information online.

Services like Facebook, Twitter, YouTube were built for sharing public information, not for confidential information.

Page 15

Case of Dr. Flea

Dr. “Flea” is a pediatrician from the Boston area who began blogging under the name “Flea” about his experiences as a medical malpractice defendant. The plaintiff’s attorney found out, and he was exposed on the witness stand. The case settled as a result. The Boston Globe ran a front-page news report about the pediatrician’s blogging and all the comments he had made on the blog. His advice about medical blogging:

“Every time you post, recite the following like a mantra: ‘I AM CUTTING ROPE WITH WHICH TO HANG MYSELF.’”

Page 16

PHI Texted

A new RN in a clinic texted her boyfriend about a patient, a mutual friend, who had visited the clinic.

She did not use the patient’s name, only the procedure.

After 5 years, the now ex-boyfriend threatened to use the text on his cell phone in child support litigation.

Page 17

TEXTED PHI

- She informed the physician and office manager.
- The patient had to be informed of the text. This was done face-to-face.
- The patient was very angry and threatened to sue.
- The nurse was placed on leave without pay and later resigned.
- Boyfriend’s text – no control other than to ask that he remove it from his cell phone.
- Reportable breach.
- No idea whether the boyfriend sent the text to anyone else.

Page 18

TIP 1 – KEEP YOUR PERSONAL AND PROFESSIONAL LIFE SEPARATE

Especially when it comes to the Internet.

Set up different accounts for communicating with friends and family.

Use different passwords to help differentiate the accounts.

Page 19

TIP 2 – Understand The Technology

Understand the platform you are using and how it works (i.e., who may actually see or receive any messages you post)

Periodically check your privacy settings, preferably once a week, as they can change.

Page 20

TIP 3 – Don’t Talk About Patients

Never refer to a patient by name or provide information that could identify the patient. Even if the patient’s name is not mentioned, providing enough detail that a third party can identify the patient is a HIPAA breach.

When referencing particular cases, conditions and treatments, be as general as possible. Do not describe specific demographics or populations that can be identified.

For example, don’t reference an outbreak of head lice in the 5th grade class of a private school in Little Rock; say “grade school children, age 10-11, in a major city….”

Page 21

TIP 4 – Never Friend Patients on Facebook

In a JAMA study by Dr. Katherine Chretien on the intersection of Facebook and medicine, she states that having a dual relationship with a patient that is financial, social or personal can lead to serious ethical issues that can impair professional judgment.

The mere existence of a patient-physician relationship (e.g., having others suspect a Facebook friend is a patient) could be a violation of HIPAA.

In addition to being an ethical breach, violations of HIPAA can result in fines up to $250,000 and/or imprisonment.

Page 22

TIP 5 – Online Posts

- Never post anything you would be uncomfortable reading reprinted in the newspaper. This can be a helpful test to take before you hit the send button.
- Take time for thought before posting a blog or sending a tweet.
- After completing your thoughts or responses, save them as a draft and then read them later before posting.
- Often e-mails or tweets are an immediate response that lacks thought and reflection.
- REMEMBER: once you hit the send button, it’s a permanent record that cannot be retracted.

Page 23

TIP 6 – Be Careful Texting Other Healthcare Providers

Physicians who text other doctors could be exposing themselves to HIPAA privacy and security violations if their devices are not encrypted for all incoming and outgoing messages/photos.

DocbookMD is an app that provides a secure mobile communication platform for smartphones and tablet devices. It is designed for physicians. The Arkansas Medical Society offers the app; it may be downloaded from this website:

http://www.arkmed.org/resources/docbookmd/

- You have to sign a HIPAA Business Associate Agreement before activation.
- There is remote disabling if the device is lost or stolen.
- All messages are saved for 10 years per HITECH recommendations.

Page 24

Guidelines For Use of Mobile Devices

- When texting, know the recipient. Inadvertently sending a text containing PHI to the wrong person could be a HIPAA violation.
- Text or e-mail in private so the text does not have the potential of being seen.
- Another encryption software option is “TigerText” at http://www.tigertext.com/
- Activate a password on any mobile device or tablet.
- Set a limit on the number of failed login attempts before the device locks.
- Enable remote wiping of the device in the event it is lost/stolen.
- Require a password for access to confidential files and apps.

Page 25

Tip 7 – Know Your Workforce

The technology is here to stay. Your workforce uses it on your computer system, on a smart phone and away from work. Social media can create branding, serve as a communication tool, create a sense of community, provide good public relations, serve as a fundraising tool and establish the organization as an expert or leader.

Your workforce consists of your employees, volunteers, trainees and other persons whose conduct, in the performance of work for a Covered Entity, is under the direct control of such entity, whether or not they are paid by the CE.

You are responsible for your workforce under HIPAA. Even on social media!

Page 26

Workforce

You are not responsible for patients, family members, visitors or others under HIPAA. But . . . if you invite them to post, then you may be liable.

Make sure your workforce knows and understands:

- The organization’s philosophy
- The policies and procedures under HIPAA, and that they have had HIPAA training
- Where to go with an issue
- That they must sign confidentiality agreements
- Not to use your computers for social media
- Not to use their smart phones and other devices as part of the job
- The restrictions on photography and cell phones

Page 27

Case

A clinic employee posted a patient’s appointment notice on the patient’s spouse’s Facebook page.

PHI: patient’s name, physician’s name, date and time of appointment

Breach. Sanction: employee was terminated.

Page 28

Page 29

What Happens If?

A social media HIPAA violation occurs?

1. Must notify the individual(s) involved.
2. May need to notify HHS of the breach.
3. The challenge is mitigation of the effect of the disclosure.
4. The answer depends on the social media involved, but every effort must be made to mitigate the harm and document it.
5. Request that the workforce member remove the posting.
6. The reality is that once something is posted, it may never go away.

Page 30

Mitigation

8. Determine if PHI has been forwarded, copied, emailed or stored online.
9. The Terms and Conditions of most social networking sites grant the site broad rights to posted data. Facebook: “when you publish content or information using the Public setting, it means that you are allowing everyone, including people off of Facebook, to access and use that information, and to associate it with you.”
10. Contact the social media site, cite HIPAA and request assistance in removing the material.
11. Make whatever efforts are possible to trace and remove secondary postings.
12. Use the posting as a teaching opportunity to prevent further violations.

Page 31

Case

A patient was transferred to a trauma center with a horrific wound due to an MVA. Multiple healthcare providers took pictures on their cell phones and posted them on the internet. The investigation could not determine who had posted the picture; it was also found on employees’ home computers. The hospital hired a patent attorney to patent the picture. The picture showed the hospital’s logo on the scrubs of someone standing next to the patient. The patient’s face was not shown.

Page 32

Case

The picture went viral. Due to the uniqueness of the photo, the patient’s brother saw the picture on the internet and was able to identify the patient as his brother, as well as which hospital his brother was in at the time the picture was taken.

Multiple websites were contacted and the picture removed. The picture continues to remain on a website many years later despite all attempts to remove it. The hospital settled with the family for emotional distress. Reported to HHS as a HIPAA violation.

Page 33

Other Tips To Avoid PHI Disclosure

- Access only the PHI that you need for your particular purpose – minimum necessary.
- Disclose only the PHI that you must for the particular purpose – minimum necessary.
- Dispose of PHI in a secure manner that protects its privacy and security (“cradle to grave”).
- Be aware of your surroundings when discussing or reviewing PHI.
- Keep documents and records containing PHI secure when/if you take them with you.
- Analyze risks to the confidentiality of PHI (e.g., unprotected files, faxing procedures involving PHI, removal of PHI from the office, etc.).

Page 34

Other Tips To Avoid PHI Disclosure

Implement reasonable safeguards that address risks, including the following:

- Speak quietly when discussing a patient’s condition in nurses’ areas, hallways, elevators, stairwells, or other public areas.
- Avoid using a patient’s name in public places; remember the sensitivity of “celebrity” patients. Remember: PHI includes oral communications.
- Isolate or lock file cabinets or rooms containing patient records; limit non-employee access to areas where PHI is kept.
- Limit the amount of information left for a patient on an answering machine.
- Limit the amount of information requested on patient sign-in sheets; when these are collected, you must protect them as PHI.

Page 35

Other Tips To Avoid PHI Disclosure

- Ensure that information in the chart, on prescriptions, etc. is for the correct patient; immediately notify someone if information is discovered to belong to another patient.
- Limit which employees may have access to PHI to those with a “need to know.”
- Destroy PHI in a secure fashion (i.e., shredding), not in trash cans.
- On any faxes containing PHI, include a cover sheet warning that the contents include confidential PHI, and confirm the correct destination fax number before sending.
- Log off or otherwise lock any computer containing PHI.

Page 36

Remember

Social platforms are created to help people connect with each other, broadcast their ideas, and create stores of personal information online.

Services like Facebook, Twitter and YouTube were built for sharing, not for secrets.

Page 37

Develop A Social Media Policy

Why?

- To govern how employees use social media
- To protect confidential information and prevent improper use of social media
- To provide protection in litigation
- To outline disciplinary procedures