Social MediaJoy Hardee, Vidant Health Privacy OfficerBeth Anne Atkins, Vidant Health Corporate Communications

Nov. 20, 2015

2

• A social networking website focuses on building online communities of people who usually share interests and/or activities.

• Most social networking sites are web-based and allow users to interact via cell phones, instant messaging or email.

• Social networking has encouraged new ways for people to communicate and share information

Social Networking Defined

3

• HIPAA’s privacy regulations apply to health care providers, defined as: “a provider of medical or health services…and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.” 45 C.F.R. 160.103

• The HIPAA Privacy Rule protects the patient’s protected health information, which is “all individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral.” 45 C.F.R.160.103

Why should we care?

4

• HIPAA provides severe penalties for the dissemination of protected health information (PHI). (Civil Monetary Penalties & Criminal Penalties)

• Fines of $100 per violation of PHI and up to $50,000 for each violation with fines up to $1.5 million in a calendar year

• 10 years imprisonment for knowingly misusing individually identifiable PHI. 42 U.S.C. 1320 (d) (6)

• In addition to HIPAA, there may be state law claims for invasion of privacy that may be asserted.

Why should we care even more?

5

• Increasing # of complaints going to OCR

• Resolved after Intake and Review

• No violation

• Corrective action obtained

# of HIPAA complaints growing every year

6

• Hospitals Will Fire Workers in Facebook Scandal..Tri-City Medical Center in Oceanside CA

• Hospital Worker Fired over Facebook comments about patient…..Oakwood Hospital & Medical Center in Dearborn, Michigan

• When Facebook Goes to the Hospital, Patients May Suffer….St. Mary Medical Center in Long Beach CA (4 staff members fired and 3 disciplined after snapping a photo of a dying man that had been stabbed and posting on FB)

The information you disclose may not have a name but may contain enough information to identify the patient.

Media stories: Hospital employees fired for posting on Facebook

7

• Allows patients to share information, personal experiences and to socialize

• Allows increased connection with other people suffering from the same illness or condition

• Empowers patients to take control of health care decisions

Benefits of Social Networking for Patients

8

• Improved results because of better informed patients.

• Increased productivity due to patient knowledge

• More patient/provider interaction

• Real-time communication to entire class of patients in emergency situations, such as a drug recall or preventing scams

• Growing your business. Many professionals are using social networking sites to attract new clients and patients.

Benefits to Health Care Providers

9

• PRIVACY. The vast majority of what you do online is not private.

• Once you post something online, it may never go away.

• Information can be reproduced and distributed via copy/paste, email, instant messaging and even Google

• Many social networking sites have had virus problems which infect computers and can even copy personal information from your computer

• You do not own information posted on your personal social networking website

• Most social networking sites contain terms and conditions which provide them the right to use all of your information forever.

Problems with social networking

10

• Facebook terms and conditions: “You hereby grant Facebook an irrevocable, perpetual non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to (a) use, copy, publish, stream, store, retain, publicly perform or display, transmit, scan, reformat, modify, edit, frame, translate, excerpt, adapt, create derivative works and distribute (through multiple tiers), any User Content…”

• Gmail terms and conditions: “By submitting, posting or displaying the content you give Google a perpetual, irrevocable, world-wide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display…”

You Do Not Own Your Information

11

• Patients:• Disclosure of PHI on social networking sites.

• Downstream, could lead to discrimination, loss of insurance or employment, denial of a mortgage, or use as evidence in lawsuits.

• HIPAA Privacy Rule:• Attorney-Client Privilege is broken if client discloses

privileged information.• HIPAA Privacy Rule is unclear. Even if a patient publicly

discloses PHI, a Provider may violate the Privacy Rule by disclosing the same information.

HIPAA Privacy Concerns

12

• Wall Posts. Any of your “Friends” can create a message to be displayed on your wall.

• You have no control over content of wall posts from friends.

• Status updates, notes, and blogs. All could potentially disclose PHI worldwide instantaneously.

• Photos and videos. A photo or video of a patient constitutes PHI absent patient consent.

• Responding to negative patient posts on social networking sites

Pitfalls for Providers (and their employees)

13

Nondiscrimination

• As an employer, the practice of viewing our employees’ social media pages exposes Vidant Health to a risk of EEOC claims.

• Examples of risk:• Monitoring a subordinate employee’s Facebook page;• Accessing a job applicant’s Facebook page as part of pre-

employment investigation; and• Accessing an employee’s Facebook page as part of a

personnel or risk management investigation.

Vidant Health & Social Media

• Launched social media efforts in 2009 with Facebook and Twitter.

• Later launched LinkedIn and YouTube accounts.

• Purpose: engage consumers, patients and community

• Not intended for internal communication14

15

Policy Overview

• Oversight of official Vidant Health social media platforms

• Use of social media during working hours

• Suggestions for employees interacting with others through social media

• Guidelines for identifying with Vidant Health on social media

• Guidelines for employees contributing content to social media

16

Monitoring Social Media

• Strategic Development monitors our official Vidant Health social media pages.

• Strategic Development also receives periodic notices when keywords are mentioned via social media. This tool is used for public relations, service quality, and risk management purposes.

• Department managers should NOT be monitoring subordinate’s social media pages.

Investigations on Social Media

• Human Resources and Risk Management perform limited complaint driven investigations on social media (not pre-employment).

• Department managers should NOT perform their own investigations. Instead, report complaints to Human Resources or Risk Management, as appropriate.

7 (In)Famous Examples

• The “Crackhead”• The Jailbird• The Santa Claus• The Birthday Party• The Great Night Out With the Girls• The Wizard of Oz• The Physician’s Dictation

18

19

Today’s Takeaway

• Social media is just a new way of sharing information.

• The laws that govern online conduct are the same.

• Our policies are the same.

• If conduct would violate the law or a Vidant Health policy in an offline context, it will do so in the context of social media.

• Even seemingly innocent conduct has the potential to put the organization at risk

20

• Remember that HIPAA’s Privacy Rule applies to providers and their employees.

• Providers• If you use social networking sites, draw clear lines between your

personal and professional pages.• Choose your “friends” wisely. Don’t let them choose you.• Tear down or deactivate your wall. This gives you more control of

your page.• Before posting anything, take a moment to consider HIPAA

implications.• Implement training policies for employees and staff.• Ensure that all social networking sites are inaccessible from work

computers.

Additional Takeaways

21

• Employees• Implement employee policies or handbooks regarding the use of social

networking tools.

• Train employees about the importance of HIPAA and social networking.

• Remember that employees have cell phone capabilities and PDAs with photo and video capabilities. What seems to them like good, natural fun could cost them their job and cost you a bundle in legal fees.

• Ensure that employees are not visiting social networking sites from work computers.

• Use common sense.

Additional Takeaways