HIPAA protected Healthcare Information in the Age of Expanding Social Media Boundaries
Social by nature, curious by design and caring by desire, health care providers hold the important responsibility of our patient’s personal medical information in confidence. The hallmark attribute of the patient/nurse relationship is built on the belief and understanding of trust. In many respects a built trust of care that includes the privacy and confidentiality of a patients personal health information. The expansion of the electronic communication age has provided health care professionals the ability to work faster and with a greater degree of efficiency and accuracy. A task that would have taken me half a day 25 years ago with telephone calls and memorandums are now completed with a hand held device before I finish my first cup of Earl Grey in the morning.
The world wide web/internet has connected us in ways that are improving and expanding exponentially to move this protected information from one source to another. The problem we must contend with is how secure the information is as we move it from person to person. We must also consider the need to place this information out in cyberspace and move it around. Breaches in patient confidentiality or privacy can be intentional or inadvertent, but they can occur in a multitude of methods.
The growth of the Social Media outlets has spawned numerous issues for health care institutions to engage in the protection of patient protected health care information. Of late, improper utilization of social media by nurses has caused issues as they relate to, State laws and Federal regulations, HIPAA Health Insurance Portability and Accountability Act of 1996). The concept of protecting a patient’s information in this space has led to a blurring of the boundaries of what is private information and what is public information.
Social media venues also bring into question if what is posted should be considered personal and what should be considered professional. In this discussion, I will focus on social media sites that expose posted content to the openness of the internet. The risk associated with posting patient information on the sites and some of the penalties that can and have occurred in recent litigation cases.
Assessing risk of exposure
Blogging (an interactive form of publishing content on the web) on social networking sites exposes the risk of the material posted to be viewed in the public domain. When posted on personal sites or chat rooms the material is discoverable and no longer private, even after it has been deleted. The advances in electronic technology, currently provides this connection in our small personal hand-held devices. This poses other challenges such a theft of the device and the content in the devices electronic storage. Some examples of breaches in patient privacy can be very unassuming and done with a lack of intentional forethought. As often can be the case, skill assisted nursing care facilities have seen staff capturing images of the residents and posting them to their social media sites. These events typically have endearing captions and names accompanying the residents photograph describing something cute they did or may have said in conversion.
As inadvertent and innocent as this may have been, it was a breach of a resident/patients privacy. The same is true when a posting includes patient information described in sufficient detail that the patient can be identified without the benefit of name identification. For example, a nurse may be treating a patient in a particular unit and post the events of that day’s care. This may include the extent of the patients change in condition he/she may be sharing in the post. With this material being accessible, it can be forwarded or re-posted to any venue, placing it in a position for the general public to view. Though perhaps the intent is harmless, some patients could have their lives placed in personal jeopardy. If for example they are attempting to hide, from a previously abusive relationship.
In an August 2011, white paper published by the National Council of State Boards of Nursing (NCSBN) (www.ncsbn.org), there seems to be some misconception on the use of social media.
These misconceptions included a mistaken belief that;
- communication/posts are private and accessible only to the intended recipient.
- posts deleted from a site are no longer accessible.
- if the site is limited (private to selected recipients), the disclosure of the patient/resident information is harmless if only read by the selected recipients (if permissible disclosure has not been obtained it is still a breach of confidentiality.)
- the mistaken belief that if the patient/resident’s name is not disclosed it is not a breach.
In a 2010 NCSBN national survey, 33 of the 46 responding Boards of Nursing received complaints of nurses posting images and/or sensitive resident/patient information on social media sites. The survey also illustrated the point that 26 of the 33 reporting States Boards of Nursing took some form of disciplinary action in response to the received complaints, which at a minimum, were letters of censure to the respondents.
Paying the penalty
Another important consideration and responsibility comes with securing the device that may have patient sensitive information in storage. Electronic devices that store information such as laptops, tablets and smart phones can be stolen and the content easily accessed. These units have the capacity to hold significantly large files of patient sensitive information that is the responsibility of the health care professional entrusted to its safe keeping.
In the Rover article, occurrence of stolen electronic devices with patient sensitive information ranged from a small number to a significantly large database. In December of 2012 Hospice of Northern Idaho settled and agreed to pay $50,000 for a breach of unprotected patient information. The investigation found a self-reported theft of an unencrypted laptop with approximately 440 patient records including personal health information in the database.
The same year, Blue Cross Blue Shield of Tennessee was required to pay $1,500,000 in fines after an investigation of a reported theft of computer information. The report indicated the company failed to secure 57 computer hard drives that were stolen from the Tennessee facility. The hard drives contained protected health information on over 1 million individuals, including, names, social security numbers dates of birth, diagnosis codes and health plan data.
As a practicing licensed professional, you may be subject to potential consequences from your employer and the States Board of Nursing. The consequences are beholden to the jurisdiction, however an investigation may occur on the grounds of failure to protect patient protected health information. A Nurse may find themselves answering to accusations of unprofessional conduct, mismanagement of patient records, or breach of a patient’s confidential information.
Best course of action
Our profession spans a wide range of nurses working and practicing across chronological ages from the early twenties in and through their seventies. The level of understanding of protecting patient sensitive information in the social media area will likely vary from individual to individual. The best guidance is to think twice before you press the send/post button to a social network site. Maintaining the privacy and integrity of a patient’s health information is paramount to your relationship with your patient, and it is also the law. Understanding the electronic age poses many risks that will challenge your ability to protect this information. If you are uncertain contact/consult your employer’s policies on the use of social media. Nurses must have a sound understanding of the boundaries of the personal and professional cyberspace as well as the risks of unintentional and inadvertent exposure of this safeguarded material.
- White Paper: Nurse’s guide to the use of Social Media, NCSBN (August 2011), www.ncsbn.org
- Rover, Sara Simrall, 2013, Social Media Compliance Challenges: From HIPAA to the NLRA, Social Media And HIPAA Privacy Concerns for Health Care Providers. American Health Lawyers Association. Hospitaland Health Systems Law Institute.