Friday, March 14, 2014
HIPAA and Social Media - A Match Not Made in Heaven
HIPAA can make those in charge of healthcare compliance nervous. Particularly when paired with the cultural obsession - yes, we said it, obsession - with social media. Just like the title said, this coupling is not a match made in Heaven.
In fact, a health care business needs to stay at the top of their game when it comes to social media. Corporate branding, specialty treatments, doctors and staff, hospitals, patient care - you name it, the public has an insatiable need to know. And to compete and succeed in today’s business marketplace, healthcare businesses have to be online. Here we are, after all!
On top of that, there are Facebook and Twitter and Google plus pages where users - that’s your patients - and staff can leave comments. Every comment, every question is a potential HIPAA violation in the making. This is a slippery slope of social media to traverse. You need the exposure and you can be wary of it too, where HIPAA compliance is concerned. Pick your potential poison: Linked In? Google +, Twitter, Facebook, Instagram?
Who Uses Social Media?
Here’s the social media skinny: close to ninety percent of doctors and other medical staff use at least one social media outlet for personal use, and sixty-five plus percent employ such sites professionally. Much potential for business, for positive patient-doctor interactions, for establishing patient communities. But also much potential for it to all go awry.
Everyone knows that HIPAA violations can be costly indeed. Fines. Repairing damage. Even possible prison sentences loom. And yet we still have situations where a nurse posts a patient’s picture on Facebook, or a doctor delineates his treatment process through tweets. Instagram photos of wounds? Invading privacy on dating sites? Facebook status report on a long and grueling day with details included?
Not only are these instances examples of bad decisions, decisions that caused law suits, job loss, and more - they are also examples of instances in which an employer is also liable for employee conduct. Responsibility extends a very large net. An employer could indeed be liable for health information disclosures via social media.
It’s vital to prevent these situations from occurring in the first place, but how?
Establishing Social Media Policy
At MedTrainer, we can help you establish a proactive social media policy that’s realistic and effective. Managing social media is key, and setting up rules to follow that are reasonable and firm is all a part of that process. That very necessary process.
Of course establishing that policy is not an end in and of itself. You also have to get the news to your staff and employees, and make sure they acknowledge it’s existence.
Notify employees, and make sure they notify you that they’ve read the policy. Make sure they know that personal accounts are every bit as much of a liability as if they post on the company website or Facebook page. Social media has effectively blurred all personal and professional boundaries. Just noting the location of one’s workplace can lead all too easily to some type of HIPAA violation. Training your employees to avoid this possibility is vital. And once again, MedTrainer is on the forefront of establishing and illuminating policies that reflect this need.
Remember, employees are going to be on social media no matter what you do. It’s a lifestyle. But effectively managing their social media interactions means adaptation. Adapt your business. Train your employees. Specialized health care social media training will save you time, money, and the possibility of social media compliance catastrophe.
It’s also very important to be aware of where the risks lie for your health care facility. Keep track of potential areas for violation. Establish an automated program that helps you manage and monitor your online presence and that of employees. It’s not hard - but it takes planning and organization. And it’s worth the time invested.
With tracking in place, you can view, monitor, respond and react intelligently before a problem occurs or gets out of hand. Policy on social media comes first, followed by training staff, and utilizing appropriate monitoring systems. Social media has changed the way the world communicates. You need to change the way your personal world of health care communicates to keep up with this transition.
Don’t think social media isn’t a monster of a phenomenon with the potential to be a monster of a problem. Note that Facebook includes 800 million active users, LinkedIn, over 135 million members, Twitter trends occupying news feeds world wide. Your employees social networking can and will create legal issues unless you design and implement polices that are appropriate regarding social networking use.
Whether you’re a doctor, dentist, pharmacist, or veterinarian your practice is at risk for HIPAA violation in ways you couldn’t have imagined ten, even five years ago. Processing, storing, handling private data is always a risk. Today it’s a risk with worldwide exposure as a potential downside.
Since you very well can be made liable for the conduct of staff while your employees are within the scope of your employment, you know what’s coming next with HIPAA violations. You can be held liable for an employee’s disclosure.
We said it before, but we’ll say it again, the way to prevent this costly, time consuming, and legally nightmarish occurrence is to establish rules, disseminate them, make sure they are read, and make sure they’re complied with. Sounds basic? Or does it sound overwhelming? Probably some of both!
Covered Entities = You!
But working now to educate employees and enforce rules will help prevent future heartaches and headaches. Remember, employers that serve as “covered entities” through HIPAA guidelines will face direct liability for the acts of their workforce. Are you a covered entity? Likely yes, as this refers to health-care providers and health plans, employees, volunteers, trainees, and contractors.
As such you and all of these individuals are expressly prohibited from using or disclosing identifiable health information - without a written consent from the individuals to whom that personal health information concerns. And even such authorization is received, that doesn’t make you bullet proof. It must contain language that specifically complies with HIPAA.
Let’s look at some examples. There’s the classic pitfall of personal social media pages discussing their work day - and including health care they’ve performed or witnessed that even without naming names can be expressly related to a specific patient. Postings of this nature would have to be very general indeed not to be suspect.
Make sure employees know - and you know - that omitting the name of a patient is absolutely NOT a guarantee that the patient can’t be identified. A unique situation, the date of a situation, the location of a situation - all of these can lead to HIPAA violations with identification of that patient.
In certain cases even limited disclosure of information can lead to the pursuit of the actual names of patients by news sources or personal acquaintances which lead at the very least to charges of negligence that pose a threat to health care facilities in terms of legal action, financial action, and reputation.
It isn’t just about money - although that can be onerous enough. There can be sanctions that go beyond massive civil penalties and damages, and that reputation thing? Very costly. Would you personally trust someone with your care if they had, however inadvertently, exposed your private healthcare to the world?
While few people laugh off these possibilities, sometimes employees and employers themselves don’t take this potential situation seriously enough. And yet avoiding the very premise of such a situation is so important.
At MedTrainer we know that you can navigate these treacherous social media waters only by creating and distributing clear company policy about social networking and HIPAA.
You must absolutely extend your compliance rules regarding social networking explicitly. Identify and call out sites such as Facebook, Twitter, and more. Address blogging. Emphasize that both on duty and off duty social networking can be potentially damaging. Profess professionalism, include examples.
And if you don’t have the time to implement these policies yourself, get help. At MedTrainer we can provide assistance that can prevent costly fines, legal ramifications, and your working reputation. We can help you enforce employee access and acknowledgment of these policies.
The only solution to the unhealthy entwining of social networking and HIPPA guidelines and regulations is a clearly defined and successfully disseminated policy about compliance both on and off the job.
Social network this: share a blog, save a practice!