In a recent survey, co-sponsored by the Health Care Compliance Association, “social media” emerged as the No. 1 risk concern among respondents in healthcare.
In truth, patient information can and does end up on Facebook and on other Internet sites. In reviewing cases published in major media and by the federal government, the culprits are often those working within healthcare.
Consider a 2015 report published in the Journal of Nursing Regulation:
Referencing a 2014 survey, the National Council of State Boards of Nursing (NCSBN) revealed that 48% of responding Boards of Nursing (33 in number) face challenges with social media. Several boards in the survey reported images of wounds or procedures being shared across social media after being photographed on mobile phones.
NCSBA has called for greater awareness and vigilance to stop this kind of activity. In a published guide on uses of social media, SCSBA reminds nurses and others of the blanket responsibility to safeguard any and all patient information, and to limit disclosures only to members of a health care team who need to know for the purpose of providing care to an individual.
NCSBA has recommended numerous guidelines for nurses, which could also pertain to others. Examples include:
Do not transmit any patient-related image via any electronic media
Do not share, post or otherwise disseminate any information, including images, about a patient
Remember, too, that patient information can spread in unanticipated ways.
In one example, the Tampa Bay Times reported on a nurse who snooped out medical records of her nephew’s partner, and learned that she had delivered a baby and had put the child up for adoption. The nurse gave a printout to another family member, and the news came out at a family funeral. Anyone who heard could have posted or Tweeted.
In an older case reported by the federal government, a different, less obvious kind of improper exposure is worth noting, because it illustrates how breaches can happen even in the course of normal business. In this case, a physical therapy provider agreed to a $25,000 settlement after posting patient testimonials to its website. The testimonials included full names and photographs, but the provider had not obtained valid, HIPAA-compliant authorizations. Enough said to beware.
Ultimately, the work of safeguarding patient information is about creating a culture in which daily habits put a priority on privacy and security.
Risk assessment, as required under HIPAA rules, is essential. In a healthcare organization, that means examining of how, where and under what circumstances information might be improperly seen, heard, accessed or compromised. The task is to go step by step, in anticipating potential threats, implementing solutions and then putting precautionary habits into daily practice.
In a culture of vigilance, the safeguarding of patient information is top-of-mind. In such a culture, it would be unthinkable to hand a relative a printout containing patient information.
By contrast, a culture of laxity invites breaches. And with the prevalence of social media, laxity opens an avenue for fast spread of patient information to the masses.
The way to protect against a social media nightmare: Strive to create a dream team in your midst – where those with access to patient information guard it jealously from any possible abuse. It is impossible to eliminate risk altogether. But a culture of vigilance closes off many of the access points that result in breaches in general and pathways to social media.