It was not that long ago when an employee at the University of Cincinnati Medical Center was fired for posting a patient's protected health information (PHI) on Facebook. The employee had posted a screenshot of a patient's medical record showing her name and her diagnosis of syphilis.
The employee posted the screenshot of the medical record in a closed-member Facebook group. Even though the employee thought she was sharing the information in a closed group, the information quickly became public. Not that it matters whether she posted in a closed group or as a public post: either way, the disclosure is a breach.
While this is an obvious example of a HIPAA breach, and an obvious no-no, it does provide us with a good example of why PHI should not be shared on social media unless you are authorized to do so. And as we have mentioned in a previous article, if you wouldn't say your comment in public, then don't put it on social media. If there is any doubt at all about a certain post, picture, or comment, then check with your compliance officer or even a colleague before publishing.
Below are 5 additional tips to consider prior to posting on social media sites:
1. Know the difference between personal and professional use.
Personal use of social media is often referred to as use of an account that is registered to an individual and is not used for business purposes. Professional use is generally using social media for approved business purposes on behalf of an account registered to an organization, practice, or provider. You may have language in place in a social media policy that states whether personal use of social media is permitted during business hours. Your policy may also explain the professional use of social media on behalf of the organization, practice, or provider. In other words, who should post, who should update, what should be posted, etc.
2. Understand if there are any risks involved with what you are about to post.
Whether you are posting on your personal account or on a professional account, it is important to understand if there are any risks. For example, if you post something, there may be a risk of receiving negative feedback from the public. Or there may be a risk of sharing proprietary information or content that could get into the hands of someone with malicious intent. Some tips to mitigate risk include posting accurate information, respectfully disagreeing with negative comments, etc.
3. Do not post any PHI without authorization! Even then, be extremely cautious.
Imagine a patient asks you to take a photo with him. You decide it is a cute photo, so you post it to Facebook. If you have authorization from the patient, there wouldn't be an issue under HIPAA. If you do not have the authorization, it would be considered a breach under HIPAA. Therefore, when photos or patient information will be used for purposes other than Treatment, Payment, and Operations (TPO), a valid HIPAA authorization must be obtained from the patient or the patient's legally authorized representative. This includes when posting on social media. When in doubt, check with your compliance officer before posting anything that could be considered PHI.
4. When posting a response to a question, use limited information and suggest another communication method.
If a patient asks you a question on a social media platform that could potentially lead to a disclosure of PHI, it would be best to suggest the patient contact you using another, more private form of communication. It is important to limit unnecessary or inappropriate access to and disclosure of PHI. Avoid accessing or discussing PHI that is not essential to the task at hand.
When posting on your personal social media account, if it is something you don't want the public to know or access, it is also a good idea to communicate using a private form of communication. This includes when sharing information in "private" groups.
5. Remember, communication on social media is powerful.
Just recently, the power of social media has been on full display. Social media allows for information to be communicated almost instantly to a broad audience and may be communicated throughout the world. Understand that when you work for a professional organization, what you post on your personal social media sites may potentially have an impact on your professional reputation. Before posting something, consider what impact, if any, what you are sharing could have on you or your organization.
If you have any questions, please feel free to reach us by phone toll-free at 855-427-0427 or send us an email at support@healthcarecompliancepros.com.