social Archives - Medical Association of the State of Alabama

Posts Tagged social

Social Media & HIPAA: When Sharing is Not Caring

Posted by admin on January 12, 2018

Social media is an increasingly common presence within the health care industry – among providers and consumers alike – but despite the potential benefits it can offer both parties, it introduces many risks.

Paging Dr. Google

It’s no exaggeration to say that the internet has completely transformed the way people seek medical information, and social media has played a significant role in this transformation. In fact, of the 74 percent of internet users that engage on social media, 80 percent of those are specifically searching for health information, and nearly half are looking for information about a specific doctor or health professional^[1].

What’s more, research^[2] has shown that social media can have a direct influence on a patient’s decision to choose a specific health provider, or even lead them to seek a second opinion, particularly amongst patients coping with a chronic condition, stress, or diet management.

This presents many opportunities for healthcare providers looking to get ahead of the competition – and for those who choose to actively engage in social media, the rewards can be significant, but so can the risks. So before jumping into social media headfirst, physicians need to understand the potential pitfalls, specifically the risks associated with patient privacy, and their obligations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Social media and PHI

PHI stands for Protected Health Information. The HIPAA Privacy Rule^[3] provides federal protections for personal health information held by HIPAA covered entities (health care providers, health plans, healthcare clearinghouses, plus their business associates) and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.

The limits of permissible disclosure, however, are extremely limited, and definitely don’t include social media; if a physician were to disclose a patient’s PHI via social media without consent, even accidentally, this would be a direct violation of HIPAA guidelines and probably state law too.

While one would hope that most healthcare professionals know not to share PHI publically, some may not even know that what they are sharing, or intend on sharing is actually PHI; it is extremely difficult to anonymize patients, and even the subtlest of identifiers could be deemed a breach of patient privacy if it can be tied to a patient.

To avoid this happening, providers need to understand the 18 PHI identifiers, which are:

Names;
Geographic information;
Dates (e.g. birth date, admission date, discharge date, date of death);
Telephone numbers;
Fax numbers;
E-mail addresses;
Social Security numbers;
Medical record numbers;
Health plan beneficiary numbers;
Account numbers;
Certificate/license numbers;
Vehicle identifiers and serial numbers, including license plate numbers;
Device identifiers and serial numbers;
URLs;
IP address numbers;
Biometric identifiers (e.g. finger and voice prints);
Full-face photographic images and any comparable images; and
Other unique identifying numbers, characteristics, or codes.

How to ensure a HIPAA compliant social media strategy

To avoid an inadvertent breach of PHI, covered entities should educate staff on best practices when using social media, including:

Avoid social messenger services

The likes of Facebook Messenger, LinkedIn, and Twitter Direct Messages may be familiar and convenient, but they are not secure and should be avoided at all costs when discussing patient health matters or exchanging PHI, even with trusted colleagues. Not only are these platforms inherently insecure due to a lack of encryption and access controls, the potential for error is increased as users could accidentally post information publicly or send a message to the wrong recipient.

What’s more, as BYOD (bring your own device) becomes more widely adopted in healthcare organizations, and as more devices are carried between home and work, the potential for device theft or loss increases, which further jeopardizes the security of any sensitive information that exists on a device, within social media applications, or on web browsers. This considered, PHI should only ever be exchanged via HIPAA-secure messaging services, that have been approved by IT departments and are used as part of an organization’s regular workflow.

Think very carefully before posting

When utilized as part of a wider marketing strategy, social media can be a very effective tool, but those responsible for managing social media output on behalf of an organization must be well versed in what type of content is and is not acceptable to share online. Even a seemingly harmless photo of the outside of a premises could cause problems if patients can be seen entering or exiting the building, or if a vehicle can be recognized in the car park. The same can be said of waiting rooms and reception areas, where the likelihood of capturing a patient’s face is high.

Keep work and home life separate

A HIPAA violation can just as easily happen in the home as it can in the workplace. After a hard day at work it is not uncommon for members of staff to air their grievances online – be it on Facebook, Twitter, or within closed forums. Again, considering how difficult it is to de-identify PHI, this behavior should be strongly discouraged, particularly where complaints about patients are involved. Similarly, posting about a famous person, friend, or family member being seen in a practice may be tempting, but is equally risky.

Social media has become second nature for many of us, and the ease of access to it is both a blessing and a curse for the healthcare industry. When managed responsibly, social media can be a highly effective marketing tool, and can even help improve the health outcomes of patients searching for information online. When used irresponsibly, however, the risks are high, and potential repercussions significant.

For HIPAA covered entities who engage in social media, the message is simple; develop robust company policies to ensure responsible usage, and ensure all staff are trained to think before they share.

^[1] http://www.pewinternet.org/2011/02/01/health-topics-3/

^[2] https://getreferralmd.com/2013/09/healthcare-social-media-statistics/

^[3] https://www.hhs.gov/hipaa/for-professionals/privacy/index.html

About The Author

Gene Fry has been the compliance officer and vice president of technology at Scrypt, Inc. since 2001 and has 25 years of IT experience working in industries such as health care and for companies in the U.S. and abroad. He is a Certified HIPAA Professional (CHP) through the Management and Strategy Institute, a Certified Cyber Security Architect through ecFirst and certified in HIPAA privacy and security through the American Health Information Management Association. Most recently achieved the HITRUST CSF Practitioner certification from the HITRUST ALLIANCE. Gene can be contacted through https://www.docbookmd.com/. DocbookMD is built by Scrypt, Inc. DocbookMD is an official partner of the Medical Association.

Tags: HIPAA, media, privacy, social

Posted in: HIPAA

CMS Reveals New Medicare Card Design; Strengthens Fraud Protections

Posted by admin on September 20, 2017

The Centers for Medicare & Medicaid Services has redesigned its Medicare card to remove Social Security numbers and use a unique, randomly-assigned number in an effort to better protect users from identity theft and fraud.

CMS will begin mailing the new cards to people with Medicare benefits in April 2018 to meet the statutory deadline for replacing all existing Medicare cards by April 2019. People with Medicare will also be able to see the design of the new Medicare card in the 2018 Medicare & You Handbook. The handbooks are being mailed and will arrive throughout September.

“The goal of the initiative to remove Social Security numbers from Medicare cards is to help prevent fraud, combat identify theft, and safeguard taxpayer dollars,” said CMS Administrator Seema Verma. “We’re very excited to share the new design.”

CMS has assigned all people with Medicare benefits a new, unique Medicare number, which contains a combination of numbers and uppercase letters. People with Medicare will receive a new Medicare card in the mail, and will be instructed to safely and securely destroy their current Medicare card and keep their new Medicare number confidential. Issuance of the new number will not change benefits that people with Medicare receive.

Health care providers and people with Medicare will be able to use secure look-up tools that will allow quick access to the new Medicare numbers when needed. There will also be a 21-month transition period where doctors, health care providers, and suppliers will be able to use either their current SSN-based Medicare Number or their new, unique Medicare number, to ease the transition.

This initiative takes important steps towards protecting the identities of people with Medicare. CMS is also working with healthcare providers to answer their questions and ensure that they have the information they need to make a successful transition to the new Medicare number. For more information, please visit: www.cms.gov/newcard.

How can providers get ready for the changes?

Ask your billing and office staff if your system can accept the new 11-digit alphanumeric Medicare Beneficiary Identifier or
If your system cannot accept the new number, system changes should be made by April 2018
If providers use vendors to bill Medicare, ask them about their MBI practice management system changes and make sure they are ready for the change
Verify your patients’ addresses: If the address you have on file is different than the address you get in electronic eligibility transaction responses, ask your patients to contact Social Security and update their Medicare records. This may require coordination between your billing and office staff.

For more information go to https://www.cms.gov/Medicare/New-Medicare-Card/Providers/Providers.html

Tags: MBI, Medicaid, Medicare, security, social, SSN

Posted in: Medicare

Social Media & Electronic Communication: Asset or Liability

Posted by admin on September 27, 2016

Editor’s Note: This article was originally published in the 2015 Winter issue of Alabama Medicine magazine.

You may have heard the adage, “Don’t put anything on the Internet that you wouldn’t want tacked to a bulletin board in the Town Square.” Thanks to smartphones and their applications, that adage is easier than ever to ignore – and isn’t always followed. During the past few years, there have been numerous news stories of physicians being reprimanded after inadvertently identifying patients on social media, nurses being fired for posting photos taken during surgeries, etc. So what may a physician do to minimize liability risk when using smartphones?

There are many areas of concern – social media, email/text, and smartphone applications. While these may be viable tools for communicating with patients, there are inherent risks – confidentiality, data security, and the potential for email and text to replace open communication. The following tips may help minimize your risk.

Social Media

Social media has exploded from Facebook and its ancestor MySpace to Twitter, LinkedIn, Pinterest – the list goes on – and according to Facebook’s third quarter 2014 earnings, more than 1.3 billion people use Facebook monthly.

You’ve heard ad nauseam that patients who perceive they have a good relationship with their physicians are less likely to sue, even in the event of an adverse outcome, and heard more times than you can count that communication is the cornerstone of your relationships with your patients. But, that advice is proffered for the therapeutic, professional setting.

So how do you navigate the boundary between therapeutic and personal – or social?

“As a physician, I understand the perceived value of the ways in which patients tend to rely on Facebook to communicate with family and friends. However, we physicians need to be sure of a couple of things: One, communication about a patient’s therapeutic course happens face-to-face and, at times, is supplemented with phone conversations, with the common thread of give-and-take interaction. And two, ethically, that we don’t blur the line between therapeutic care and the social relationship,” Hayes V. Whiteside, M.D., Chief Medical Officer and Senior Vice President of Risk Resource at ProAssurance, said.

Generally, the best advice is to keep your professional and personal lives separate when using Facebook and not accept friend requests from patients. Facebook friends typically have access to all other friends, to photos posted, and also to notes and messages posted on your wall. No matter how tightly you lock down your privacy settings, there’s no guarantee of privacy.

If you decide to use Facebook or other social media professionally, it’s a good idea to set up an account for your practice only and consider these suggestions:

Add a disclaimer statement along the lines of, “Our clinic cannot give medical advice to any individual over Facebook. This Facebook page is
for general informational purposes only and should not be used in place of a consult with your regular medical provider. The information presented here is not intended to be used as a diagnosis or treatment. If you need emergency medical attention, please call 911 or go to the nearest emergency room. If you need to be seen in our office by a physician, please call [telephone number] for an appointment.”

Frequently monitor privacy settings and the page itself.Create guidelines or policy for staff regarding who may post updates to the page and under what circumstances, including who will redirect questions on the page to appropriate physicians for follow-up when a question is not general enough to be answered on the practice’s page, or when doing so would compromise patient privacy.
Create guidelines or policy for staff regarding who may post updates to the page and under what circumstances, including who will redirect questions on the page to appropriate physicians for follow-up when a question is not general enough to be answered on the practice’s page, or when doing so would compromise patient privacy.Ensure patient confidentiality. Refrain from publicly posting any protected health information, whether in discussion with a patient or other physician on the practice’s Facebook page. Doing so could result in a HIPAA violation.
Ensure patient confidentiality. Refrain from publicly posting any protected health information, whether in discussion with a patient or other physician on the practice’s Facebook page. Doing so could result in a HIPAA violation.

The American Medical Association has issued “Opinion 9.124 – Professionalism in the Use of Social Media,” and it may be found here.

Communicating via Email and Text

While email and, to a certain extent, texts may be viable tools for communicating with patients, there are some inherent liability risks. Issues such as confidentiality, data security, and the potential for email to replace open communication are examples of those risks. If email or text is used, risk management experts recommend physicians refrain from sending time-sensitive, highly confidential, or emergency information. Information concerning prescriptions, normal lab results regarding non-sensitive medical issues, appointment reminders, and routine follow-ups may be appropriate to transmit via email.

Confidentiality and security become issues of primary concern. Who will be processing the messages? Will physicians obtain informed consent from patients regarding transmission of information via email? Who has access to the email account? To the computer where emails are stored? If email is used, risk management experts recommend physicians refrain from sending time-sensitive, highly confidential, or emergency information. Information concerning prescriptions, lab results, appointment reminders, and routine follow-up inquiries are generally appropriate to transmit via email. Physicians should also print emails to and from patients and place them in the patient’s medical record.

The AMA in its “Opinion 5.026 – The Use of Electronic Mail” recommends physicians don’t establish a relationship via email and notes the same ethical obligations apply to any other encounter apply to communication via email. Regarding texts, medical/legal experts note they are subject to the same considerations and parameters as emails when it comes to privacy and protected health information, such as incorporation into the medical record. Risk management experts recommend avoiding using text to communicate patient information, treatment advice, etc. The AMA’s opinion may be found here.

Smartphone Apps

With 8-out-of-10 physicians using smartphones for professional purposes, according to mhealthwatch.com, it’s wise to be concerned about potential risk management implications. While such medical apps are great tools, there are innate risks – the unsecured smartphone, for example. Risk management experts recommend evaluating the types of information stored on a personal device. Research apps, such as Epocrates, should not be subject to HIPAA risks if used for research purposes only. However, apps allowing mobile dictation of information that can be transferred to an electronic medical record may be, as they may contain confidential patient health information. Another consideration is security – apps that transmit information may be vulnerable to hacking. Some medical apps bill themselves as HIPAA compliant; it’s wise to examine an app’s privacy policy and take reasonable steps to verify security. It’s also wise to keep in mind no app – especially free ones – is 100 percent secure.

Regardless of whether a smartphone app transmits, stores, or simply accesses patient health information, physicians should ensure the apps are HIPAA and HITECH compliant.

Tips to keep in mind:

HIPAA requires data security and proper destruction and/or file retention of patient health information when appropriate.
Physicians should remove patient health information from devices with apps before discarding/replacing the device.
Wireless apps should be reviewed to ensure security at all levels.
A security policy addressing mobile devices and apps that can be used, along with the appropriate use and destruction of patient health information, should be in place.
Work closely with information technology personnel to address security issues.

ProAssurance-insured physicians and their practice managers may contact Risk Resource for prompt answers to liability questions by calling (205) 877-5015 or email at riskadvisor@proassurance.com. ProAssurance is an official Platinum Partner with the Medical Association.

Tags: facebook, media, social, social media, twitter

Posted in: Management

Keep the Medical Association in Your Facebook News Feed

Desktop Computers

Phone and Tablet Users