Protected Health Care Information: Privacy and Security and Social Networking
True Stories
Two nurses discuss a patient's care and protected health information ("PHI") on Facebook.
Two certified nursing assistants discuss the frustrations they have in caring for a patient on Facebook.
On Yellowpages.com, an unhappy nurse pretends that she is a patient and blasts the Director of Nursing by falsely accusing the Director of being an alcoholic.
An employee posts reviews on Yahoo claiming that the nursing home puts profits over quality of care.
A physician "tweets" colleagues about surgical cases.
Social Networking
Every month there are hundreds of millions of visitors to Facebook, YouTube, Twitter
and LinkedIn, as well as instant messaging and Webmail. These communications are
called social networking. Social networking tools have enabled individuals to form
instantaneous connections, which are called communities, and enable the spreading
of PHI in a flash.
Risks
Privacy and security of PHI are too often an afterthought when it comes to social
networking opportunities. These social networking technologies usually do not
encrypt the electronic data. Encryption is usually in place for text messaging
within the same carrier network, but once the text messaging goes outside the
network, there is no longer any encryption protection. And of course, theft
through interception and illegal use of this data by third parties for their own
unlawful monetary gain is always a concern.
Additional Risks
Social networking can lead to PHI breaches and inappropriate disclosures of patient
information, as well as medical identity theft. Another risk is that there is no
audit trail, so if a problem does develop, there is no way to track the
communications and determine what happened, by whom, and what protective system
to put in place. As a result, social networking is a very risky communication
phenomenon: instant PHI sharing with minimal protections of privacy and
security. Smart phones have already changed the way we live: instant texting,
email and photographs can immediately be communicated to one or more individuals,
including immediate posting on the Internet. Health care providers are
struggling just to know what PHI is inappropriately disclosed between
clinicians, other employees within the provider and anyone outside of the
provider.
I recommend the following to help protect our patients' PHI from inappropriate
usage of social networking:
The consequences of not protecting our residents' PHI from
inappropriate social networking can be devastating: the HIPAA Privacy Rule and
Security Rule, as well as various state laws, all have consequences for unlawful
disclosure of PHI for both the provider and, in some situations, the individual
practitioner. The Health Information Technology for Economic and Clinical
Health (HITECH) Act has added to HIPAA protections and penalties, in particular
requiring business associates to have their own HIPAA programs. Aside from legal
repercussions, unlawful breaches of PHI through social networking can lead to
losses of reputation and trust within the community. We must educate our
employees and vendors as to the potential harm to all of us and especially to
our patients.
For further information go to www.barmak.com
