It's no secret that the HIPAA hammer is here to stay. The HITECH Act of 2009 increased HIPAA penalties, and the Federal government has been doling them out liberally. As the use of social media expands, health care providers and their employees need to consider the consequences of posting information that could identify a patient. These consequences include penalties under HIPAA, privacy laws and even criminal laws...and making the headlines.
The line between public and private is thin
Social media gaffs run the gamut from malicious to ignorant. The following examples from news headlines reveal why providers should care what their employees are doing with their work computers, home computers and smart phones:
- A temporary staffer working at Providence Holy Cross Medical Center in Mission Hills, CA posted a photo of a medical record listing on Facebook and commented (rudely) on the patient's condition. The staffer believed this was appropriate because "It's just Facebook" and "I'll post what I want...."
- The NJ Attorney General's Medicaid Fraud Control Unit charged two SNF CNAs with invasion of privacy and conspiracy for posting a (humiliating) photo of a resident on Facebook.
- A New York City EMT posted a photo of a murder victim on his Facebook page.
- A paramedic posted information on his MySpace page about a rape victim he transported to the hospital. Although he didn't use the patient's name, he used enough detail for the media to locate the victim. The victim sued the EMT and his employer.
MPA TIPS for educating employees:
- Explain that omitting a patient's name does not guarantee that the patient cannot be identified.
- Remind employees that information sent over social media is often unencrypted-and unsecured. Plus, Facebook and other privacy policies give the social media site the right to use all information posted for their own purposes.
- Enforce a social media policy that applies to Facebook, Twitter, YouTube, blogs, etc.--both on and off duty.
- Illustrate how seemingly innocent postings can violate the law.
- Use your newsletter to advance employees' understanding of privacy issues.