HIPAA Compliance and Social Media Concerns
September 2013
Presenter: Jennifer A. Dukarski
of Butzel Long
Professional Branding in the Digital Age
Digital media creates virtually limitless opportunities to promote and protect your brand and products…
Professional Branding in the Digital Age… continued
… while leaving an almost limitless opportunity for employees, customers and others to destroy that brand
Because the internet comes with a price…
Online interaction differs from face-to-face communication as people are prone to behave at their worst and forget about consequences. This is the Online Disinhibition Effect!
• You don’t know me (dissociative anonymity)
• You can’t see me (invisibility)
• You won’t see me until later (asynchronicity)
• It’s all going on in my head (solipsistic introjection)
• It’s just a game (dissociative imagination)
• There’s no cops (minimizing authority)
The Online Disinhibition Effect, John Suler (2004)
Why Digital Media Matters: Consumers Use Social Media
• 42% use social media to access health-related reviews
• More than 80% of 18-24 year olds would share health information through social media
• Almost half (45%) of individuals from 45-64 would share health information over social media
PricewaterhouseCoopers HRI Consumer Survey, 2012
Why Digital Media Matters: What an Employer Does Has Consequences
• We asked or encouraged an employee to use Social Media.
  – Social media is becoming inseparable from some job functions.
  – Some individuals are asked to “host the company account” or post for the office.
• We have “deep pockets” and an offended party sues us, too.
  – For example, NBA Referee Bill Spooner sued AP Reporter Jon Krawczynski and the Associated Press for comments surrounding a questionable call.
An Online Treasure Trove: PII and PHI
Personal Identifying Information (PII)
• Individual Social Security Numbers
• Addresses
• Credit Card Data
Personal Health Information (PHI)
• Names
• Geographical identifiers smaller than a state
• Dates related to an individual
• Phone numbers
• Fax numbers
• Email addresses
• Social Security numbers
• Medical record numbers
• Health insurance beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers (including license plates)
• Device identifiers
• URLs
• IP addresses
• Biometrics (finger, retinal and voice prints)
• Full face photos
• Other unique identifying number, characteristic or code
Leaking PII and PHI is easier than you think…
• California, April 9, 2010: Nurse photographs stabbing victim and puts his image (including his face) on Facebook
• Westerly Hospital, Rhode Island, April 21, 2011: Physician tells stories of Emergency Room experiences on Facebook, including details that may allow a third party to determine the individual involved
• Martin Memorial Center, Florida: employees were disciplined after taking and sharing photos of a shark bite victim
• Palisades General Hospital: “George Clooney is here”
• Medical Blogs: over 17% of blogs by professionals may contain sufficient information to establish the identity of a patient
I Lost My Data on the Internet: LabMD and the Federal Trade Commission
8/29/2013: The FTC files a complaint against LabMD for failing to protect medical and other sensitive information over a peer-to-peer network (software commonly used to share music, videos and other materials). The complaint alleged that LabMD (which performs medical testing for consumers nationwide) did not take reasonable and appropriate measures to prevent unauthorized disclosure of sensitive consumer data, including PHI.
What is Bring Your Own Device?
• Bring Your Own Device (BYOD) is the policy of allowing employees to bring their own mobile devices (laptops, tablets, smart phones, etc.) to the workplace
• BYOD also may include use of non-company email and document sharing (Dropbox / SharePoint)
BYOD – The facts and statistics
• The average U.S. employee carries 3 mobile devices
• 81% of employees use personal devices at work
• 91% of tablet users and 75% of smart phone users have disabled auto-lock security
• 93% of employees admit to violating policies designed to prevent breaches and noncompliance
• 70% of physicians and health IT specialists use personal mobile devices to access electronic health records
© 2013 Butzel Long
Risking it all on BYOD?
• Cell Phones: A health clinic employee set his personal phone to “auto-forward” his University messages to his Google account. The phone was not password protected. While on vacation, the cell phone went missing.
• Flash Drives: A University professor lost his personal flash drive with ID including social security numbers for over 1000 students.
• Laptops: Just like the theft of a work laptop at Massachusetts Eye and Ear Infirmary that led to a $1.5 M fine to HHS, the theft of data from a personal laptop is equally risky.
• BYO Software/File Sharing: Dropbox, for example, openly admits that it is not HIPAA compliant. The same is true of many cloud-based file sharing programs.
Breaches: BYOD heightens the risk
Source: Health Information Privacy/Security Alert Analysis of HHS Office for Civil Rights Data
• Paper Records accounted for 116 incidents and were involved in 5 major breaches
• Laptops accounted for 111 breaches and were involved in 15 other issues
• Portable Electronic Devices (smart phones, iPads, etc.) accounted for 69 breaches and played a role in 11 other cases
• Network Servers were the sole cause of 46 breaches and were involved in 13 other cases
• Business Associates accounted for 103 breaches, the equivalent of 1 of every 9 incidents
It may feel like the Wild West…
When implementing a strategy to deal with Digital Media, organizations should consider all of the legal risks involved:
• Other Potential Legal Constraints
  – Media, Privacy and Communications
    • Reputation management
    • Stored Communications Act
  – Labor and Employment
    • Wage and Hour concerns
    • Hiring and Firing
  – Intellectual Property
    • Patents, Trademarks and Copyright
    • Domain Names and Social Media Accounts
  – Contractual and Ownership Rights
    • Ownership of social media followers, contacts, content and websites
  – Endorsement and Other Regulatory Concerns
… But a preventative approach can mitigate the risks
• Social Media Use Strategies
  – Implement or Review and Audit your BYOD Policy
  – Review and Revise or Adopt a Social Media Policy
  – Review Your Employee Handbook
• Data Security Strategies (LabMD Takeaways)
  – Implement and maintain a comprehensive data security program which includes addressing Business Associate risk
  – Use readily available measures to identify commonly known and reasonably foreseeable security risks and vulnerabilities
  – Use adequate measures to prevent employees from accessing personal information not needed to perform their jobs
  – Train employees on basic security practices
  – Use readily available measures to prevent and detect unauthorized access to personal information
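The identifier categories listed under PII and PHI earlier in the deck, together with the LabMD takeaway to "use readily available measures to prevent and detect" disclosure, can be turned into a simple pre-publication check for people who host the company account or post for the office. The scanner below is an added example written for this transcript; it is not material from the presentation or from Butzel Long. The regular expressions, the category names and the draft post are constructed for illustration and cover only the identifier types that have a regular shape (SSNs, phone and fax numbers, e-mail addresses, IP addresses, URLs, dates and a medical record number format); names, faces and small geographic identifiers have no such shape and need review or policy controls instead.

```python
import re
from dataclasses import dataclass

# Regular expressions for a subset of the PHI identifier categories listed on
# the slides. The patterns are constructed for this example and are deliberately
# simple; a real DLP rule set needs broader coverage and false-positive tuning.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+"),
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "medical_record_number": re.compile(r"\bMRN[:#\s]*\d{5,}\b", re.IGNORECASE),
}


@dataclass(frozen=True)
class Finding:
    category: str
    value: str
    offset: int

    @property
    def end(self):
        return self.offset + len(self.value)


def scan_for_identifiers(text):
    """Return non-overlapping findings ordered by position in the text."""
    raw = [
        Finding(category, m.group(0), m.start())
        for category, pattern in PATTERNS.items()
        for m in pattern.finditer(text)
    ]
    # Prefer the earliest, then the longest, match when two patterns overlap.
    raw.sort(key=lambda f: (f.offset, -len(f.value)))
    kept, last_end = [], -1
    for f in raw:
        if f.offset >= last_end:
            kept.append(f)
            last_end = f.end
    return kept


def redact(text, findings):
    """Replace each finding with a category tag, working right to left so the
    earlier offsets stay valid while the string is being rewritten."""
    out = text
    for f in sorted(findings, key=lambda f: f.offset, reverse=True):
        out = out[: f.offset] + f"[{f.category.upper()} REDACTED]" + out[f.end :]
    return out


def is_safe_to_post(text):
    """True when none of the listed identifier patterns appears in the text."""
    return not scan_for_identifiers(text)


# Constructed draft of the kind of post the slides warn about. The patient name
# is included on purpose: pattern rules do not catch names or faces in photos,
# which need human review or policy controls rather than regular expressions.
DRAFT_POST = (
    "Crazy ER shift today! Patient John Q. Sample (MRN 0048213) came in on "
    "4/21/2011 with a shark bite. Family can reach me at 555-867-5309 or "
    "jdoe@example-clinic.org. Chart photo: https://example.invalid/chart.jpg "
    "SSN on the intake form was 123-45-6789. Posted from 192.0.2.44."
)

if __name__ == "__main__":
    found = scan_for_identifiers(DRAFT_POST)
    for f in found:
        print(f"{f.category:22s} at {f.offset:3d}: {f.value}")
    print()
    print(redact(DRAFT_POST, found))
```

The scan reports seven findings in the constructed draft and the redacted copy passes `is_safe_to_post`, while the name "John Q. Sample" survives untouched: that gap is the reason the deck pairs technical measures with training and policy review rather than relying on either alone.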