3/17/2015
#HIPAAandBEYOND: Legal Issues in Social Media
CAREEN MARTIN
ATTORNEY
NILAN JOHNSON LEWIS PA
MINNEAPOLIS, MINNESOTA
Overview
Understanding social media
Social Media Pros
Don’t Ban it But Respect It: Legal Risks
Why your Social Media Policy Is Not Sufficient
Myths
NLRB
Patient Complaints on Social Media
Other Policy Considerations
Policy Checklist
Practice Round: HIPAA Violation or Not?
Social Media Defined
Websites and applications that enable users to create and share content or to participate in social networking
To the uninitiated, frequent communication about the mundane seems silly, but:
New norm – internet users spend more time on social media sites than any other
More powerful than traditional communication
instantaneous
reaches millions world-wide
constant
Mobile
Examples of Social Media
Facebook: Facebook is a free social networking website that allows registered users to create profiles, upload photos and video, send messages and keep in touch
Wall posts
Different levels of publication and engagement per settings
Depending on privacy settings, may be available on web
Blogs
A blog is a web site on which someone writes about personal opinions, stories, activities, and experiences (e.g. Caring Bridge)
Includes “Members only” discussions, which aren’t really
Twitter is a free social networking microblogging service that allows registered members to broadcast short update posts called tweets.
140 Characters or less
Followers choose you
Public and searchable
Instagram is an online mobile photo-sharing, video-sharing and social networking service that enables its users to take pictures and videos, and share them on a variety of social networking platforms, such as Facebook, Twitter, Tumblr and Flickr.
Snapchat
Snapchat uses the device's camera to capture Snaps to send them. The app allows the sender to draw or insert text on the Snap and determine how many seconds (1-10) the recipient can view it before the file disappears from the recipient's device.
Who’s Using It?
77 percent of workers have a FB account and nearly 2/3 of those employees access their accounts during work hours
90% of physicians use at least one site for personal use and over 65% for professional purposes
Social Media Pros
Communicate with patients as customers and engage them where they sit
Patients connect with other people suffering from the same illness or condition (Patientslikeme)
Patients can share information and experiences
Improved results because of better informed patients
Increased productivity due to patient knowledge
More patient/provider interaction
Instantaneous communication in emergency situations, such as drug recall
Growing your business
Physicians can share insights about medicine and specific cases at Sermo, online doctors’ lounge
Young consumers prefer businesses with social media presence; how they communicate
Don’t Ban It
It’s here to stay
Protect your reputation and control what is being said
Employees
Patients
Your employees are already using it
Mitigate the risk
Legal Risks
HIPAA
Employers that are Covered Entities face direct liability for the acts of any member of their workforce that violates the HIPAA privacy and security regulations
Includes employees, volunteers, trainees, any other person whose conduct is under the direct control of the Covered Entity, whether or not paid by the Covered Entity
Liability under HIPAA ($1.5 million per year)
State Attorneys General
PROTECTED HEALTH INFORMATION (PHI) DEFINED
Information
That is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
Identifies
That identifies the individual; or
With respect to which there is a reasonable basis to believe the information can be used to identify the individual
Transmitted Electronically
Legal Risks Beyond HIPAA
Not technically a HIPAA violation . . .
But may violate your social media policy
State privacy laws
Yath vs. Fairview Clinics, et al.
Does your state require written consent?
Private cause of action
Employers liable for the conduct of employees acting within the scope of employment
Publication of private facts
Negligence
Breach of duty of confidentiality
Defamation
Legal Risks Beyond HIPAA
Reputational threat for the organization
Professional licensure issues for the health professionals
Doctor who treats a patient over social media
Professional boundaries: patients initiating contact blurs lines
Licensing Board (unprofessional conduct)
Evidence in malpractice suits
Why Your Social Media Policy Is Not Sufficient
Majority of publicized social media HIPAA violations take place on personal Facebook and Twitter
The majority of violations do not involve clear cut bad actors
The road to hell is paved with good intentions
Birthday cake example
Proud providers example
Venting after a long day
Everyone has a camera and uses it
Comments – the original post is not a problem, but the comments could be
Mitigate the Risk
Your employees are already on social media
Go beyond “do not use” in your policies and training
Understand the nature and purpose of social media: to share
Pause before posting
The J.T. rules #1 and #2
Understand the technology and platform
DM and IM
Privacy settings
Do not post anything you don’t want to see on the front page of the newspaper
Address Social Media Myths (the gray area) . . .
Social Media Myths
Myth: It’s Private
Reality: Once it’s on the internet, nothing is private
Privacy settings matter
Sharing and retweeting
Commenting
Twitter @ and .
FB wall
Social Media Myths
Myth: It’s okay if I don’t use a name (or I de-identify)
Reality: Even without a name it may be a HIPAA violation
Can someone piece it together and identify the patient?
De-identified isn’t always de-identified
Posting a de-identified picture might not be a HIPAA violation, but that doesn’t mean it’s a good idea
Amputated leg example
Social Media Myths
Myth: I Can Delete It
Reality: Nothing is Ever Truly Deleted
Screen shots
Twitter Trolls
Social Media Myths
Myth: The patient posted PHI first, so it’s okay
Reality: Still a potential HIPAA violation
Difference between patient disclosing and provider disclosing
UCLA hospital banned cellphones when a patient posted a group picture
Followed incident involving employees accessing Britney Spears EHR
Beware the comment on the patient or friend post
What do you gain?
Patient Complaints
HIPAA Privacy Rule: even if a patient publicly discloses PHI, a provider may violate it by disclosing the same information
Wall posts
No control over who posts on your wall
Employees should not respond to patient complaints
Policy should provide a pre-scripted response to patient complaints reiterating compassion, privacy, and instructing the patient how to submit a private message.
Other Considerations for your Social Media Policy
National Labor Relations Board (NLRB) active with respect to employee rights and social media policies
NLRB guidance on whether employee social media use constitutes protected “concerted activity” or unprotected “individual griping”
NLRB guidance on social media policies - employer must include specific examples of illegal or unprotected conduct in its policy to prevent the policy from being unlawfully overbroad under the NLRA
Report of Acting Gen. Counsel Concerning Social Media Cases, OM 12-59 (May 30, 2012)
Checklist for Social Media Policy
Extend existing compliance policies to explicitly include the use of social networking sites and other Internet activities
Apply to both on and off-duty social media conduct
Emphasize professional behavior
Include specific examples
Emphasize how even small seemingly innocuous disclosures can constitute a violation
Distribute social networking policies and reminders
Employees must sign a written acknowledgement of Social Media Policy
The policy should contain wording so as to apply to current and future social media platforms
Remind employees that even if the patient is not identified by name or by the medical record number the information the employee discloses may identify that patient
Practice Round: HIPAA Violation or Not?
HIPAA Violation or Not?
60 year old man admitted to the ER with stab wounds and slit throat. Reportedly hospital staff take photographs of the dying man and post them to Facebook.
HIPAA Violation or Not?
Nurses began using Facebook to provide unauthorized shift change updates to coworkers. They did not use patient names, but used enough specifics about patients so that incoming nurses could prepare for shift.
HIPAA Violation or Not?
Nursing student posted a photo showing her posing, smiling, over a placenta in a plastic tray, while holding up the umbilical cord in her gloved hand.
HIPAA Violation or Not?
Facebook post: “Ever have one of those days where you'd like to slap the ever loving bat snot out of a patient who is just being a jerk because they can? Nurses shouldn't have to take abuse from you just because you are sick. In fact, it makes me less motivated to make sure your call light gets answered every time when I know that the minute I step into the room I'll be greeted by a deluge of insults.”
HIPAA Violation or Not?
Local newspaper publishes a story about patient’s courageous battle overcoming cancer. Physician tweets the link and states “So proud to be a part of this miracle.”
HIPAA Violation or Not?
EMT on Facebook: “Three weeks ago I took a lady our age to the hospital after being raped at knife point, by a caucasion [sic] male of average build. The eerie thing here is that we took a female cop with us to the hospital and the victim could only keep stating on [sic] how green her assailant’s eyes were when asked to describe him. This took place at approximately [address] . . . Additionally her description was very detailed considering the horrible event. Black ski mask, two pairs of gloves, very yellow teeth, whispered all commands, smelled of bourbon and cigarettes . . .”
HIPAA Violation or Not?
Emergency Room nurse reposts photo of a messy but empty trauma room that had been used to treat a man hit by a New York subway and posted it with the caption “#Man vs 6 Train.”
No patient in the room, no identifiable information. Reposted from someone else’s Instagram
HIPAA Violation or Not?
As a licensed practical nurse for more than 20 years, Bob knew the importance of safeguarding a patient’s privacy and confidentiality. One day, he used his personal cell phone to take photos of Claire, a resident in the group home where he worked. Bob received permission from Claire’s brother to take the photo since she was unable to give consent due to her mental and physical condition. That evening, Bob ran into William, a former employee of the group home. While catching up, he showed William the photo of Claire and discussed her condition with him.
HIPAA Violation or Not?
Twitter Post: “So I have a patient who has chosen to either no-show or be late (sometimes hours) for all of her prenatal visits, ultrasounds, and NSTs. She is now three hours late for her induction. May I show up late for her delivery?”