Data Breach, Education, HIPAA / HITECH Enforcement, Social Media, Tip of the Week

What do Facetime, Vine, Tango & Fring have in common? Simple sharing could mean dangerous data breach for healthcare providers

Technically astute healthcare providers are already aware of the mines in the minefield of social media, but nowadays even a simple video chat could blow up in a healthcare provider’s face. There are many new applications (apps) available for iPhones, Android phones, and tablets. These apps can make it easier for nurses and other healthcare staff to network, share news, and keep in touch. When it comes to specifics, however, healthcare providers should not use social media to share health information that could be linked to any individual patient – that includes names, pictures and physical descriptions – without the patient’s consent. The Health Insurance Portability and Accountability Act (HIPAA) and state privacy laws expressly protect individuals who are patients of healthcare providers.

There have been documented unprofessional postings, and reports of photos taken with mobile devices, that violate patient privacy. Such information, which can be linked to an individual person, may include names, pictures, or a physical description, all shared without the patient’s consent or knowledge. Beyond sharing specific information, many healthcare providers are probably aware of the potential risks of connecting with patients online, such as “friending” patients on Facebook or linking on LinkedIn. Generally, accepting such an online request does not constitute consent to share even a simple detail like acknowledging that the patient is a patient.

These precautions extend to the array of new apps for video chatting and sharing videos for free over WiFi connections, including Facetime, Vine, Tango, Fring and others, which nurses and others might be tempted to use not only for interacting socially with patients but for consultations. The warning in a word: Don’t.

A video – even without a face – could provide information that identifies a patient, and many WiFi connections are not secure and are at risk of being intercepted. Such a data breach would be a clear violation of HIPAA requirements. Vine, for example, is a mobile app from Twitter that allows users to capture and share short looping videos. Like Tweets, the brevity of Vine videos (6 seconds or less) inspires creativity, but they are entirely searchable and public. Tango allows users to share text messages, photos and videos with other users, and the privacy policy on Tango’s website clearly states:

“If you choose to do so your text messages, photos, videos and other communications will be stored on our servers. In addition, if you choose to share these items with other Tango users, we may not be able to remove them from our servers or make them unavailable to anyone you have shared them with. … By choosing to share that information, you should understand that you may no longer be able to control how that information is used and that it may become publicly available (depending in part on your actions or the actions of others with whom you have shared the information).”

However, if managed appropriately under a social media policy, technology is a great tool for patients, and for nurses in patient education. A mobile device can also be used to access the internet to research evidence-based practice and provide up-to-date nursing interventions. It is important to ensure professional boundaries are in place and within the scope of the state nurse practice act, company policy and procedure, state laws, and federal laws. The nurse must be accountable and reminded of the consequences, including jeopardizing their license.

Some social media tips for nurses and other healthcare professionals:

• Draw clear lines between interactions as a healthcare provider and those as a friend.
• Consider creating separate personal and professional social networking accounts.
• Do not share protected information using applications that could be compromised.
• Use secure internet connections for video chat and video sharing with patients.
• Even without a name or face, when posting a picture or video as information to others (i.e., “here’s what a suspicious mole looks like” on a fan page or “here’s how my patient’s skin condition presents” to a colleague), get the patient’s permission in writing.

This posting is sponsored by RISC Management & Consulting, http://www.RISCsecuriy.com
Have questions or concerns? RISC Management and Consulting can help. Contact us today.

References
Baker, D. (2013). Social networking and professional boundaries. AORN Journal, 97(5), 501-506. doi:10.1016/j.aorn.2013.03.001
Fringland Ltd. (2013). About Fring. Retrieved from http://m.fring.com/about
South University. (2013). The social media issue: Healthcare professionals and social networking. Retrieved from http://source.southuniversity.edu/healthcare-professionals-and-social-networking-33211.aspx
TangoMe Inc. (2013). Welcome: What is Tango? Retrieved from http://www.tango.me/how-to-tango/
Vine Labs Inc. (2013). Social networking: Vine description. Retrieved from https://itunes.apple.com/us/app/vine/id592447445?mt=8

Data Breach, Education, HIPAA / HITECH Enforcement, OCR HIPAA Audits, Social Media

Small healthcare provider pays huge security fine after the theft of an unencrypted laptop

If you think your organization is too small to attract the attention of the U.S. Department of Health and Human Services, think twice.
The department recently settled a security dispute with a hospice in Idaho for $50,000. The potential violation of the Security Rule of the Health Insurance Portability and Accountability Act of 1996 involved a data breach of health information affecting 441 patients.

The Hospice of North Idaho agreed to pay $50,000 to settle potential violations after an unencrypted laptop computer containing the electronic protected health information of the patients had been stolen in June 2010.
Field workers for the hospice use laptops containing patient information as a regular component of their workflow. An investigation by the Department of Health and Human Services’ Office for Civil Rights revealed that the hospice had not conducted a risk analysis to safeguard the electronic patient information and did not have policies or procedures to address mobile device security. The lack of a risk analysis has become a regular theme in the publicly available settlement agreements published by the OCR.
The HIPAA Security Rule and the HITECH Act data breach requirements mandate the existence of policies and the reporting of inappropriate or unauthorized access to PHI or ePHI, called breaches. The Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information affecting 500 individuals or more to the government and the media within 60 days after the discovery of the breach, or after the date the breach should have been discovered. Smaller breaches affecting fewer than 500 individuals must be reported to the Secretary of Health and Human Services on an annual basis.
“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information,” Office for Civil Rights Director Leon Rodriguez said in a press release from the Department of Health and Human Services. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”
RISC Management’s stance on encryption is that implementation has become easy enough, and cost has been reduced enough, that choosing not to implement encryption is difficult to justify. With the exception of “legacy systems” developed long before data encryption was readily available, there are few relational database platforms or operating systems that do not support encryption today. Even for those legacy systems, there are third-party applications and technologies that can implement encryption in a manner that both provides safe harbor and does not require rewriting the legacy applications.
The Idaho hospice has taken steps to remedy its compliance since the 2010 theft.
The Department of Health and Human Services provides tips to physicians, health care providers and other healthcare professionals who use smartphones, laptops and tablets in their work here (visit http://www.HealthIT.gov/mobiledevices).
RISC Management and Consulting can help assess your encryption capabilities, identify supported encryption options, and assist you in implementing standards-based encryption that may provide safe harbor under the HITECH rules.