Communication today is quicker and more convenient than at any time in history. While many people think nothing of frequently texting and posting to social media, those in healthcare professions have a legal and moral obligation to communicate in a way that doesn’t compromise Protected Health Information (PHI). Failing to do so puts them at risk of harm to their reputation and can also lead to a U.S. Department of Health and Human Services (HHS) investigation that could result in substantial fines for violating the Health Insurance Portability and Accountability Act (HIPAA).
“Using the SMS (Short Message Service) texting application on mobile phones is the most common way healthcare providers could potentially violate HIPAA, without even realizing it,” said Loretta Duncan, FACMPE, senior medical practice consultant, SVMIC, Little Rock.
SMS texting has replaced the days of pagers and is much easier and quicker than talking on the phone. But Duncan said there are several issues regarding texting from a HIPAA standpoint, one being the lack of authentication of the individual receiving the PHI in the text. The HIPAA Security Rule requires that covered entities authenticate that individuals receiving PHI are truly authorized to have access to that information.
Healthcare providers and staff may think this isn’t an issue when they are texting colleagues since they probably have each other’s cell phone number stored in their phone. They may even know that the message has been received if the recipient (for example, the physician) has her read receipts turned on.
“Unfortunately, all that tells the sender is that the physician’s phone received the message,” she said. “What the sender doesn’t know is if anyone else has access to the phone or if the physician has a password on the phone. You don’t know if the phone is locked or if a text message with PHI is viewable on the locked screen. If the physician is at dinner with friends, and the message is viewed by someone unauthorized to view it, then there is a potential breach.”
Duncan highly recommends secure messaging applications that allow communication about patients without risk of HIPAA violations. Some other alternatives to texting include a patient portal, encrypted email and secure messaging.
Neither email nor text messaging is specifically prohibited by HIPAA. However, the HIPAA Security Rule requires appropriate physical, administrative and technical safeguards for all electronic PHI, including PHI contained in a text message. Also, any device (laptops, smartphones, tablets, USB drives, external hard drives, etc.) used to create, store, transmit or receive PHI must be included in a security risk analysis.
Encryption is not a requirement of the security rule.
“However, PHI that is encrypted is considered secure by HHS,” Duncan said. “We recommend that you consult an IT professional to implement encryption, which is really the best practice at this point in time. It also helps to educate your workforce on how/when to use encrypted email. Teaching patients and staff what is appropriate to relay in an email and how to safely use email as a means of communication is important. Of course, never use free/personal email for transmitting PHI as this can also lead to potential HIPAA violations.
“The goal truly is to protect patient information to the best of the healthcare provider’s ability. The security rule is scalable, meaning that a large organization may have different safeguards in place than a solo practitioner. This allows each organization to put the safeguards in place that are best for their practice. Following what is laid out and required by the security rule will significantly reduce the risk of a potential breach of PHI.”
However, even when appropriate security measures are in place, a breach may still occur. If the breach leads to an investigation by the HHS Office for Civil Rights (OCR), Duncan said, investigators determining any corrective action, civil monetary penalties or settlements will take into consideration whether, and to what extent, the healthcare provider was in compliance with the rules. They also take into consideration the size of the organization.
Some of the largest companies in the world (like Yahoo) have been victims of hacking, which potentially exposed the private information of hundreds of millions of customers. Healthcare is not immune from the hacker epidemic.
“Even large hospitals and health plans are being hacked, and ransomware is another concern,” Duncan said. “Ransomware is basically when a third party takes your data and holds it until you pay them for it. Hackers are getting more sophisticated, and the security rule provides a framework to follow for healthcare providers to secure their PHI. It takes time, effort and money to be compliant with HIPAA, but we must recognize compliance is a cost of doing business today.”
While texting is the breach Duncan has seen most frequently, social media comes in a close second. If a healthcare provider has a social or electronic media presence, such as a practice website or Facebook page, they are required to have their Notice of Privacy Practices prominently displayed on that website. And, while it can be awkward to turn down a patient’s “friend” request on Facebook, Duncan recommends keeping your Facebook profile private and not “friending” patients. If you do, she can practically guarantee a patient will ask for medical advice on Facebook.
“It is very unwise to provide treatment advice through Facebook,” Duncan said. “If patients are trying to get through to you on Facebook because it is difficult to get through to the office, perhaps take a look at your practice to ensure patients have better access through appropriate channels.”
Healthcare providers and their staff should never post information about patients, even if they don’t include their name, without an authorization signed by the patient.
“Unfortunately, this does happen,” Duncan said. “I’ve heard from practices who have had staff take photos of a patient and post them online or simply comment about patients they saw in the office. This is a slippery slope, so we recommend that healthcare providers have a social media policy in place prohibiting providers and staff from posting ANY information about patients.”
Healthcare providers can also get into hot water with other types of personal posts that might not portray the provider in the best light.
“Physicians must recognize that actions online and content posted may negatively affect their reputations among patients and colleagues, may have consequences for their medical careers (particularly for physicians-in-training and medical students) and can undermine public trust in the medical profession,” states the American Medical Association Code of Ethics: Reputation Management.
For more information, go online to:
Joint Commissions Perspectives, Update: Texting Orders
U.S. Department of Health and Human Services, Health Information Privacy
AMA Guidelines for Patient-Physician Electronic Mail H-478-997