media Archives - Medical Association of the State of Alabama

Posts Tagged media

Social Media & HIPAA: When Sharing is Not Caring

Posted by admin on January 12, 2018

Social media is an increasingly common presence within the health care industry – among providers and consumers alike – but despite the potential benefits it can offer both parties, it introduces many risks.

Paging Dr. Google

It’s no exaggeration to say that the internet has completely transformed the way people seek medical information, and social media has played a significant role in this transformation. In fact, of the 74 percent of internet users that engage on social media, 80 percent of those are specifically searching for health information, and nearly half are looking for information about a specific doctor or health professional^[1].

What’s more, research^[2] has shown that social media can have a direct influence on a patient’s decision to choose a specific health provider, or even lead them to seek a second opinion, particularly amongst patients coping with a chronic condition, stress, or diet management.

This presents many opportunities for healthcare providers looking to get ahead of the competition – and for those who choose to actively engage in social media, the rewards can be significant, but so can the risks. So before jumping into social media headfirst, physicians need to understand the potential pitfalls, specifically the risks associated with patient privacy, and their obligations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Social media and PHI

PHI stands for Protected Health Information. The HIPAA Privacy Rule^[3] provides federal protections for personal health information held by HIPAA covered entities (health care providers, health plans, healthcare clearinghouses, plus their business associates) and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.

The limits of permissible disclosure, however, are extremely limited, and definitely don’t include social media; if a physician were to disclose a patient’s PHI via social media without consent, even accidentally, this would be a direct violation of HIPAA guidelines and probably state law too.

While one would hope that most healthcare professionals know not to share PHI publically, some may not even know that what they are sharing, or intend on sharing is actually PHI; it is extremely difficult to anonymize patients, and even the subtlest of identifiers could be deemed a breach of patient privacy if it can be tied to a patient.

To avoid this happening, providers need to understand the 18 PHI identifiers, which are:

Names;
Geographic information;
Dates (e.g. birth date, admission date, discharge date, date of death);
Telephone numbers;
Fax numbers;
E-mail addresses;
Social Security numbers;
Medical record numbers;
Health plan beneficiary numbers;
Account numbers;
Certificate/license numbers;
Vehicle identifiers and serial numbers, including license plate numbers;
Device identifiers and serial numbers;
URLs;
IP address numbers;
Biometric identifiers (e.g. finger and voice prints);
Full-face photographic images and any comparable images; and
Other unique identifying numbers, characteristics, or codes.

How to ensure a HIPAA compliant social media strategy

To avoid an inadvertent breach of PHI, covered entities should educate staff on best practices when using social media, including:

Avoid social messenger services

The likes of Facebook Messenger, LinkedIn, and Twitter Direct Messages may be familiar and convenient, but they are not secure and should be avoided at all costs when discussing patient health matters or exchanging PHI, even with trusted colleagues. Not only are these platforms inherently insecure due to a lack of encryption and access controls, the potential for error is increased as users could accidentally post information publicly or send a message to the wrong recipient.

What’s more, as BYOD (bring your own device) becomes more widely adopted in healthcare organizations, and as more devices are carried between home and work, the potential for device theft or loss increases, which further jeopardizes the security of any sensitive information that exists on a device, within social media applications, or on web browsers. This considered, PHI should only ever be exchanged via HIPAA-secure messaging services, that have been approved by IT departments and are used as part of an organization’s regular workflow.

Think very carefully before posting

When utilized as part of a wider marketing strategy, social media can be a very effective tool, but those responsible for managing social media output on behalf of an organization must be well versed in what type of content is and is not acceptable to share online. Even a seemingly harmless photo of the outside of a premises could cause problems if patients can be seen entering or exiting the building, or if a vehicle can be recognized in the car park. The same can be said of waiting rooms and reception areas, where the likelihood of capturing a patient’s face is high.

Keep work and home life separate

A HIPAA violation can just as easily happen in the home as it can in the workplace. After a hard day at work it is not uncommon for members of staff to air their grievances online – be it on Facebook, Twitter, or within closed forums. Again, considering how difficult it is to de-identify PHI, this behavior should be strongly discouraged, particularly where complaints about patients are involved. Similarly, posting about a famous person, friend, or family member being seen in a practice may be tempting, but is equally risky.

Social media has become second nature for many of us, and the ease of access to it is both a blessing and a curse for the healthcare industry. When managed responsibly, social media can be a highly effective marketing tool, and can even help improve the health outcomes of patients searching for information online. When used irresponsibly, however, the risks are high, and potential repercussions significant.

For HIPAA covered entities who engage in social media, the message is simple; develop robust company policies to ensure responsible usage, and ensure all staff are trained to think before they share.

^[1] http://www.pewinternet.org/2011/02/01/health-topics-3/

^[2] https://getreferralmd.com/2013/09/healthcare-social-media-statistics/

^[3] https://www.hhs.gov/hipaa/for-professionals/privacy/index.html

About The Author

Gene Fry has been the compliance officer and vice president of technology at Scrypt, Inc. since 2001 and has 25 years of IT experience working in industries such as health care and for companies in the U.S. and abroad. He is a Certified HIPAA Professional (CHP) through the Management and Strategy Institute, a Certified Cyber Security Architect through ecFirst and certified in HIPAA privacy and security through the American Health Information Management Association. Most recently achieved the HITRUST CSF Practitioner certification from the HITRUST ALLIANCE. Gene can be contacted through https://www.docbookmd.com/. DocbookMD is built by Scrypt, Inc. DocbookMD is an official partner of the Medical Association.

Tags: HIPAA, media, privacy, social

Posted in: HIPAA

How to Make HIPAA Disclosures During Mass Tragedies

Posted by admin on October 6, 2017

In light of the recent incident in Las Vegas, the Office of Civil Rights, the government entity responsible for HIPAA Compliance, issued clarification guidance on the ability of a health care provider to share patient information during such situations. While such incidents are taxing on health care providers in terms of treating capacity and ability, it is important that providers keep in mind the requirements of HIPAA regarding the disclosure of certain information to the public. A summary of OCR’s recent clarification is provided below, as it serves as a good reminder regarding what information can be shared under HIPAA in these types of mass-casualty, disaster scenarios.

Disclosures to Family, Friends and Others Involved in an Individual’s Care and for Notification.

You may share health information with a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care. You may also share information about a patient as necessary to identify, locate and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death. This may include, where necessary to notify family members and others, the police, the press, or the public at large.

You should get verbal permission from the patient when feasible or otherwise be able to reasonably infer that the patient does not object to the disclosure. If the individual is incapacitated or not available, you may share information for these purposes if, in your professional judgment, doing so is in the patient’s best interest.
In addition, you may share protected health information with disaster relief organizations that are authorized by law or by their charters to assist in disaster relief efforts (g., American Red Cross), for the purpose of coordinating the notification of family members or other persons involved in the patient’s care, of the patient’s location, general condition, or death. It is unnecessary to obtain a patient’s permission to share the information in this situation if doing so would interfere with the organization’s ability to respond to the emergency.

Disclosures to the Media or Others Not Involved in the Care of the Patient/Notification.

Upon request for information about a particular patient by name, you may release limited facility directory information to acknowledge that an individual is a patient at the facility and provide basic information about the patient’s condition in general terms (g., critical or stable, deceased, or treated and released) if the patient has not objected to or restricted the release of such information or, if the patient is incapacitated, if the disclosure is believed to be in the best interest of the patient and is consistent with any prior expressed preferences of the patient. In general, affirmative reporting to the media or the public at large about an identifiable patient, or the disclosure to the public or media of specific information about the treatment of an identifiable patient, such as specific tests, test results or details of a patient’s illness, may not be done without the patient’s written authorization (or that of his/her personal representative).

Kelli Fleming is a Partner with Burr & Forman LLP practicing in the firm’s Health Care Industry Group. Burr & Forman LLP is a partner with the Medical Association.

Tags: HIPAA, identify, media, notify, patient, tragedy

Posted in: HIPAA

Social Media & Electronic Communication: Asset or Liability

Posted by admin on September 27, 2016

Editor’s Note: This article was originally published in the 2015 Winter issue of Alabama Medicine magazine.

You may have heard the adage, “Don’t put anything on the Internet that you wouldn’t want tacked to a bulletin board in the Town Square.” Thanks to smartphones and their applications, that adage is easier than ever to ignore – and isn’t always followed. During the past few years, there have been numerous news stories of physicians being reprimanded after inadvertently identifying patients on social media, nurses being fired for posting photos taken during surgeries, etc. So what may a physician do to minimize liability risk when using smartphones?

There are many areas of concern – social media, email/text, and smartphone applications. While these may be viable tools for communicating with patients, there are inherent risks – confidentiality, data security, and the potential for email and text to replace open communication. The following tips may help minimize your risk.

Social Media

Social media has exploded from Facebook and its ancestor MySpace to Twitter, LinkedIn, Pinterest – the list goes on – and according to Facebook’s third quarter 2014 earnings, more than 1.3 billion people use Facebook monthly.

You’ve heard ad nauseam that patients who perceive they have a good relationship with their physicians are less likely to sue, even in the event of an adverse outcome, and heard more times than you can count that communication is the cornerstone of your relationships with your patients. But, that advice is proffered for the therapeutic, professional setting.

So how do you navigate the boundary between therapeutic and personal – or social?

“As a physician, I understand the perceived value of the ways in which patients tend to rely on Facebook to communicate with family and friends. However, we physicians need to be sure of a couple of things: One, communication about a patient’s therapeutic course happens face-to-face and, at times, is supplemented with phone conversations, with the common thread of give-and-take interaction. And two, ethically, that we don’t blur the line between therapeutic care and the social relationship,” Hayes V. Whiteside, M.D., Chief Medical Officer and Senior Vice President of Risk Resource at ProAssurance, said.

Generally, the best advice is to keep your professional and personal lives separate when using Facebook and not accept friend requests from patients. Facebook friends typically have access to all other friends, to photos posted, and also to notes and messages posted on your wall. No matter how tightly you lock down your privacy settings, there’s no guarantee of privacy.

If you decide to use Facebook or other social media professionally, it’s a good idea to set up an account for your practice only and consider these suggestions:

Add a disclaimer statement along the lines of, “Our clinic cannot give medical advice to any individual over Facebook. This Facebook page is
for general informational purposes only and should not be used in place of a consult with your regular medical provider. The information presented here is not intended to be used as a diagnosis or treatment. If you need emergency medical attention, please call 911 or go to the nearest emergency room. If you need to be seen in our office by a physician, please call [telephone number] for an appointment.”

Frequently monitor privacy settings and the page itself.Create guidelines or policy for staff regarding who may post updates to the page and under what circumstances, including who will redirect questions on the page to appropriate physicians for follow-up when a question is not general enough to be answered on the practice’s page, or when doing so would compromise patient privacy.
Create guidelines or policy for staff regarding who may post updates to the page and under what circumstances, including who will redirect questions on the page to appropriate physicians for follow-up when a question is not general enough to be answered on the practice’s page, or when doing so would compromise patient privacy.Ensure patient confidentiality. Refrain from publicly posting any protected health information, whether in discussion with a patient or other physician on the practice’s Facebook page. Doing so could result in a HIPAA violation.
Ensure patient confidentiality. Refrain from publicly posting any protected health information, whether in discussion with a patient or other physician on the practice’s Facebook page. Doing so could result in a HIPAA violation.

The American Medical Association has issued “Opinion 9.124 – Professionalism in the Use of Social Media,” and it may be found here.

Communicating via Email and Text

While email and, to a certain extent, texts may be viable tools for communicating with patients, there are some inherent liability risks. Issues such as confidentiality, data security, and the potential for email to replace open communication are examples of those risks. If email or text is used, risk management experts recommend physicians refrain from sending time-sensitive, highly confidential, or emergency information. Information concerning prescriptions, normal lab results regarding non-sensitive medical issues, appointment reminders, and routine follow-ups may be appropriate to transmit via email.

Confidentiality and security become issues of primary concern. Who will be processing the messages? Will physicians obtain informed consent from patients regarding transmission of information via email? Who has access to the email account? To the computer where emails are stored? If email is used, risk management experts recommend physicians refrain from sending time-sensitive, highly confidential, or emergency information. Information concerning prescriptions, lab results, appointment reminders, and routine follow-up inquiries are generally appropriate to transmit via email. Physicians should also print emails to and from patients and place them in the patient’s medical record.

The AMA in its “Opinion 5.026 – The Use of Electronic Mail” recommends physicians don’t establish a relationship via email and notes the same ethical obligations apply to any other encounter apply to communication via email. Regarding texts, medical/legal experts note they are subject to the same considerations and parameters as emails when it comes to privacy and protected health information, such as incorporation into the medical record. Risk management experts recommend avoiding using text to communicate patient information, treatment advice, etc. The AMA’s opinion may be found here.

Smartphone Apps

With 8-out-of-10 physicians using smartphones for professional purposes, according to mhealthwatch.com, it’s wise to be concerned about potential risk management implications. While such medical apps are great tools, there are innate risks – the unsecured smartphone, for example. Risk management experts recommend evaluating the types of information stored on a personal device. Research apps, such as Epocrates, should not be subject to HIPAA risks if used for research purposes only. However, apps allowing mobile dictation of information that can be transferred to an electronic medical record may be, as they may contain confidential patient health information. Another consideration is security – apps that transmit information may be vulnerable to hacking. Some medical apps bill themselves as HIPAA compliant; it’s wise to examine an app’s privacy policy and take reasonable steps to verify security. It’s also wise to keep in mind no app – especially free ones – is 100 percent secure.

Regardless of whether a smartphone app transmits, stores, or simply accesses patient health information, physicians should ensure the apps are HIPAA and HITECH compliant.

Tips to keep in mind:

HIPAA requires data security and proper destruction and/or file retention of patient health information when appropriate.
Physicians should remove patient health information from devices with apps before discarding/replacing the device.
Wireless apps should be reviewed to ensure security at all levels.
A security policy addressing mobile devices and apps that can be used, along with the appropriate use and destruction of patient health information, should be in place.
Work closely with information technology personnel to address security issues.

ProAssurance-insured physicians and their practice managers may contact Risk Resource for prompt answers to liability questions by calling (205) 877-5015 or email at riskadvisor@proassurance.com. ProAssurance is an official Platinum Partner with the Medical Association.

Tags: facebook, media, social, social media, twitter

Posted in: Management

Keep the Medical Association in Your Facebook News Feed

Desktop Computers

Phone and Tablet Users