The Intersection of Social Media, HIPAA, and the Workplace


Transcript of The Intersection of Social Media, HIPAA, and the Workplace

Page 1: The Intersection of Social Media, HIPAA, and the Workplace

The Intersection of Social Media, HIPAA and the Workplace

Presented by: Rob Entin, Rebecca Frigy Romine, Tom Kiser

Page 2

Today’s Topics

Social Media Statistics

Benefits of Social Media in the Workplace

Potential Patient Privacy and Security Social Media Pitfalls, including Real World Examples

Employee Rights

Adopting a Social Media Policy

Page 3

How Prevalent is Social Media

Page 4

10 Most Popular Social Media Outlets

Facebook (1.7B)

YouTube (1B)

Twitter (310M)

LinkedIn (255M)

Pinterest (250M)

Google Plus (120M)

Tumblr (110M)

Instagram (100M)

reddit (85M)

VK (80M)

Page 5

How Prevalent is Social Media? (a/k/a social “not working”)

At the end of 2009, 360 Million users

At the end of 2013, 1.230 Billion users

As of 8/2016, 1.49 Billion users

According to a recent Pew study, 74% of online adults use social networking sites

– Increase in age, increase in education

Page 6

What does this mean?

The biggest user group is between the ages of 20 and 29, followed by the 30-39 year-old group

There are more users 60 and older than 19 and younger

Page 7

Some more fun facts

Bloggers are older than Facebook users

In a 2015 study, the largest group of bloggers was 35-44 years old

5 years ago the largest group was 25-34 years old

Page 8

Facebook Facts from Pew (Feb. 2014) and Zephoria, Internet Marketing (August 2016) and other sources

People on Facebook

More than 1.71 billion monthly active users

Five new profiles created every second (83 million fake profiles)

50% of active users log on to Facebook in any given day

Average user has 150 friends

People spend over 700 billion minutes per month on Facebook

There are over 900 million objects that people interact with (pages, groups, events and community pages)

Average user is connected to 80 community pages, groups and events

Average user creates 90 pieces of content each month

More than 30 billion pieces of content (web links, news stories, blog posts, notes, photo albums, etc.) shared each month.

Page 9

If Facebook Were a Country

1. FACEBOOK

2. China

3. India

4. United States

5. Indonesia

6. Brazil

7. Pakistan

8. Nigeria

9. Bangladesh

10. Russia

Page 10

From Mashable.com

YouTube is huge. Humongous, even. More video content is uploaded to YouTube in a 60-day period than the three major U.S. television networks created in 60 years.

The average YouTube user session is 40 minutes, up from 15 to 25 minutes in 2013

Page 11

2009 Study by Proofpoint (internet security firm)

Study of companies with over 1000 employees

17% reported issues with internet usage

8% reported having terminated an employee due to social media issues – this was double the number of terminations from the year before

15% of same companies reported disciplining employees

17% reported terminating employees for misuse of blogs or message boards

Page 12

Social Media and Hiring (from 2013 HireRight survey)

61 percent of employers use or plan to use social media for candidate recruiting

21 percent use or plan to use social media for background check

Slight drop from 24 percent for background

Page 13

Benefits of Social Media in the Workplace

Social Media provides another avenue for patient-physician interaction

Social Media provides a forum where both patients and physicians can share information

Social Media provides immediate access to information

Social Media can provide a forum for emotional support

Social Media can provide health surveillance

Page 14

Privacy Issues

Page 15

Privacy Laws

Federal and State

Complicated and conflicting patchwork of laws

Special rules for certain industries, activities and data types

Breach notification laws (47 states as of January 1, 2016, others pending)

FTC Enforcement under FTC Act §5 (unfair/deceptive trade practices)

Increased focus on mobile privacy, security and text message practices

Page 16

Privacy Laws Specific to Health Care Providers

• The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

• State Confidentiality Laws

• State Security Breach Notification Laws

Page 17

HIPAA Basics

The Basic HIPAA Privacy Rule:

A Covered Entity (CE) or its Business Associate (BA) may not use or disclose Protected Health Information (PHI) unless the use or disclosure is specifically permitted by HIPAA.

The HIPAA Security Rule requires all Electronic PHI to be protected.

Page 18

What is Protected Health Information (PHI)?

Information, that is a subset of health information, including demographic information collected from an individual, in any form, that is created or received by a Covered Entity; relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual; and that identifies or could be used to identify an individual.

Page 19

Examples of PHI

Names

Addresses (including city, county and full zip codes)

Dates directly related to the patient (including DOB, DOS and all ages over 89)

Telephone numbers

Fax numbers

Email addresses

Social Security numbers

Medical record numbers

Health plan numbers

Account numbers

Certificate/license numbers

VINs, license plate numbers

Device identifiers and serial numbers

URLs

IP addresses

Biometric identifiers (finger and voice prints)

Full face photographic images
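As an added example (not part of the presentation or any Polsinelli material), the following Python script shows how the pattern-based identifiers from this list can be screened for in a draft post before it is published, the way a simple data-loss-prevention check would. The regexes, the sample posts and the threshold logic for ages over 89 are constructed for this example; the first sample post deliberately carries PHI (a name plus the fact that someone is a patient) that no regex can catch, which is the limit such a check has.

```python
"""Pre-publication scan of a draft post for the pattern-based HIPAA
identifiers listed above (SSN, phone/fax, e-mail, MRN, dates, ZIP code,
IP address, URL, ages over 89). Constructed example, not from the
presentation. Names, full-face photos and biometrics cannot be caught
by regex and need other controls (training, manual review)."""
import re
from typing import Dict, List, Tuple

# Regexes are constructed for this example; a production DLP rule set would
# be broader (international phone formats, more date layouts, etc.).
PATTERNS: Dict[str, re.Pattern] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"\b(?:\(\d{3}\)\s*|\d{3}[-.\s])\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{5,}\b", re.IGNORECASE),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}

# Ages are identifiers only when over 89 ("all ages over 89" on the slide),
# so the age pattern is applied with a threshold rather than as a plain regex.
AGE = re.compile(r"\b(\d{1,3})[- ]?(?:years?[- ]old|y/?o)\b", re.IGNORECASE)


def scan_post(text: str) -> Dict[str, List[str]]:
    """Return {identifier_type: [matched strings]} for everything found."""
    hits: Dict[str, List[str]] = {}
    for name, rx in PATTERNS.items():
        found = rx.findall(text)
        if found:
            hits[name] = found
    over_89 = [m.group(0) for m in AGE.finditer(text) if int(m.group(1)) > 89]
    if over_89:
        hits["age_over_89"] = over_89
    return hits


def redact(text: str) -> str:
    """Replace each detected identifier with a bracketed placeholder."""
    for name, rx in PATTERNS.items():
        text = rx.sub(f"[{name.upper()}]", text)
    # Ages at or below 89 are left in place; only ages over 89 are redacted.
    return AGE.sub(
        lambda m: "[AGE_OVER_89]" if int(m.group(1)) > 89 else m.group(0), text
    )


def review_post(text: str) -> Tuple[bool, Dict[str, List[str]]]:
    """True when no pattern-based identifier is present, else False plus the hits."""
    hits = scan_post(text)
    return (not hits), hits


# Constructed sample posts; no real patients or real data.
SAMPLE_POSTS = [
    "Happy birthday Sam! I love being your nurse!",
    "Pt MRN 00482913, DOB 03/14/1925, 91-year-old, family at 555-123-4567 "
    "or sam@example.org, lives in 63101",
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        ok, hits = review_post(post)
        print("CLEAR " if ok else "BLOCK ", post)
        for kind, values in hits.items():
            print(f"   {kind}: {values}")
        if not ok:
            print("   redacted:", redact(post))
```

Run as a script, the birthday post passes the scan even though it is exactly the "well-meaning breach" the deck warns about later, while the second post is blocked on six identifier types. That contrast is the practical lesson: pattern matching catches the structured identifiers, and the remaining ones (names, patient status, photos) depend on policy and training.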

Page 20

HIPAA Obligations Related to Use and Disclosure of PHI

Permissible uses and disclosures

– Disclosures to the individual are generally permissible

– Disclosures for treatment, payment, and health care operations are generally permissible without patient authorization

Reasonable safeguards must be used

Social media – disclosures are generally made to the public, even if initially directed to just one individual

Social media is not a secure method of communication

Posts on social media often result in a “Breach”

Breach determination is a very fact specific analysis

Violation of an entity’s Social Media Policy does not necessarily mean that there has been a reportable Breach

Page 21

Reporting a Breach of Unsecured PHI

“Breach” means the acquisition, access, use or disclosure of PHI in a manner not permitted under the Privacy Rule, which compromises the security or privacy of the PHI

Key initial consideration – Is PHI involved?

If so, then event is presumed a Breach, unless a four factor written risk assessment demonstrates that there is a “low probability that the PHI has been compromised.”

Page 22

Risk Assessment

Factors that must be considered:

1. Nature and extent of the PHI involved, including types of identifiers and the likelihood of re-identification

2. The unauthorized person who used the PHI or to whom the disclosure was made

3. Whether the PHI was actually acquired or viewed

4. The extent to which the risk to the PHI has been mitigated

Page 23

Notification Requirements

Notice to Affected Individual – Notice without unreasonable delay and not later than 60 days after discovery of the breach

– Ensure all elements of 45 CFR § 164.404 (content requirements) are included in the notification

– Keep language clear and concise

Notice to the Secretary of HHS – If fewer than 500 individuals are affected, report annually within 60 days of the end of the calendar year in which the breach was discovered; breaches affecting 500 or more individuals require notice within 60 days of the event, but social media incidents are unlikely to affect that many individuals

– Breach reporting through website: http://www.hhs.gov/ocr/privac

Notice to the Media – Breaches involving social media are unlikely to involve 500 or more individuals

Page 24

Government Enforcement

OCR can levy civil money penalties of up to $1.5 million per year against providers for noncompliance for violations of an identical requirement

OCR can also refer possible criminal violations of HIPAA to the DOJ

State Attorneys General have authority to bring civil actions on behalf of state residents for HIPAA violations

Page 25

Consequences of Non-Compliance

Tiered Civil Penalties

Page 26

State Privacy / Breach Notification Laws

State privacy / breach notification laws vary

– Look where the affected patient(s) reside

– May only apply to certain providers, to computerized data or to certain personal information, e.g. social security numbers

– Uptick in private actions based on state law – negligence, invasion of privacy, etc.

Example: California’s Health and Safety Code Section 1280.15:

• Requires reporting of any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information no later than 15 business days after detection

• May be fined up to $25,000 per patient

*Patients can bring an action under Cal. Civ. Code Section 56.36 and recover $1,000 nominal damages even if there is no economic loss or personal injury.

Page 27

Physician Obligations Involving Social Media

American Medical Association Opinion 9.124 – Professionalism in the Use of Social Media

Physicians should be cognizant of standards of patient privacy and confidentiality that must be maintained in all environments, including online, and must refrain from posting identifiable patient information online.

PRIVACY SETTINGS ARE NOT ABSOLUTE!!

Page 28

Common Types of Privacy Breaches Involving Social Media

and Recent Examples

Page 29

Malicious and Undignified Posts

A paramedic posted information on a social media site about a sexual assault victim. Although the victim's name was not disclosed, the paramedic detailed enough information in the post that the media was able to discover the identity of the victim and where she lived. The plaintiff filed a lawsuit against the paramedic and the emergency service he worked for due to privacy violations.

Two nurses took pictures of a patient's x-rays showing a sex device lodged in his rectum with their cell phones and one of the nurses posted the pictures on a social media site. Both nurses were fired but no charges filed because the nurse took down her social media page and no evidence of a HIPAA violation was found. However, the case was turned over to the FBI for investigation.

An emergency medical technician was fired after taking photos with his cell phone of a murder victim and posting them on a social media site. The EMT had to surrender his EMT license and perform 200 hours of community service. The fire station he worked for did not face any charges.

Page 30

Malicious and Undignified Posts

A few nurses that work together in a hospital emergency department were fired for discussing patients on a social media site. Even though they did not post any identifying information, they still violated the hospital’s policies.

A nursing home employee took a photo of a resident's genitals with a cell phone. The employee sent the photo to a friend who posted it on a social media site. The employee was fired and both were charged with invasion of privacy and conspiracy.

A nurse was fired after posting on her social media page about an alleged cop-killer she treated even though she did not discuss the details of his condition, his name or any other identifying information. This one detail was enough to identify the individual.

Page 31

Careless or Well-Meaning Posts

A nurse expressed her condolences to a patient’s family regarding the death of a patient in a highly publicized accident. The nurse included in her condolences the fact that the patient helped several other individuals through his organ donation.

A hospital workforce member took a “selfie” of herself and posted the picture on Facebook. In the background, the “selfie” included the OR patient board, which listed patient names and scheduled procedures.

Page 32

Posts Related to Professional Practice

A nurse was charged with the unauthorized practice of medicine when she replied to a friend’s post from work stating: “It sounds like you have a migraine; take two Excedrin Migraine.”

A physician replied to a patient’s negative post related to the quality of care the patient received. In his response the physician disclosed information about the patient’s care.

Page 33

5 Posts Your Privacy Officer Worries About*

5. Anything with a photo of a patient – The fact that a person is a patient is PHI and a full face photograph is an identifier

4. The well-meaning breach – “Happy birthday Sam! I love being your nurse!”

3. The failed attempt at anonymity – “I just took care of my first heart transplant patient!”

2. The rant – “Alcoholic hockey players are so demanding. . .”

1. The HIPAA problem and dignity problem – “I am so tired of bossy patients telling me what to wear!”

*Margaret C. Scavotto, JD, CHC, The Top 5 Social Media Posts Your Privacy Officer Fears Most, (Nov. 12, 2015), http://complianceandethics.org/the-5-social-media-posts-your-privacy-officer-fears-most/

Page 34

Additional Risks

The employer can be vicariously liable for the acts of its employees

– Creation of unintended patient relationship

– Violation of ethical standards

– Defamation, libel or disparagement

– Discrimination, harassment, hostile work environment

– Intellectual property infringement

– FTC Violations

– Violations of restrictive covenants

– Antitrust

– Tax-exempt limitations on communication

– Security Laws

Page 35

The NLRB Position

Page 36

What is Section 7?

Section 7 provides that “employees shall have the right to self-organization, to form, join, or assist labor organizations, to bargain collectively . . . and to engage in other concerted activities for the purpose of collective bargaining or other mutual aid or protection.”

Page 38

So, what is the test?

Does it affect terms and conditions of employment?

Do co-workers comment? (if no comments, then no concerted activity in some cases)

Can lose protection if comments are, among other things, “opprobrious” or disloyal

Individual gripe—or commenting on terms and conditions?

Page 39

Decisions are Fact Specific; Not Consistent

Hispanics United of Buffalo, Inc. (Sept. 2, 2011)

Employees could not be fired for posting on wall of co-worker who complained about her co-workers’ performance

Posts by co-workers protected because deal with job performance

Same result where employees posted concerns about the employer’s tax-withholding procedures

Because all relate to shared concerns of employee re: terms and conditions of employment

Page 40

But, hot dogs?

Knauz, BMW, 358 NLRB 1754 (2012)

Auto dealership employees complain online and post pictures where owners serve hot dogs, cookies and snacks from a warehouse club

Sarcastic comments re: owner going all-out

Vocalizing sentiments of co-workers, so concerted activity

Page 41

You “like” me, you really “like” me

Triple Play Sports Bar and Grille fires two workers after learning of a discussion on Facebook regarding tax withholdings between several employees

“They can’t do calculations” “Now I owe money . . . Wtf”

One employee “likes” the status

Employer argues that they are “defamatory and disparaging remarks” so lose NLRA protection

NLRB says the comments (including the “like”) are concerted activity and the policy was an effort to chill speech

Page 42

NLRB Also Commenting on Policies

Agency looks to the breadth of the language and to how terms are defined, or not defined

Specific exclusion for Section 7 activity

If prohibit confidential information, must define

Can’t prohibit “any comment” that would embarrass, harass or defame

Or that would damage reputation or goodwill

Nurse complains on her Facebook page about coworker who is always absent

Policy too broad

Page 43

Guidance is good?

Cannot have policy that allows only “appropriate” comments

Be wary of confidentiality because could prohibit discussions of wages

But, if personal gripes only, no violation

Gives general “ok” to policy that prohibits comments which are “vulgar, obscene, threatening, intimidating, harassing, or a violation of the Employer’s workplace policies”

Page 44

Consider Language Carefully

GC Report contains some language that has been “approved”

But, consider whether policy prohibits “water cooler” talk

Page 45

An Example from NLRB website

Phlebotomist posted a number of angry, profane comments on Facebook against coworkers and her employer. The posts indicated that she hated people at work, that they blamed everything on her, and that she wanted to be left alone. A coworker commented that she, too, had gone through a similar situation at work.

Page 46

What Happens?

Employer discharged the phlebotomist; the NLRB found the termination lawful, despite the coworker’s supportive post. The NLRB reasoned that the postings were made solely on the employee’s own behalf, did not involve sharing of common concerns, and contained no language seeking to initiate or induce coworkers to engage in group action.

Page 47

Adopting a Social Media Policy

Page 48

Social Media Policy

The first step in implementing a social media policy is conducting a risk analysis

The social media policy should address all the areas of identified risk

The social media policy should state the purpose of the policy up front

The social media policy should define social media

The social media policy should list appropriate uses of social media

Page 49

Social Media Policy

The social media policy should list the sanctions for violations of the policy

The social media policy should require immediate notification of policy violations

The social media policy should include anti-harassment and anti-discrimination provisions

The social media policy should include an employee rights discussion (consistent with NLRB law)

Employee training on the policy should occur upon completion of the policy

Social media training should be an ongoing process updated to include all the lessons learned

Page 50

Policy Considerations

Decide to what extent you want to allow social media use

Specify permissible scope of employee use of social media

Consider monitoring employees’ use of social media at work

Inform staff that there is no expectation of privacy if using employer’s system

Require separation of personal and professional social media sites

Consider posting the policy on the website

Enforce the policy in a consistent manner

Page 51

Hypothetical Scenario

A well-known local professional baseball pitcher gets hit in the eye with a ball during the final World Series game and is taken off the field on a stretcher and transported to Local Medical Center. The local team loses the World Series and the local media blames the outcome of the World Series on losing the star pitcher. A staff nurse at Local Medical Center posts on his/her Facebook page that s/he is excited about caring for a professional baseball player but cannot believe that Local Medical Center admitted the player to his/her floor since they are so understaffed and have no knowledge about caring for eye injuries. Upon reading the Facebook post, two staff members post comments supportive of the staff nurse, while several other staff members “like” the post.

Is there a HIPAA breach?

Is the post protected speech?

Is “liking” the post protected speech?

Is the nurse engaging in a concerted effort when s/he posts on Facebook?

Are employees engaging in a concerted effort when they comment or “like” the post?

What actions should Local Medical Center take, if any?

Page 52

Questions?

Please feel free to contact us for more information:

– Rob Entin: [email protected]

– Rebecca Frigy Romine: [email protected]

– Tom Kiser: [email protected]

Page 53

Polsinelli provides this material for informational purposes only. The material provided herein is general and is not intended to be legal advice. Nothing herein should be relied upon or used without consulting a lawyer to consider your specific circumstances, possible changes to applicable laws, rules and regulations and other legal issues. Receipt of this material does not establish an attorney-client relationship. Polsinelli is very proud of the results we obtain for our clients, but you should know that past results do not guarantee future results; that every case is different and must be judged on its own merits; and that the choice of a lawyer is an important decision and should not be based solely upon advertisements. © 2016 Polsinelli PC. In California, Polsinelli LLP. Polsinelli is a registered mark of Polsinelli PC