HIPAA Compliance and Social Media Concerns September 2013 Presenter: Jennifer A. Dukarski of Butzel Long

HIPAA Compliance and Social Media Concerns

September 2013

Presenter: Jennifer A. Dukarski

of Butzel Long

EVERYTHING HAS A PRICE: SOCIAL MEDIA IN THE DIGITAL AGE


Professional Branding in the Digital Age

Digital media creates virtually limitless opportunities to promote and protect your brand and products… while leaving an almost limitless opportunity for employees, customers and others to destroy that brand.

Because the internet comes with a price…

Online interaction differs from face-to-face communication: people are prone to behave at their worst and forget about consequences. This is the Online Disinhibition Effect!

• You don’t know me (dissociative anonymity)
• You can’t see me (invisibility)
• You won’t see me until later (asynchronicity)
• It’s all going on in my head (solipsistic introjection)
• It’s just a game (dissociative imagination)
• There’s no cops (minimizing authority)

The Online Disinhibition Effect, John Suler (2004)

Why Digital Media Matters: Consumers Use Social Media

• 42% use social media to access health-related reviews

• More than 80% of 18-24 year olds would share health information through social media

• Almost half (45%) of individuals from 45-64 would share health information over social media

PricewaterhouseCoopers HRI Consumer Survey, 2012

Why Digital Media Matters: What an Employer Does Has Consequences

• We asked or encouraged an employee to use Social Media.
  – Social media is becoming inseparable from some job functions.
  – Some individuals are asked to “host the company account” or post for the office.

• We have “deep pockets” and an offended party sues us, too.
  – For example, NBA Referee Bill Spooner sued AP Reporter Jon Krawczynski and the Associated Press for comments surrounding a questionable call.

THE INTERSECTION OF SOCIAL MEDIA, HIPAA AND BAD JUDGMENT


An Online Treasure Trove: PII and PHI

Personal Identifying Information (PII)
• Individual Social Security Numbers
• Addresses
• Credit Card Data

Personal Health Information (PHI)
• Names
• Geographical identifiers smaller than a state
• Dates related to an individual
• Phone numbers
• Fax numbers
• Email addresses
• Social Security numbers
• Medical record numbers
• Health insurance beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers (including license plates)
• Device identifiers
• URLs
• IP addresses
• Biometrics (finger, retinal and voice prints)
• Full face photos
• Other unique identifying number, characteristic or code

Leaking PII and PHI is easier than you think…

• California, April 9, 2010: Nurse photographs stabbing victim and puts his image (including his face) on Facebook

• Westerly Hospital, Rhode Island, April 21, 2011: Physician tells stories of Emergency Room experiences on Facebook, including details that may allow a third party to determine the individual involved

• Martin Memorial Center, Florida: employees were disciplined after taking and sharing photos of a shark bite victim

• Palisades General Hospital: “George Clooney is here”

• Medical Blogs: over 17% of blogs by professionals may contain sufficient information to establish the identity of a patient

I Lost My Data on the Internet: LabMD and the Federal Trade Commission

8/29/2013: The FTC files a complaint against LabMD for failing to protect medical and other sensitive information exposed over a peer-to-peer network (software commonly used to share music, videos and other materials). The complaint alleged that LabMD (which performs medical testing for consumers nationwide) did not take reasonable and appropriate measures to prevent unauthorized disclosure of sensitive consumer data, including PHI.

THE RISKS OF BRING YOUR OWN DEVICE


What is Bring Your Own Device?

• Bring Your Own Device (BYOD) is the policy of allowing employees to bring their own mobile devices (laptops, tablets, smart phones, etc.) to the workplace

• BYOD also may include use of non-company email and document sharing (Drop Box / SharePoint)

BYOD – The facts and statistics

• The average U.S. employee carries 3 mobile devices

• 81% of employees use personal devices at work

• 91% of tablet users and 75% of smart phone users have disabled auto-lock security

• 93% of employees admit to violating policies designed to prevent breaches and noncompliance

• 70% of physicians and health IT specialists use personal mobile devices to access electronic health records

© 2013 Butzel Long

Risking it all on BYOD?

• Cell Phones: A health clinic employee set his personal phone to “auto-forward” his University messages to his Google account. The phone was not password protected. While on vacation, the cell phone went missing.

• Flash Drives: A University professor lost his personal flash drive with ID including social security numbers for over 1000 students.

• Laptops: Just like the theft of a work laptop at Massachusetts Eye and Ear Infirmary that led to a $1.5 M fine to HHS, the theft of data from a personal laptop is equally risky.

• BYO Software/File Sharing: Dropbox, for example, openly admits that it is not HIPAA compliant. The same is true of many cloud-based file sharing programs.


Breaches: BYOD heightens the risk

Source: Health Information Privacy/Security Alert Analysis of HHS Office for Civil Rights Data

• Paper Records accounted for 116 incidents and were involved in 5 major breaches

• Laptops accounted for 111 breaches and were involved in 15 other issues

• Portable Electronic Devices (smart phones, iPads, etc.) accounted for 69 breaches and played a role in 11 other cases

• Network Servers were the sole cause of 46 breaches and were involved in 13 other cases

• Business Associates accounted for 103 breaches, the equivalent of 1 of every 9 incidents

It may feel like the Wild West…

When implementing a strategy to deal with Digital Media, organizations should consider all of the legal risks involved:

• Other Potential Legal Constraints
  – Media, Privacy and Communications
    • Reputation management
    • Stored Communications Act
  – Labor and Employment
    • Wage and Hour concerns
    • Hiring and Firing
  – Intellectual Property
    • Patents, Trademarks and Copyright
    • Domain Names and Social Media Accounts
  – Contractual and Ownership Rights
    • Ownership of social media followers, contacts, content and websites
  – Endorsement and Other Regulatory Concerns

… But a preventative approach can mitigate the risks

• Social Media Use Strategies
  – Implement or Review and Audit your BYOD Policy
  – Review and Revise or Adopt a Social Media Policy
  – Review Your Employee Handbook

• Data Security Strategies (LabMD Takeaways)
  – Implement and maintain a comprehensive data security program which includes addressing Business Associate risk
  – Use readily available measures to identify commonly known and reasonably foreseeable security risks and vulnerabilities
  – Use adequate measures to prevent employees from accessing personal information not needed to perform their jobs
  – Train employees on basic security practices
  – Use readily available measures to prevent and detect unauthorized access to personal information

QUESTIONS ?

Jennifer Dukarski
Tel: 734.213.3427
Email: [email protected]