Protect Your Assets with a Social Media Policy
Even if your organization avoids social media, your staff may be a HIPAA liability.
Inappropriate use of social media can cause HIPAA violations, even if your company has avoided an official presence on popular social media venues (e.g., Twitter, Facebook, etc.). Despite company efforts to avoid social media, if your staff is on it actively, you have reason to be concerned. Staff members using social media in the office or discussing work online could subject your practice to a HIPAA security breach or, even worse, a fine or a lawsuit.
Social Media Basics
Social media tools allow people to share information, photographs, and videos on the Internet. Often, you’ll hear of posts “going viral,” meaning the post is being seen and spread by tens of thousands of individuals, if not millions. Even if a post doesn’t go viral, once something has been posted on social media, it’s nearly impossible to delete it before other users download it and share it with their friends and followers.
“Selfies” — photos of yourself taken with a smartphone and posted to a social media site — are all the rage. People snap selfies while they’re stuck in traffic, after a new haircut, all dressed up for a night on the town, holding a baby, flexing in a mirror … and even at the office. While the social significance of these posts can be debated, healthcare employers are rightly concerned with the office selfie.
Selfie Backgrounds May Violate HIPAA
Concerns with office selfies stem from the high-resolution cameras that smartphones now feature and from everything that is captured in the full image. If a photo is uploaded to social media and saved in its original, high-resolution format, the poster’s friends and the public can view the photo at that full resolution. These high-quality images make it simple for anyone to clearly see the selfie-taker, as well as all the information in the background of the photo.
For example, Figure 1 shows Trish, a volleyball coach at Fordham University, who had her conference’s standings written on the whiteboard in the background over her left shoulder. While the whiteboard is over 15 feet away from her desk, her iPhone picked up the writing quite easily, as shown in Figure 2. What if this was your office and the whiteboard contained patient information or other sensitive data?
HIPAA Privacy Violation Examples
Here are a few real examples of selfies and social media postings that should not have been taken or posted:
Joan Rivers’ physician allegedly took a selfie in the procedure room while Rivers was under anesthesia, leading to questions about the physician’s professionalism and competency.
An off-duty employee of Spectrum Health Systems took a photo of an attractive woman in the emergency room and posted it on Facebook. He was fired, along with all of the employees who “liked” the post.
An emergency room technician at Abington Health was posting patient information and X-rays to Twitter. She was fired.
Implement Social Media Policy
Medical practices would do well to adopt a Social Media Policy. Recommended core components are:
Think Before Posting: After something is posted on the Internet, it’s no longer within your control. Even if you delete it later, it may still be available via an electronic medium and will have your name attached to it. Please consider the consequences of such communication and understand that you are responsible for what you post.
Privacy Concerns: Governed by HIPAA, staff is obligated to guard against the exposure of protected health information (PHI). Posts to social media should never contain confidential company data, including PHI.
Monitor Activity: The practice has the right to monitor unauthorized disclosure of information, as well as postings that may affect the reputation of the company.
Respect Company Time and Property: Company computers and the time you spend on them are paid for by and are for the benefit of the company. Use of this equipment for social media activity is to be treated as any other use of equipment, such as telephones and/or email.
Reporting: All employees are to immediately report any violations, or possible or perceived violations, of this policy to their supervisor.
Discipline: The organization will investigate and respond to all reports of violations of the Social Media Policy and other related policies. Violation of this policy may result in disciplinary action up to and including termination.
For more information on the Security Rule and the HITECH Act, and for a complimentary Social Media Policy, visit: www.HIPAASecurityHelp.com.
Brian Shrift, CISSP, HCISPP, is president and founder of Precision Business Solutions, which brings information technology solutions to clients throughout west-central Pennsylvania. He obtained Certified Information Systems Security Professional (CISSP) and HealthCare Information Security and Privacy Practitioner (HCISPP) certifications to better meet the needs of clients in the healthcare industry. His guidance and initiative drive Precision Business Solutions to develop a more simplified and sure-fire process for helping healthcare clients become HIPAA Security Rule compliant.