The Intersection of Social Media, HIPAA, and the Workplace
Transcript of The Intersection of Social Media, HIPAA, and the Workplace
The Intersection of Social Media, HIPAA and the Workplace
Presented by: Rob Entin, Rebecca Frigy Romine, Tom Kiser
Today’s Topics
Social Media Statistics
Benefits of Social Media in the Workplace
Potential Patient Privacy and Security Social Media Pitfalls, including Real World Examples
Employee Rights
Adopting a Social Media Policy
How Prevalent is Social Media
10 Most Popular Social Media Outlets
Facebook (1.7B)
YouTube (1B)
Twitter (310M)
LinkedIn (255M)
Pinterest (250M)
Google Plus (120M)
Tumblr (110M)
Instagram (100M)
reddit (85M)
VK (80M)
How Prevalent is Social Media? (a/k/a social “not working”)
At the end of 2009, 360 Million users
At the end of 2013, 1.230 Billion users
As of 8/2016, 1.49 Billion users
According to recent Pew Study, 74% of online adults use social networking sites
– Increase in age, increase in education
What does this mean?
The biggest user group is between the age of 20-29 followed by 30-39 year-old group
There are more users 60 and older than 19 and younger
Some more fun facts
Bloggers are older than Facebook users
2015 study, largest group of bloggers is 35-44 years old
5 years ago the largest group was 25-34 years old
Facebook Facts from Pew (Feb. 2014) and Zephoria, Internet Marketing (August 2016) and other sources
People on Facebook
More than 1.71 billion monthly active users
Five new profiles created every second (83 million fake profiles)
50% of active users log on to Facebook in any given day
Average user has 150 friends
People spend over 700 billion minutes per month on Facebook
There are over 900 million objects that people interact with (pages, groups, events and community pages)
Average user is connected to 80 community pages, groups and events
Average user creates 90 pieces of content each month
More than 30 billion pieces of content (web links, news stories, blog posts, notes, photo albums, etc.) shared each month.
If Facebook Were a Country
1. FACEBOOK
2. China
3. India
4. United States
5. Indonesia
6. Brazil
7. Pakistan
8. Nigeria
9. Bangladesh
10. Russia
From Mashable.com
YouTube is huge. Humongous, even. More video content is uploaded to YouTube in a 60-day period than the three major U.S. television networks created in 60 years.
The average YouTube user session is 40 minutes, up from 15 to 25 minutes in 2013
2009 Study by Proofpoint (internet security firm)
Study of companies with over 1000 employees
17% reported issues with internet usage
8% reported having terminated an employee due to social media issues – this was double the number of terminations from the year before
15% of same companies reported disciplining employees
17% reported terminating employees for misuse of blogs or message boards
Social Media and Hiring (from 2013 HireRight survey)
61 percent of employers use or plan to use social media for candidate recruiting
21 percent use or plan to use social media for background check
Slight drop from 24 percent for background
Benefits of Social Media in the Workplace
Social Media provides another avenue for patient-physician interaction
Social Media provides a forum where both patients and physicians can share information
Social Media provides immediate access to information
Social Media can provide a forum for emotional support
Social Media can provide health surveillance
Privacy Issues
Privacy Laws
Federal and State
Complicated and conflicting patchwork of laws
Special rules for certain industries, activities and data types
Breach notification laws (47 states as of January 1, 2016, others pending)
FTC Enforcement under FTC Act §5 (unfair/deceptive trade practices)
Increased focus on mobile privacy, security and text message practices
Privacy Laws Specific to Health Care Providers
• The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• State Confidentiality Laws
• State Security Breach Notification Laws
HIPAA Basics
The Basic HIPAA Privacy Rule:
A Covered Entity (CE) or its Business Associate (BA) may not use or disclose Protected Health Information (PHI) unless the use or disclosure is specifically permitted by HIPAA.
The HIPAA Security Rule requires all Electronic PHI to be protected.
What is Protected Health Information (PHI)?
Information, that is a subset of health information, including demographic information collected from an individual, in any form, that is created or received by a Covered Entity; relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual; and that identifies or could be used to identify an individual.
Examples of PHI
Names
Addresses (including city, county and full zip codes)
Dates directly related to the patient (including DOB, DOS and all ages over 89)
Telephone numbers
Fax numbers
Email addresses
Social Security numbers
Medical record numbers
Health plan numbers
Account numbers
Certificate/license numbers
VINs, license plate numbers
Device identifiers and serial numbers
URLs
IP addresses
Biometric identifiers (finger and voice prints)
Full face photographic images
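The identifier categories above are the starting point for any pre-posting screen a privacy office might run over a draft message. The following is an added example, not part of the Polsinelli presentation: a small scanner that flags the machine-detectable identifiers (SSN, phone, email, IP address, date, zip code, medical record number, URL) and separately flags care-related context, since posts such as "my first heart transplant patient" contain no identifier yet still describe a patient. The patterns, the context word list and the sample posts are constructed for illustration and are not an official or exhaustive rule set.

```python
import re

# Constructed regexes for a subset of the HIPAA identifier categories listed above.
# They are illustrative assumptions, not a complete de-identification rule set.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "zip_code": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{5,}\b", re.IGNORECASE),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
}

# Words that make a post "about a patient" even when no listed identifier is present.
# Names and free-text descriptions cannot be caught by regex, so such posts are
# routed to human review rather than approved automatically.
CARE_CONTEXT = re.compile(
    r"\b(patient|transplant|surgery|diagnos|admitted|treated|nurse)\w*",
    re.IGNORECASE,
)


def scan_post(text):
    """Return a dict mapping identifier category -> list of matched strings."""
    hits = {}
    for category, pattern in PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[category] = found
    return hits


def classify_post(text):
    """Classify a draft post as 'block', 'review' or 'ok'.

    block  - at least one listed identifier was found
    review - no identifier, but the post describes care of a patient
    ok     - nothing detected (does not prove the post is safe)
    """
    if scan_post(text):
        return "block"
    if CARE_CONTEXT.search(text):
        return "review"
    return "ok"


if __name__ == "__main__":
    # Constructed sample posts modelled on the kinds of posts discussed in the deck.
    samples = [
        "Follow-up for MRN 4471023, call (555) 123-4567",
        "Patient admitted 3/14/2016, see http://intranet.example/chart",
        "I just took care of my first heart transplant patient!",
        "Happy birthday Sam! I love being your nurse!",
        "Great game last night, what a finish!",
    ]
    for post in samples:
        print(f"{classify_post(post):6}  {scan_post(post)}  {post}")
```

The "ok" result is deliberately weak: a post can identify a patient through a single contextual detail with no identifier in it at all, which is why the scanner only ever clears a post for posting when nothing is found and still leaves the policy and training requirements in place.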
HIPAA Obligations Related to Use and Disclosure of PHI
Permissible uses and disclosures
Disclosures to the Individual are generally permissible
Disclosures for Treatment, Payment, and Health Care Operations are generally permissible without patient authorization
Reasonable safeguards must be used
Social media – disclosures are generally made to the public, even if initially directed to just one individual
Social media is not a secure method of communication
Posts on social media often result in a “Breach”
Breach determination is a very fact specific analysis
Violation of an entity’s Social Media Policy does not necessarily mean that there has been a reportable Breach
Reporting a Breach of Unsecured PHI
“Breach” means the acquisition, access, use or disclosure of PHI in a manner not permitted under the Privacy Rule, which compromises the security or privacy of the PHI
Key initial consideration – Is PHI involved?
If so, then event is presumed a Breach, unless a four factor written risk assessment demonstrates that there is a “low probability that the PHI has been compromised.”
Risk Assessment
Factors that must be considered:
1. Nature and extent of the PHI involved, including types of identifiers and the likelihood of re-identification
2. The unauthorized person who used the PHI or to whom the disclosure was made
3. Whether the PHI was actually acquired or viewed
4. The extent to which the risk to the PHI has been mitigated
Notification Requirements
Notice to Affected Individual – Notice without unreasonable delay and not later than 60 days after discovery of the breach
– Ensure all elements of 45 CFR § 164.404 (content requirements) are included in the notification
– Keep language clear and concise
Notice to the Secretary of HHS – If fewer than 500 individuals are affected, report annually within 60 days of the end of the calendar year in which the breach was discovered; social media incidents are unlikely to affect more than 500 individuals, which would require notice within 60 days of the event
– Breach reporting through website: http://www.hhs.gov/ocr/privac
Notice to the Media – Breaches involving social media are unlikely to involve 500 or more individuals
Government Enforcement
OCR can levy civil money penalties up to $1.5 million per year against providers for violations of an identical requirement
OCR can also refer possible criminal violations of HIPAA to the DOJ
State Attorneys General have authority to bring civil actions on behalf of state residents for HIPAA violations
Consequences of Non-Compliance
Tiered Civil Penalties
State Privacy / Breach Notification Laws
State privacy / breach notification laws vary – look where the affected patient(s) reside
– May only apply to certain providers, to computerized data or to certain personal information, e.g. social security numbers.
– Uptick in private actions based on state law – negligence, invasion of privacy, etc.
Example – California’s Health and Safety Code Section 1280.15:
• Requires reporting of any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information no later than 15 business days after detection
• May be fined up to $25,000 per patient
*Patients can bring an action under Cal. Civ. Code Section 56.36 and recover $1,000 nominal damages even if there is no economic loss or personal injury.
Physician Obligations Involving Social Media
American Medical Association Opinion 9.124 – Professionalism in the Use of Social Media
Physicians should be cognizant of standards of patient privacy and confidentiality that must be maintained in all environments, including online, and must refrain from posting identifiable patient information online.
PRIVACY SETTINGS ARE NOT ABSOLUTE!!
Common Types of Privacy Breaches Involving Social Media and Recent Examples
Malicious and Undignified Posts
A paramedic posted information on a social media site about a sexual assault victim. Although the victim's name was not disclosed, the paramedic detailed enough information in the post that the media was able to discover the identity of the victim and where she lived. The plaintiff filed a lawsuit against the paramedic and the emergency service he worked for due to privacy violations.
Two nurses took pictures of a patient's x-rays showing a sex device lodged in his rectum with their cell phones and one of the nurses posted the pictures on a social media site. Both nurses were fired but no charges filed because the nurse took down her social media page and no evidence of a HIPAA violation was found. However, the case was turned over to the FBI for investigation.
An emergency medical technician was fired after taking photos with his cell phone of a murder victim and posting them on a social media site. The EMT had to surrender his EMT license and perform 200 hours of community service. The fire station he worked for did not face any charges.
Malicious and Undignified Posts
A few nurses that work together in a hospital emergency department were fired for discussing patients on a social media site. Even though they did not post any identifying information, they still violated the hospital’s policies.
A nursing home employee took a photo of a resident's genitals with a cell phone. The employee sent the photo to a friend who posted it on a social media site. The employee was fired and both were charged with invasion of privacy and conspiracy.
A nurse was fired after posting on her social media page about an alleged cop-killer she treated even though she did not discuss the details of his condition, his name or any other identifying information. This one detail was enough to identify the individual.
Careless or Well-Meaning Posts
A nurse expressed her condolences to a patient’s family regarding the death of a patient in a highly publicized accident. The nurse included in her condolences the fact that the patient helped several other individuals through his organ donation.
A hospital workforce member took a “selfie” of herself and posted the picture on Facebook. In the background, the “selfie” included the OR patient board which included patient names and procedure scheduled.
Posts Related to Professional Practice
A nurse was charged with the unauthorized practice of medicine when she replied to a friend’s post from work stating: “It sounds like you have a migraine; take two Excedrin Migraine.”
A physician replied to a patient’s negative post related to the quality of care the patient received. In his response the physician disclosed information about the patient’s care.
5 Posts Your Privacy Officer Worries About*
5. Anything with a photo of a patient – The fact that a person is a patient is PHI and a full face photograph is an identifier
4. The well-meaning breach – “Happy birthday Sam! I love being your nurse!”
3. The failed attempt at anonymity – “I just took care of my first heart transplant patient!”
2. The rant – “Alcoholic hockey players are so demanding. . .”
1. The HIPAA problem and dignity problem – “I am so tired of bossy patients telling me what to wear!”
*Margaret C. Scavotto, JD, CHC, The Top 5 Social Media Posts Your Privacy Officer Fears Most, (Nov. 12, 2015), http://complianceandethics.org/the-5-social-media-posts-your-privacy-officer-fears-most/
Additional Risks
The employer can be vicariously liable for the acts of its employees
– Creation of unintended patient relationship
– Violation of ethical standards
– Defamation, libel or disparagement
– Discrimination, harassment, hostile work environment
– Intellectual property infringement
– FTC Violations
– Violations of restrictive covenants
– Antitrust
– Tax-exempt limitations on communication
– Security Laws
The NLRB Position
What is Section 7?
Section 7 provides that “employees shall have the right to self-organization, to form, join, or assist labor organizations, to bargain collectively . . . and to engage in other concerted activities for the purpose of collective bargaining or other mutual aid or protection.”
Is the Internet the New Water Cooler?
Protected, Concerted Activity
So, what is the test?
Does it affect terms and conditions of employment?
Do co-workers comment? (if no comments, then no concerted activity in some cases)
Can lose protection if comments are, among other things, “opprobrious” or disloyal
Individual gripe—or commenting on terms and conditions?
Decisions are Fact Specific; Not Consistent
Hispanics United of Buffalo, Inc. (Sept. 2, 2011)
Employees could not be fired for posting on wall of co-worker who complained about her co-workers’ performance
Posts by co-workers protected because deal with job performance
Same result where employees posted concerns about the employer’s tax-withholding procedures
Because all relate to shared concerns of employees regarding terms and conditions of employment
But, hot dogs?
Knauz BMW, 358 NLRB 1754 (2012)
Auto dealership employees complain online and post pictures where owners serve hot dogs, cookies and snacks from a warehouse club
Sarcastic comments re: owner going all-out
Vocalizing sentiments of co-workers, so concerted activity
You “like” me, you really “like” me
Triple Play Sports Bar and Grille fires two workers after learning of a discussion on Facebook regarding tax withholdings between several employees
“They can’t do calculations” “Now I owe money . . . Wtf”
One employee “likes” the status
Employer argues that they are “defamatory and disparaging remarks” so lose NLRA protection
NLRB says comments (including the “like”) are concerted activity and the policy was an effort to chill speech
NLRB Also Commenting on Policies
Agency looking to breadth of language and how terms are defined, or not
Specific exclusion for Section 7 activity
If prohibit confidential information, must define
Can’t prohibit “any comment” that would embarrass, harass or defame
Or that would damage reputation or goodwill
Nurse complains on her Facebook page about coworker who is always absent
Policy too broad
Guidance is good?
Cannot have policy that allows only “appropriate” comments
Be wary of confidentiality because could prohibit discussions of wages
But, if personal gripes only, no violation
Gives general “ok” to policy that prohibits comments which are “vulgar, obscene, threatening, intimidating, harassing, or a violation of the Employer’s workplace policies”
Consider Language Carefully
GC Report contains some language that has been “approved”
But, consider whether policy prohibits “water cooler” talk
An Example from NLRB website
Phlebotomist posted a number of angry, profane comments on Facebook against coworkers and her employer. The posts indicated that she hated people at work, that they blamed everything on her, and that she wanted to be left alone. A coworker commented that she, too, had gone through a similar situation at work.
What Happens?
The employer discharged the phlebotomist, and the NLRB found the termination lawful despite the coworker’s supportive post. The NLRB reasoned that the postings were made solely on the employee’s own behalf, did not involve sharing of common concerns, and contained no language seeking to initiate or induce coworkers to engage in group action.
Adopting a Social Media Policy
Social Media Policy
The first step in implementing a social media policy is conducting a risk analysis
The social media policy should address all the areas of identified risk
The social media policy should state the purpose of the policy up front
The social media policy should define social media
The social media policy should list appropriate uses of social media
Social Media Policy
The social media policy should list the sanctions for violations of the policy
The social media policy should require immediate notification of policy violations
The social media policy should include anti-harassment and anti-discrimination provisions
The social media policy should include an employee rights discussion (consistent with NLRB law)
Employee training on the policy should occur upon completion of the policy
Social media training should be an ongoing process updated to include all the lessons learned
Policy Considerations
Decide to what extent you want to allow social media use
Specify permissible scope of employee use of social media
Consider monitoring employees’ use of social media at work
Inform staff that there is no expectation of privacy if using employer’s system
Require separation of personal and professional social media sites
Consider posting the policy on the website
Enforce the policy in a consistent manner
Hypothetical Scenario
A well-known local professional baseball pitcher gets hit in the eye with a ball during the final World Series game and is taken off the field on a stretcher and transported to Local Medical Center. The local team loses the World Series and the local media blames the outcome of the World Series on losing the star pitcher. A staff nurse at Local Medical Center posts on his/her Facebook page that s/he is excited about caring for a professional baseball player but cannot believe that Local Medical Center admitted the player to his/her floor since they are so understaffed and have no knowledge about caring for eye injuries. Upon reading the Facebook post, two staff members post comments supportive of the staff nurse, while several other staff members “like” the post.
Is there a HIPAA breach?
Is the post protected speech?
Is “liking” the post protected speech?
Is the nurse engaging in a concerted effort when s/he posts on Facebook?
Are employees engaging in a concerted effort when they comment or “like” the post?
What actions should Local Medical Center take, if any?
Questions?
Please feel free to contact us for more information:
– Rob Entin: [email protected]
– Rebecca Frigy Romine: [email protected]
– Tom Kiser: [email protected]
Polsinelli provides this material for informational purposes only. The material provided herein is general and is not intended to be legal advice. Nothing herein should be relied upon or used without consulting a lawyer to consider your specific circumstances, possible changes to applicable laws, rules and regulations and other legal issues. Receipt of this material does not establish an attorney-client relationship. Polsinelli is very proud of the results we obtain for our clients, but you should know that past results do not guarantee future results; that every case is different and must be judged on its own merits; and that the choice of a lawyer is an important decision and should not be based solely upon advertisements. © 2016 Polsinelli PC. In California, Polsinelli LLP. Polsinelli is a registered mark of Polsinelli PC