Walking The Social Media Tightrope
Understanding the Risks That Surround Social Media
May 26, 2011

Presented by: Barry S. Herrin, JD, CHPS, FACHE
Smith Moore Leatherwood LLP
P: 877-404-7466 x1027
barry.herrin@smithmoorelaw.com

Presented by: Terrill Johnson Harris, JD
Smith Moore Leatherwood LLP
P: 336-378-5383
terri.harris@smithmoorelaw.com

To ask a question during the presentation, click the Q&A menu at the top of this window, type your question in the Q&A text box, and then click “Ask.” After you click Ask, the button name will change to “Edit.” Questions will be queued and most will be answered at the end of the meeting as time allows.
Health Care Provider’s Gambit
Walking the line between:
• Poor bedside manners
• Appropriate, in-person social pleasantries
• The online world of social media
Stats
• Facebook
  • Now has 500 million users
  • Is the most visited site on the Internet
  • Average Facebook user has 130 “friends”
  • Each month the site accumulates more than 20 billion bits of information and 3 billion photos
Stats
• Facebook’s “Gifting Theory”
  • When participants consensually contribute their social and personal data to the electronic storage system, they freely consent to provide the data.
  • Social networking provides a radically transparent Internet experience where nothing is confidential…
  • Or is it?
PHI – Protected Health Information
• Health care providers have a continuing obligation to protect PHI both during and following treatment of a patient.
• This obligation is not negated by a patient’s own disclosure of their condition to an online audience through any media available.
HIPAA
• The HIPAA Privacy Rule provides federal protections for PHI held by covered entities and gives patients an array of rights with respect to that information.
• At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes – RELEASES TO SOCIAL MEDIA SITES ARE NOT AMONG THEM.
• The HIPAA Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to ensure the confidentiality, integrity, and availability of electronic protected health information.
Facebook, MySpace, LinkedIn
• Health care provider creates a social media profile
  • As a corporation
  • As an individual professional
• Provider and patient encouraged to “friend” one another
• Such registering appears to be within the societal norm
• But may be fraught with danger…
Facebook, MySpace, LinkedIn
• Depending on the platform/security, the public at large
  • May be able to determine the identity of online friends
  • Could reasonably infer that the person is a patient of the provider
• This assumption may create a violation of a person’s privacy rights
Facebook, MySpace, LinkedIn
• The mere existence of a physician/patient relationship can be considered PHI:
  • Mental health treatment
  • Substance abuse treatment
  • Sensitive treatment (abortion, impotence, cancer, etc.)
Blogging
• Blogging by patients often includes details of medical conditions and treatments
  • www.caringbridge.org
  • www.carepages.com
• Patients may not understand or appreciate the potential for unauthorized disclosure and should be notified regarding security limitations for these blogs if the agency suggests using such blogs.
Blogging
• A naïve healthcare provider may assume that posting on these blogs means the patient is waiving his or her right to have their provider safeguard the privacy of their PHI, and so replies or discusses the condition and procedure.
• This assumption and online response violate the patient’s privacy rights under HIPAA.
Advanced Camera Technology and Privacy
• Ease of snapping photos, uploading, and viewing increases with every new device invented.
• We rarely question posing for or posting a photo online.
• Health care facilities and providers, however,
  • must guard against posting any picture of a patient
    • during treatment (even at home)
    • inside a health care facility
Advanced Camera Technology and Privacy
• Photos of patients during treatment
  • constitute an invasion of privacy
  • could be protected health information under HIPAA
• Imperative that written policies regarding the use of all cameras, especially cell phone and PDA cameras, are adopted and enforced
Advanced Camera Technology and Privacy
• Illustration
  • A hospice nurse has treated a patient for a long time and the two become good friends.
  • They have their picture taken together at the patient’s home.
  • The patient passes away.
  • The grieving nurse posts the picture online through a social media account and indicates that she is saddened by the loss of her “favorite patient”.
Advanced Camera Technology and Privacy
• Her online expression is perfectly normal for a human being
• But completely inappropriate in a professional relationship between patient and provider
Advanced Camera Technology and Privacy
• The nurse’s innocent post could constitute
  • A violation of HIPAA (even without name being used) if any other PHI is included such as
    • Date of death
    • Cause of death
    • Fact about nature of treatment
Advanced Camera Technology and Privacy
• Study performed at the University of Florida in 2007 and 2009 of all medical students and residents to determine
  • who had Facebook profiles
  • and to scan them to determine how many contained representations of protected health information, such as portrayals of people (either in text or pictures), names, dates, or descriptions of procedures.
Advanced Camera Technology and Privacy
• Almost half of all eligible students and residents had Facebook profiles (49.8%).
• There were 12 instances of potential patient violations, in which students and residents posted photographs of care they provided to individuals.
Advanced Camera Technology and Privacy
• Photographs included trainees interacting with identifiable patients, all children, or performing medical examinations or procedures such as vaccinations of children.
• While students and residents in this study are posting photographs that are potentially violations of patient privacy, they only seem to make this lapse in the setting of medical mission trips.
Advanced Camera Technology and Privacy
• The recommendation was that all trainees need to learn to equate standards of patient privacy in all medical contexts using both legal and ethical arguments to maintain the highest professional principles.
Advanced Camera Technology and Privacy
• Three practical guidelines were suggested:
  • A legal resource for physicians traveling on medical mission trips, such as an online list of local laws or a telephone legal contact, should be established.
  • Institutions that organize medical mission trips should plan an ethics seminar prior to the departure on any trip because the legal and ethical implications may not be intuitive.
  • At a minimum, traveling physicians should apply the strictest legal standard to any situation.
Advanced Camera Technology and Privacy
• Ramifications for health care professionals:
  • Many employee suspensions or firings after unauthorized release of patient photos
    • Chief Resident of General Surgery, Mayo Clinic
  • Firings also related to inappropriate comments or complaints about employer or patients, which can result in loss of future job opportunities (25-75% of employers check social networking sites in hiring process)
Advanced Camera Technology and Privacy
• Some facilities have banned the use of any cell phones or laptops under any circumstance by staff or patients.
  • difficult to enforce
  • may be counterproductive
• Others require completion of a form stating that photos will be taken of family members only.
Advanced Camera Technology and Privacy
• Other safeguards against privacy violations:
  • Conspicuously posted signs clearly stating bans or limitations on cell phone or camera usage within facilities so that staff, volunteers and patients are all aware
  • Training regarding privacy and improper usage
Advanced Camera Technology and Privacy
• The inconvenience of safeguards is real
• As are the potential costs of violations
• Patients may file complaints about privacy violations with the Office for Civil Rights within the Department of Health and Human Services
Avoid Violations
• Providers should avoid violating a patient’s PHI when participating in social media by, at a minimum, requiring potential online patient/friends to agree to a written statement indicating that they have read an online disclosure BEFORE an online “friendship” can be started.
• Do not comment online without a patient’s express written authorization to do so.
Avoid Violations
• HIPAA violations are inevitable unless health care providers
  • Implement and enforce detailed social networking policies
  • Manage patient privacy expectations
  • Integrate those policies with their human resources disciplinary policies
HR Policies Regarding Social Networking
• Scrutinize policies regarding the use of e-mail, laptops, and handheld devices to transmit or store PHI
• Company policies should address topics including
  • Definition of “social networking”
  • Productivity
  • “Social notworking”
  • No right to privacy and monitoring
  • Make clear that computer activity may be viewed without their consent
HR Policies Regarding Social Networking
• Identity of user and disclaimers
• Confidentiality
• Harassment/Discrimination
• Recommendations
• Social networking outside of work
• Discipline
• Employer Usage
Penalties
• Four new penalty tiers were implemented, effective November 30, 2009
• For violations occurring on or after February 18, 2010:
  • CMPs ranging from $100 to $50,000 per violation, up to $1.5 million for identical violations occurring during a calendar year, where the entity did not and, by exercising reasonable diligence, would not have known that a violation occurred
Penalties
• CMPs ranging from $1,000 to $50,000 per violation, up to $1.5 million for identical violations occurring during a calendar year, where the violation was due to “reasonable cause” and not willful neglect
  • Reasonable cause: “circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply”
Penalties
• CMPs ranging from $10,000 to $50,000 per violation, up to $1.5 million for identical violations occurring during a calendar year, where the violation was due to willful neglect and was corrected during the 30 day period following the date the covered entity knew or should have known the violation occurred
Penalties
• CMPs of at least $50,000 per violation, up to $1.5 million for identical violations occurring during a calendar year, where the violation was due to willful neglect and was not corrected during the 30 day period following the date the covered entity knew or should have known the violation occurred
Penalties
• Penalties may be avoided if the entity can demonstrate:
  • Violation is the result of a knowing, criminal act by an individual that is punishable under 42 U.S.C. § 1320d-6, or
  • Violation is not due to willful neglect and was corrected within the 30 days following discovery or such additional period as the Secretary deems appropriate
Penalties
• Secretary may waive an imposed CMP if the CMP would be excessive if the violation was due to “reasonable cause,” even where the violation was not corrected during the 30 day period following discovery or other period deemed appropriate by the Secretary.
Contact Information

Barry S. Herrin, JD, CHPS, FACHE
404-962-1027
877-404-7466 x1027
barry.herrin@smithmoorelaw.com
www.legalhimformation.com
www.healthcarelawnote.com

Terrill Johnson Harris, JD
336-378-5383
terri.harris@smithmoorelaw.com