Protected Health Care Information: Privacy and Security and Social Networking
Two nurses discuss a patient's care and protected health information ("PHI") on Facebook.
Two certified nursing assistants discuss the frustrations they have in caring for a patient on Facebook.
On Yellowpages.com, an unhappy nurse pretends that she is a patient and blasts the Director of Nursing by falsely accusing the Director of being an alcoholic.
An employee posts reviews on Yahoo claiming that the nursing home puts profits over quality of care.
A physician "tweets" colleagues about surgical cases.
Every month there are hundreds of millions of visitors to Facebook, YouTube, Twitter and LinkedIn, as well as users of instant messaging and Webmail. These communications are called social networking. Social networking tools have enabled individuals to form instantaneous connections, called communities, and enable PHI to spread in a flash.
Privacy and Security of PHI are too often a second thought when it comes to social networking opportunities. These social networking technologies usually do not encrypt the electronic data. Encryption usually is in place for text messaging within the same carrier network but once the text messaging goes outside the network, there is no longer any encryption protection. And of course, theft through interception and illegal use of this data by third parties for their own unlawful monetary gain is always a concern.
Social networking can lead to PHI breaches and inappropriate disclosures of patient information as well as medical identity theft. Another risk is that there is no audit trail, so if a problem does develop, there's no way to track the communications and determine what happened, who was responsible and what protective system to put in place. As a result, social networking is a very risky communication phenomenon: instant PHI sharing with minimal protections of privacy and security. Smart phones have already changed the way we live: texts, email and photographs can immediately be communicated to one or more individuals, including immediate posting on the Internet. Health care providers are struggling just to know what PHI is inappropriately disclosed between clinicians, other employees within the provider and anyone outside of the provider.
I recommend the following to help protect our patients' PHI from inappropriate usage of social networking:
- Conduct risk analysis/assessment and documentation of the various social media tools and how they are being used within an organization.
- Ensure encryption mechanisms are in place, where possible, for all electronic PHI, including portable devices. Do not allow healthcare personnel to use personal devices.
- Block/prohibit all Web sites not permitted for access in the organizational network, or allow Web site access based on defined job role (role-based access).
- Policies and procedures must be created and implemented outlining where, when, and what social media tools are permitted, if any, and how they are allowed to be used.
- Conduct training and education on policies and procedures for all staff.
- Ensure enforcement of policies and procedures for user accountability.
- Monitor all Internet and social media activity on a regular basis to assist in overall management for optimal outcomes.
- Evaluate policies and organizational needs regularly to ensure up-to-date practices relevant to the technology.
The consequences of not protecting our residents' PHI from inappropriate social networking can be devastating: the HIPAA privacy rule and security rule, as well as various state laws, all have consequences for unlawful disclosure of PHI for both the provider and, in some situations, the individual practitioner. The Health Information Technology for Economic and Clinical Health (HITECH) Act has added to HIPAA protections and penalties, in particular requiring business associates to have their own HIPAA programs. Aside from legal repercussions, unlawful breaches of PHI through social networking can lead to losses of reputation and trust within the community. We must educate our employees and vendors as to the potential harm to all of us and especially to our patients.
Brandon C. Goldberg, Esq. Joins Law Firm
David S. Barmak is pleased to announce that Brandon C. Goldberg, Esq. has joined the staff of the Law Offices Of David S. Barmak, LLC. Brandon is licensed to practice in New Jersey and Georgia.
Brandon is a graduate of the Emory University School of Law and completed his undergraduate studies at Cornell University. Coming from a family closely tied to the nursing home community, he is continuing his work with nursing homes from a legal perspective. During his law school years, he was a judicial intern for Judge Brenda Cole of the Fulton County, GA State Court and worked as a legal intern for the Centers for Disease Control, the U.S. Department of Housing and Urban Development, and the Federal Aviation Administration. These federal internships included significant work related to the EEOC and union relations.
Brandon is a welcome addition to the staff that is currently serving 45 long term care facilities in New Jersey, New York, and Pennsylvania as well as acting as General Counsel for the Jersey Association of Medical Equipment Services (JAMES), the New Jersey Society of Independent Physical Therapists (NJSIPT), and Care Associates Network, LLC.
Brandon is a resident of Monroe Township, New Jersey.
Resident Cell Phones and HIPAA Compliance
As skilled nursing facilities' residents and their families become more technologically advanced in this day and age, smart phones are going to become an increasingly common sight in long-term care facilities. While cell phone use among staff can be limited, it will be much more difficult to justify limitations among residents under the law. Even if we were willing and able to restrict permitted cell phones to those without photo and video capabilities, such phones will not be widely available for long. We are fast approaching the day when one resident can film another resident or a medical chart and transmit that information around the world in minutes without anyone even seeing them do it. Is that resident looking at their list of contacts or recording a video? It may be impossible to tell.
Accommodating cell phones and protecting residents' rights do not have to be mutually exclusive. With usage agreements and some additional information, it should be possible to integrate cell phones into resident life.
When residents decide to bring a cell phone into the facility, it will inevitably be necessary to give them basic training on how they can use the phones without violating HIPAA and the privacy of other residents. They need to be informed that even taking a picture of their roommate is a violation of HIPAA (assuming the roommate did not sign a consent form). With a straightforward and concise set of usage guidelines, residents with and without phones will be informed of the expectations regarding phone use and the privacy guarantees that have been put in place. Having residents sign forms stating that they agree with the policies would be an important procedure as well. These forms would best be a part of the Admission Agreement, because this is the main contract between the facility and the resident and their family. The facility is private property, so what the facility says regarding the right to such technology stands unless the state decides that communication via photos is a resident's right. But even in that scenario, the facility will still have to balance the right of one resident to take pictures against another resident's right to privacy.
Over time, a resident's faculties may fade. If residents are not following the usage guidelines, either due to advanced age or misbehavior, it will be necessary to reevaluate their use of cell phones with them and their families. If a resident is posing a constant and credible threat to the facility's compliance with HIPAA, then they cannot be permitted to keep their phone. Ensuring that decisions to deny a resident their phone are well documented must be the cornerstone of any related action.
The presence of cell phones will also add to the responsibility of nurses, aides, and other staff. Checking laundry to ensure personal items are not washed will become even more important as the value of those items rises significantly. Accidentally destroying a resident's personal item should never be acceptable, but when the value of the item is upwards of several hundred dollars, taking additional precautions may be necessary. Putting the phone in a protective case that the resident keeps in a pocketbook or wears around the neck may be a possible solution. Suggesting insurance for the phone would also be a responsible strategy for safeguarding the resident's property.
As the presence of cell phones and other smart devices increases dramatically in skilled nursing facilities, it will be necessary to take preemptive measures to ease their incorporation into resident life. Preventing HIPAA violations must remain our top priority, but allowing and even encouraging residents to utilize advanced technology does not have to jeopardize their privacy and compliance with the law.
Law Offices Of David S. Barmak, LLC
David Barmak established his health care law firm in 1984 to deliver legal services, both in transactions and litigation, to organizations and professional practitioners in the health care field. We call this approach "Enterprise-Wide Risk Management" because it includes three important facets:
- Counsel and advisement on all aspects of legal risk, from setting up the entity to corporate governance and compliance;
- Protection of your practice or business through litigation prosecution or defense in the Courts, as well as regulatory compliance and licensure issues before government agencies; and
- Operations improvement through the implementation of enterprise-wide onsite audits, programs and training seminars in the areas of, but not limited to, Fraud and Abuse, HIPAA Privacy and Data Security, Employment, A/R Management, Emergency Preparedness, and Workplace Violence.
David S. Barmak, Esq. received his JD from Cornell University and BA from Duke University. He is licensed to practice and serves clients in the States of New Jersey, New York, Connecticut and Pennsylvania. He is the immediate past Chair of the Health & Hospital Law Section of the New Jersey State Bar Association.
Before making your choice of attorney, you should give this matter careful thought. The selection of an attorney is an important decision. The recipient may, if the newsletter is inaccurate or misleading, report the same to the Committee on Attorney Advertising.
For more information, please contact us:
Telephone (609) 688-0055
Fax (609) 688-1199