Privacy Officers are spending more and more time conducting HIPAA breach analyses on employee social media posts. Here's 5 posts your Privacy Officer really does not want to see:
5. Anything with a photo of a patient. Anything.
The fact that someone is a patient is PHI. Unless that patient signs an authorization allowing their photo to be shared, this is risky territory when it comes to HIPAA and social media. With Instagram, Twitter, Facebook and smart phones, we are living in a world of pictures--and thus a world of potential HIPAA violations at work.
4. The well-meaning breach.
Happy birthday Millie! I love being your nurse!
Sadly, posts fueled by the best of intentions can still pose a HIPAA problem. Does Millie want the whole world knowing that she is a patient of this nurse? What if this nurse specializes in a certain illness--in that case, does Millie want the whole world knowing she has that illness?
3. The failed attempt at anonymity.
Treated a pregnant teen tonight for an overdose. So sad...
With the incredible connectivity and searchability that the internet brings, it is really hard to keep comments about health care truly anonymous. This is particularly true in smaller communities, and when sensitive facts or treatments are used.
2. The rant.
Alcoholic hockey players are so grumpy...
Much like the "anonymous" posts, PHI often leaks out when employees turn to the internet to rant. When patients are discussed--even indirectly--employers often find themselves researching a potential HIPAA breach.
1. The HIPAA problem AND the dignity problem.
Tired of cranky patients who argue with me over which shirt to wear!
These types of posts are horrifying not just to your Privacy Officer, but to your Compliance Officer as well. What if this patient, or a relative, saw this post? How would he or she feel about being seen as "cranky"? While this post might seem fairly benign, one can imagine statements with even more serious implications for patient dignity/resident rights.
What can we do?
Help your employees get it right:
- Implement a social media policy.
- Train employees to recognize PHI.
- Use examples. Help your team understand how seemingly innocent posts can violate HIPAA.
- Train some more! Keep HIPAA and social media top of mind.
- Encourage staff to report violations of the policy. This will allow you to research potential breaches and mitigate them swiftly.
Taking on the unstoppable world of social media might seem impossible. But it's better to help employees use it properly--and know when they aren't--than to cover our eyes and wait to hear it from the patients (or the media).