There’s more to patient privacy and social media than HIPAA
2012-03-12
In the lead-up to the first of a series of workshops on digital and social media for healthcare organizations I’m leading with Chris Boyer, I’ll be cranking out several healthcare-focused posts over the next couple of weeks. The workshop, Health Care Communicators Boot Camp, starts out in Philadelphia on March 26. Get details and register here.
Most hospitals and other healthcare organizations spout a single two-syllable word when asked why they’re not engaging in social media. That word—an acronym—is HIPAA, short for the Health Information Portability and Accountability Act. HIPAA covers a lot of ground, but in this context, it prevents a healthcare organization from divulging personal health information about its patients. To be completely official about it, the U.S. Department of Health and Human Services, on its site dedicated to summarizing the HIPAA Privacy Rule, says…
The Privacy Rule standards address the use and disclosure of individuals’ health information—called “protected health information” by organizations subject to the Privacy Rule—called “covered entities,” as well as standards for individuals’ privacy rights to understand and control how their health information is used.
The penalties for a HIPAA violation can be severe, up to $50,000 per violation along with criminal penalties “if the wrongful conduct involves false pretenses,” so it’s easy to see why hospital counsel shies away from activities that could lead to fines.
Plenty of hospitals manage to balance HIPAA compliance with robust social engagement, however, including prestigious institutions like The Mayo Clinic, Johns Hopkins Medicine, The Cleveland Clinic and the M.D. Anderson Cancer Center. In fact, they have determined that the benefits of a social media strategy can far outweigh the risks of HIPAA violations. Besides, as former Beth Israel Deaconess Medical Center CEO Paul Levy put it, “Any form of communication (even conversations in the elevator!) can violate important privacy rules, but limiting people’s access to social media in the workplace will mainly inhibit the growth of community and discourage useful information sharing.”
Most hospitals that permit or even encourage staff engagement in social media channels conduct some kind of training to ensure employees are up to speed—not just on social media, but on patient privacy in general. Some hospitals develop standalone training while others incorporate social media into their annual HIPAA sessions.
If your organization hasn’t developed training, now’s the time, not just because of HIPAA but because, as it turns out, your staff could be liable for more severe punishment if they run afoul of the law, no matter how ignorant they may be of the rules or how innocent they thought their post may have been.
Consider the case of Nai Mai Chao, a nursing assistant in Oregon who spent eight days in jail over invasion of the personal privacy of residents of the nursing home where she worked. Reports say that she posted graphic images of patients, accompanied by some offensive comments, to her Facebook page. While she insisted she wasn’t the actual photographer, she confessed to posting the images, resulting in a conviction for the misdemeanor of invading personal privacy.
OregonLive.com quoted a prosecutor in the case saying the conviction is a lesson for responsibility over what people post online. Of course, it’s HHS that prosecutes HIPAA violations, so both Ms. Chao and the nursing home where she worked could be in for some additional penalties.
All of which could have been avoided if Ms. Chao and her colleagues at all levels had been trained on their obligations, the rules and the consequences related to posting online. As it stands, Ms. Chao probably won’t have to worry about it any longer, since she was also sentenced to probation, community service and a fine. She had to surrender her nursing certificate and was fired from her job. In an interesting side note, the judge required her to write a 1,000-word apology to a patient and if she fails to do so, she could be charged with violating her probation.
That’s a lot of punishment that could have been avoided through a simple one-hour training session that could have not only prevented any future violations by other employees but resulted in positive online staff engagement that could have boosted the nursing home’s reputation.
If you’re not training your staff on the connection between patient privacy and social media, don’t put it off any longer. The consequences clearly go beyond HIPAA.
You can read more about Ms. Chao’s case on The Security Scrutinizer blog.