Social Media and Texting: A Growing Concern

Size: px

Start display at page:

Download "Social Media and Texting: A Growing Concern"

Eugenia Fletcher
6 years ago
Views:

Social Media, Care Providers Texting: How Do You Protect PHI?

By: Donna Thiel, VP & CCO, Fortis Management Group, LLC Craig

, Lane Powell PC 1 Social Media and Texting: A Growing

1 Social Media, Care Providers Texting: How Do You Protect PHI? HCCA Compliance Institute Monday, April 18, 2016 Presented By: Donna Thiel, VP & CCO, Fortis Management Group, LLC Craig Day, Esq., Lane Powell PC Sarah Swale, Esq., Lane Powell PC 1 Social Media and Texting: A Growing Concern 73% of U.S. population has a social network profile By 2014, cell phones outnumbered people By 2017, over 50% of employers are projected to require that employees use their own mobile device at work 2 1

2 HIPAA Regulatory Scheme 3 HIPAA Regulatory Scheme Privacy Rule Prohibits the unauthorized use or disclosure of protected health information What is PHI? Individually identifiable information About physical or mental health condition or treatment (includes payment) Use and Disclosure Authorized uses under law rule and examples Resident authorization 4 2

3 HIPAA Regulatory Scheme Security Rule Designed to protect electronic PHI Safeguards standards and implementation specifications Security measures Administrative Technical Physical Apply to maintenance and transmission of PHI Flexible: requires compliance but covered entity decides on specific security measures 5 HIPAA Regulatory Scheme Social Media No specific rules or guidelines Privacy Rule May not use or disclose PHI unless Authorized; or HIPAA exception applies Security Rule Applies if PHI stored on electronic device or inter/intranet Requires comprehensive analysis Reasonable measures to protect PHI Breach: must report, remediate, penalties may apply 6 3

Restrictions on Limiting Employee Use of Social Media and Texting Anti-Discrimination Laws: taking employment action based on protected status discovered via social media Fair Credit Reporting Act:

4 Restrictions on Limiting Employee Use of Social Media and Texting Anti-Discrimination Laws: taking employment action based on protected status discovered via social media Fair Credit Reporting Act: conducting background checks on social media w/o proper notice Privacy Laws: requiring employees to provide access to non-public information, hacking into account, or using deception National Labor Relations Act: interfering with employee s Section 7 right to engage in concerted activities by discussing terms and conditions of employment via social media and text Activity does not need to be related to union organizing E.g., wages, hours, discipline, or other conditions of employment 7 BYOD: Bring Your Own Device What devices will employer support? Who controls the account/data and who pays for service? What kind of monitoring can employer do? Employer allowed to view business-related texts? What are litigation hold requirements for data on devices? Employee required to keep all business-related texts? What are restrictions on employee use of device? Employee allowed to use device on floor? Employee allowed to use the device to discuss PHI? What happens to device when employee leaves employment? Retrieve device before termination / Shut down access Device application to wipe confidential data Non-disclosure agreement to prevent data leaks CLEAR WRITTEN POLICY 8 4

5 Texting: Discussion Scenario Attending Physician requests staff text her instead of calling her when they need to reach her. Does Center policy address use of personal cell phones on floor and/or for business purposes? Does Center policy address texting PHI? Does Center have a BYOD policy? Or does Center provide business cell phones? Does Center have any type of texting encryption available? If Center decides to permit texting, how will Center capture the conversation or direction from the AP? Twist: A family member asks that you text with routine care updates. 9 Social Media: Discussion Scenario Your Center has claimed a FB site and is using it to post events and recruit new staff. Staff member posts negative comments about Center on site. What can you do? As owner of the site, can you remove post? Can you discipline the employee for posting? Do you have a social media policy or other employment policies regarding disparaging comments about the Center? Do you just ignore it? 10 5

6 Security: Discussion Scenario LTC employee takes selfie with resident on her phone, uploads it to her work computer, and posts it on Facebook along with a brief description of resident s mental and physical condition. Employee loses phone and your system is hacked by a state actor. You receive a ransom note. Resident learns of the issue, is humiliated and contacts the Office of Civil Rights. Do you have policies that prevent employees from doing this? Do you have policies designed to prevent the breach of your system? Do you have employee training on using devices safely (e.g., secure networks) and avoiding phishing s or hackers? 11 Remote Access Issues Surveyors who want to use their own devices to access EMR APs and MDs who want to use their own devices to access records Employees working remotely Caution: time spent reading and responding to s and texts, and time spent answering phone calls, are hours worked and generally must be compensated 12 6

7 Third Party Access Issues Do you allow generic accounts? How do you ensure the devices are virus free before they come into your network? How does this impact the bandwidth for your staff? How long does it take for them to get provisioned if they don t use generic accounts? 13 Agency Access Issues Do you allow generic accounts? How do you log who has which account? How do you audit to make sure you are properly logging access? 14 7

8 15 8

Electronic Communication of Personal Health Information

Electronic Communication of Personal Health Information A presentation to the Porcupine Health Unit (Timmins, Ontario) May 11 th, 2017 Nicole Minutti, Health Policy Analyst Agenda 1. Protecting Privacy