Breaking Compliance News Blog

Are your employees tweeting their way to a HIPAA violation?

Posted by Margaret Scavotto, JD, CHC on 3/2/14 3:25 AM


Like it or not, social media use in the workplace is inevitable. A report by SilkRoad Technology found that 75% of employees check personal social media at least once a day on their mobile devices during working hours, and 60% access it multiple times.

This report also found that almost half of employees use social media to connect with co-workers or customers.

Without education and policies from their employers, health care employees can get into trouble, putting their employers at risk of HIPAA penalties. For example:

  • Nurses working for a healthcare system used Facebook to share unauthorized shift changes with their co-workers. The nurses used Facebook as a convenient mode of communication; however, these shift changes were visible to the nurses’ Facebook friends. While no patient names were posted, the nurses posted patient details to help the incoming nurses prepare for the shift—that’s PHI.
  • A medical center employee tweeted the following to a public figure: “Schedule regular medical exams like everyone else instead of paying [medical center] employees over time to do it when clinics are usually closed.” This tweet publicly announced that the public figure was a patient of this provider.
  • A nurse posted a Facebook rant about an alleged “cop killer” she treated. Without using the patient’s name, she revealed enough details for the media to identify him—and where he was receiving treatment.

I doubt that any of the employees in the above examples knew they created HIPAA violations when they made these posts. Social media is such an integral part of the way we communicate that it can be hard to realize that informal communications can implicate HIPAA.

As social media is used more and more for both personal and work purposes, employee policies and training are crucial. Here are some tips to help your employees avoid social media gaffes that could cost them—and you—a HIPAA settlement:

  • Implement a social media policy that addresses both prohibited and permitted uses of social media. Social media can be a powerful tool for marketing and other work-related purposes; help your employees understand the difference between appropriate and inappropriate uses.
  • Make your social media policy apply to Facebook, Twitter, YouTube, blogs, etc.—both on and off duty.
  • Remind employees that information sent over social media is often unencrypted and unsecured. Plus, the privacy policies of Facebook and other social media sites give those sites the right to use all information posted for their own purposes.
  • Train, train, train. Illustrate how seemingly innocent postings can violate the law. Explain that omitting a patient’s name does not guarantee the patient can’t be identified. Use your newsletter to advance employees’ understanding of privacy issues.



Topics: HIPAA, Social Media
