Covered entities and business associates can protect themselves against the dangers of unsecured social networking Web sites by taking a hard stance against them, experts advise. Social networking sites, such as Facebook and Twitter, are examples of another new technology that presents a risk to protected health information (PHI).
It’s not common—although it’s possible—for healthcare workers to use these sites to intentionally and maliciously violate patient privacy laws.
More often, healthcare workers sign on during breaks or when they are off work and vent about their day with friends without realizing that they are sharing identifiable information and violating HIPAA.
“These professionals are well educated, but that doesn’t mean they are savvy with security,” says Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR. The finality of disclosures on these Web sites is what makes the situation so dangerous, Apgar says. “Once you put something out there, it’s out there, and it’s never coming back,” he says.
Banning these Web sites from the hospital network is one strategy that many organizations use, Apgar says.
Spring Harbor Hospital in Westbrook, ME, bans access to Web sites such as Facebook on facility computers, says Chris Simons, RHIS, who serves as the facility’s privacy officer and director of HIMS. “We also include it in orientation as a no-no,” Simons says. “We have had some issues with staff on Facebook saying inappropriate things about their managers and have addressed that.”
St. Dominic Jackson (MS) Memorial Hospital similarly has banned access to social networking sites on all hospital-owned computers and laptops, says Dena Boggan, CPC, CMC, CCP, the hospital’s HIPAA privacy/security officer.
Boggan sends weekly HIPAA tips to all employees. Immediately after initiating the ban, she sent a tip that described the dangers of blogging about work experiences, especially healthcare events, on social networking sites.
Continually reminding staff members is important because they don’t always understand the dangers that seemingly harmless posts and entries may present, says Boggan. “These are cautious reminders to be very aware that although it may be your personal site, the Internet has eyes everywhere,” she says.
Rhonda Edgecomb, RHIT, CHP, chief privacy officer at Community Health and Counseling Services in Bangor, ME, doesn’t see social networking sites as a concern within her organization. But she understands how problematic they can be.
As a member of a social networking site, Edgecomb has read inappropriate postings by peers who work in healthcare settings. “They refer somewhat vaguely to cases that they worked on, and I have a huge issue with that,” she says.
Access to personal e-mail accounts from the hospital network is just as dangerous, and organizations are beginning to ban this practice as well.
A physician who logs on to a personal Yahoo! Mail account to send him- or herself a list of patients to access at home is one example of inappropriate use, Apgar says. That’s a breach of a lot of information, he explains. The hospital network may be encrypted, but the information won’t be encrypted once the physician opens the e-mail at home.
Some organizations hesitate to block Web mail from the hospital network because a blanket block on the providers' domains would also cut off their search engines, such as Google and Yahoo!, which staff members use daily. However, blocking the specific Web addresses used for e-mail accounts while maintaining access to the search engines is possible, Apgar says. Discuss this option with your information technology department. It's another way for providers to protect themselves.
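The distinction Apgar draws, blocking the mail hosts without blocking the search engines that share a parent domain, comes down to how the filter matches hostnames. The following is an added example, not code from the original article or from any of the organizations quoted in it. It assumes a forward proxy or URL-filter hook that hands each requested URL to a decision function; the list of webmail hostnames is a constructed illustration, not a vendor-supplied or complete one.

```python
"""Host-based web filter: block consumer webmail, leave search engines reachable.

Added example (not from the article). Assumes a proxy/URL-filter hook that calls
decide(url) for each request and honours "allow"/"block". WEBMAIL_HOSTS is a
constructed, illustrative blocklist.
"""
from urllib.parse import urlsplit

# Constructed blocklist of mailbox/login hostnames. Note that the parent
# domains (google.com, yahoo.com) are deliberately NOT listed.
WEBMAIL_HOSTS = frozenset({
    "mail.google.com",
    "mail.yahoo.com",
    "login.yahoo.com",
    "outlook.live.com",
    "mail.aol.com",
})


def host_of(url: str) -> str:
    """Return the lowercase hostname of url, without userinfo, port or trailing dot."""
    if "://" not in url:
        url = "http://" + url  # bare host:port form, as seen in an HTTPS CONNECT
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def is_blocked_host(host: str, blocklist=WEBMAIL_HOSTS) -> bool:
    """True if host equals a blocked name or is a subdomain of one.

    Matching walks DNS labels rather than doing a substring search, so
    "www.google.com" and "search.yahoo.com" stay allowed while
    "mail.yahoo.com" and "us-mg5.mail.yahoo.com" are blocked.
    """
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def decide(url: str) -> str:
    """Allow/block decision for one requested URL. Malformed input fails closed."""
    host = host_of(url)
    if not host:
        return "block"
    return "block" if is_blocked_host(host) else "allow"


def naive_decide(url: str) -> str:
    """The overbroad rule the article warns about: a substring match on the brand.

    It blocks www.google.com (search) along with mail.google.com, which is why
    organizations fear that blocking webmail means losing the search engines.
    """
    host = host_of(url)
    return "block" if any(brand in host for brand in ("google", "yahoo", "aol")) else "allow"


if __name__ == "__main__":
    for u in ("https://mail.google.com/mail/u/0/",
              "https://www.google.com/search?q=hipaa",
              "https://us-mg5.mail.yahoo.com/neo/launch",
              "https://search.yahoo.com/search?p=hipaa"):
        print(f"{u:45} label-match={decide(u):5} substring={naive_decide(u)}")
```

The filter keys on the hostname the proxy sees, which for HTTPS is the name in the CONNECT request, so it does not depend on inspecting page content. It only governs traffic that passes through the hospital proxy; it does nothing about a personal phone on a cellular connection, which is why the organizations above pair the technical block with orientation and recurring reminders.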
Adapted from Briefings on HIPAA, November 2009, HCPro, Inc.