Updates and Implications on Understanding, Policy, Compliance and Enforcement
Technology has enabled many organizations in the healthcare industry to provide safe and quality care while allowing accessible use and sharing of medical data. However, it has not come without the risk of medical information being used inappropriately.
The HIPAA Privacy and Security Rules ensure protected health information (PHI) is kept safe, secure, accessible, and available for those who have the authorization and a valid need to access it. Enforcement of the Rules comes in many forms including the possibility of enduring an OCR audit, either random or complaint-initiated, and the potential for civil monetary penalties, criminal penalties, and/or a publicly-posted settlement agreement.
The importance of compliance with regards to social media is the focus of this informative blog. The Final HIPAA Privacy and Security Rules which went into effect on March 26th of this year include stricter rules for data breaches of unsecured PHI. The compliance date of September 23rd of this year is quickly approaching.
When it comes to providing up to date information for large populations of patients, social media may prove to be an excellent tool. Social media is defined as a technological platform including services used by individuals to communicate and share information. Social media supports availability in many forms such as social networking, blogs, internet forums, video and picture sharing, and group interest sites to name a few.
A survey by the Pew Research Center of individuals reported the majority of social media being used is Facebook at 67%, Twitter at 16%, and Instagram at 13%. Facebook is the most popular social media instrument with 6,930,053 views in the month of April, 2013 compared to Tumblr which received 43,956 views.
According to Schmitt, Sims-Giddens, and Booth, “Social media is more than an emerging technology platform or cultural trend, but a method of communication that is changing the way individuals and organizations throughout the world transmit and receive information. The meaning and value of social media continue to be debated among business leaders, computer science scholars, educators, and users.”
Social media has a negative connotation when it comes to information being shared inappropriately by nurses, or other clinicians, on their personal social media outlet such as Facebook. The ease of publishing significant amounts of written, pictorial, or audio information in seconds, from a portable location, and while on the job provides the capability to violate policies, laws, and patient ethics instantly and from anywhere. While the potential for misuse is significant, and evidence is available to support those fears, not all social media use in healthcare is bad.
The following are positive examples of social media use from a survey performed by the American Academy of Facial Plastic and Reconstructive Surgery in Alexandria, VA. The survey reported that in 2011, 42 % of patients obtained plastic surgery information via social media, which is an increase from 29% in 2010.
In addition, physicians shared the fact that patients were knowledgeable and more educated about plastic surgery because of the availability of information online. Social media has also been received positively as a component of nursing education curriculum. Technology has provided students with options for learning away from the traditional classroom setting. This technology has also helped job seekers connect without expending much effort through LinkedIn.
Jobrary is another technological advance that can be shared via social media easily for job seekers as an online creative resume and portfolio of work. Social media has also facilitated the sharing of scholarly works through online solutions. A good example is Mendeley which provides secure organization for articles and sharing while remaining free of charge.
However, there is significant and consistently-appearing evidence depicting the negative side of this sharing technology. On August 17th last year, Dale Munroe, a former Florida Hospital employee was accused of retrieving and selling patient information. According to the Federal Bureau of Investigation, “ORLANDO—U.S. District Judge Roy B. Dalton, Jr. today sentenced Dale Munroe, II to 12 months and one day in federal prison for his role in stealing the information of Florida Hospital patients. As part of his sentence, Munroe was also ordered to serve a two-year term of supervised release. Munroe pleaded guilty on October 22, 2011.” This is a clear example of a violation of both the HIPAA Privacy and Security Rules, as well as the organization’s workforce security awareness and training.
While this example includes criminal penalties, Civil Monetary Penalties (CMPs) and settlement agreements are more common. The Final Omnibus Rule includes increased fines for violations including the first category that should get the attention of many healthcare organizations, “Did not know.” This category can still transfer significant liability to a healthcare provider for the actions of their employees, or other members of the workforce.
|Did not know||
|Willful Neglect-Not Corrected||
More damaging than the CMPs in this table are the settlement agreements, which need not necessarily adhere to this fine structure, the significant cost of responding to a breach or an investigation by the OCR, and the negative impact to the reputation of the organization.
According to the Ponemon Institute (2011) the average cost of compliance was between $446,000 and $16 million per organization. However, the cost of not complying was projected significantly higher at between $4.4 million and $28 million due to loss of revenue from decreased productivity, damage to the organization’s reputation, loss of current and future customers, and legal costs.
Just last year, Linda Sanches, Senior Advisor, Health Information Privacy said that many organizations have not done their due diligence towards compliance. Now we have the upcoming Final Omnibus Rule compliance date looming on September 23rd, 2013, and promises of increased awareness, training, and enforcement.
What should be done? Your organization needs to begin the process sooner rather than later, and address a real, emerging, and quickly expanding threat. Designate a team to investigate the use, options, controls, enforcement, and audits that can be put into place to reduce your risk, and potentially increase revenue and patient satisfaction. Incorporate corporate culture and keep an eye ever focused on regulatory requirements including both HIPAA and stricter state-based laws such as those in California and Texas.
Short of collecting personal devices at the door or by the timeclock, and blocking all communications with social media sites, the problem will be impossible to eliminate. Ensure that policies, supporting procedures, workforce training, personnel management, technical controls, and random auditing are all a part of your organization’s solution to this growing opportunity.
Involve departments like Marketing, Foundation, and Human Resources to identify how social media is already being used, or desired to support business purposes. Remember that all of the members of your workforce are human beings, and that absolutes are rarely adhered to. Provide healthy, safe, secure and compliant options, clear direction, and reasonable and appropriate review of adherence, and the organization will be in the best position to manage risk.
– Rose Rienton MSN, BSN, CHP
Healthcare Practice Leader with RISC Management and Consulting
For more information please contact RISC Management and Consulting, www.RISCsecurity.com
Read our HIPAA Compliant Hosting white paper as it explores the impact of HITECH and HIPAA on data centers. It includes a description of a HIPAA compliant data center IT architecture, contractual requirements, benefits and risks of data center outsourcing, and vendor selection criteria.
Department of Health & Human Services. (2013). News release: WellPoint pays HHS $1.7 million for leaving information accessible over internet. Retrieved from http://www.hhs.gov/news/press/2013pres/07/20130711b.html
Federal Bureau of Investigation. (2013). Former Florida hospital employee sentenced to federal prison for data theft. Retrieved from http://www.fbi.gov/tampa/press-releases/2013/former-florida-hospital-employee-sentenced-to-federal-prison-for-data-theft
International Communications Research. (2012). American academy of facial and reconstructive surgery 2012 membership study. Retrieved from http://www.aafprs.org/wp-content/themes/aafprs/pdf/AAFPRS-2012-REPORT.pdf
National Institute of Standards and Technology. (NIST). Safeguarding health information: Building assurance through HIPAA security. Retrieved from http://www.nist.gov/itl/csd/hipaa-security-conference-2012-webcast.cfm
Office for Civil Rights. (2013). 2012 Audits of covered entity compliance with HIPAA Privacy, Security and Breach Notification Rules: Initial Analysis. Retrieved from http://www.ehcca.com/presentations/HIPAA21/sanches_1.pdf
Ponemon Institute. (2011). The true cost of compliance: A benchmark study of multinational organization. Retrieved from http://www.ponemon.org/library/the-true-cost-of-compliance-a-benchmark-study-of-multinational-organizations?s=true+cost+of+compliance
Mendeley is a free reference manager and academic social network that can help you organize your research, collaborate with others online, and discover the latest research. http://www.mendeley.com/
Otava provides the secure, compliant hybrid cloud solutions demanded by service providers, channel partners and enterprise clients in compliance-sensitive industries. By actively aggregating best-of-breed cloud companies and investing in people, tools, and processes, Otava’s global footprint continues to expand. The company provides its customers in highly regulated disciplines with a clear path to transformation through its effective solutions and broad portfolio of hybrid cloud, data protection, disaster recovery, security and colocation services, all championed by an exceptional support team. Learn more at www.otava.com.