Susan Childs, RN, BSN, CPHRM Dayton Children’s Hospital ... · 5 More than 1.23 billion active...


Susan Childs, RN, BSN, CPHRM, Dayton Children’s Hospital

Liz Stock, Esq., Bricker & Eckler LLP

Chris Bennington, Esq., INCompliance Consulting

7093020v1 © Bricker & Eckler 2014


“Just performed my first circumcision. I’ll be pouring one out tonight for all the lost foreskin…. #rip”


• Social Media Overview
• Employment Issues
• Social Media and HIPAA
• Real world examples and tips
• Q&A

This presentation does not constitute legal advice, and you should consult with a lawyer before relying on any statement in this presentation.

• Social Media is a “conversation” your hospital may or may not be engaged in formally – but the conversation is going on – and most likely includes your employees

• 2013 survey showed that 67% of online American adults have a profile on a social media site (83% in 18-29 age group)

Social Media

Uses internet and web-based technologies to transform broadcast media monologues (one to many) into social media dialogues (many to many).

Transforms people from content consumers into content producers.

Facebook

More than 1.23 billion active monthly users (Jan. 2014)

757 million users log into Facebook daily (Jan. 2014)

945 million mobile users (Jan. 2014)

Every day: 4.5 billion “likes”; 350 million photos added (May 2013)

Size of Facebook database: Over 300 Million GB (Nov. 2013)

Facebook’s Default Privacy Settings

A brief year by year history – reflecting society’s trend of becoming “more open?”

“The Evolution of Facebook’s Privacy Settings” by Matt McKeon from Visual Communication Lab (@mattmckeon).


Employers Are Asking:

“I can’t believe one of our employees posted that on her Facebook page! Can I fire her?”

“I Googled that applicant. Can I/should I use the information I found as grounds for not hiring him?”

“Should my supervisors be posting recommendations for former employees on LinkedIn?”

Social Networking and the Employment Lifecycle

Potential impact of social media on your hospital from an employment perspective:

• The Potential Employee
• The Former Employee
• The Current Employee

The Potential Employee

Should you use social media to make hiring decisions?

Pay Dirt: online disclosures vs. résumé, application, or job interview disclosures

Risk becoming “pregnant” with information that would be unlawful to use in making a hiring decision (e.g., religious beliefs, medical history, prior workers’ compensation claims, etc.)

Limit searches to public information

Do not obtain user’s or another person’s password to obtain access to non-public data

Segregate the searchers from the employment decision-makers

Some States have laws that prohibit:

• Asking applicants or employees for their social network password
• Taking adverse employment action for lawful conduct outside the workplace

The Former Employee

LinkedIn: provides a unique opportunity to make recommendations regarding current or former employees

But, supervisor may create evidence of “pretext” regarding the reason for a termination

The Current Employee

Use of social media on work time/equipment:

• What do your current policies say?
• What are your actual practices?

Consider extent of hospital use of social media and guidance needed for those posting on hospital’s behalf

www.twitter.com/daytonchildrens

www.youtube.com/daytonchildrens

www.facebook.com/wally.b.bear

www.twitter.com/SKGreaterDayton

www.facebook.com/daytonchildrens

www.facebook.com/safekidsgreaterdayton

www.facebook.com/womensboard

www.facebook.com/twigaux

www.facebook.com/carehousedayton

www.Pinterest.com/daytonchildrens

blog.childrensdayton.org

Instagram – Username: Dayton Childrens

The Current Employee

Main problem area: Off-duty use by employees

Just One Example
• Anonymous report on compliance hotline
• Nurse posed for photos in OR wearing medical bra over scrubs
• Posted photos to Facebook

Must be careful not to jeopardize professional ethics and/or patient privacy

Federation of State Medical Boards recently issued guidance on the appropriate use of social media in the medical practice. http://www.fsmb.org/pdf/pub-social-media-guidelines.pdf


New York Daily News article – Feb. 7, 2013

Ob-gyn rants on Facebook about a patient she claims was repeatedly late for appointments

“So I have a patient who has chosen to either no-show or be late (sometimes hours) for all of her prenatal visits, ultrasounds and NSTs. She is not 3 hours late for her induction. May I show up late to her delivery?”

The Current Employee

Consider a policy to prohibit:

• Disclosure of PHI (more later)
• Unauthorized disclosure of confidential information
• Posting content that is false, obscene, threatening, defamatory, illegal
• Posting information disruptive to your hospital’s ability to operate effectively and efficiently
• Violation of applicable law or other policies (discrimination, harassment, HIPAA, etc.)
• Friending patients
• Speaking or posting on behalf of your hospital without express authorization
• Providing medical advice via social media

CAUTION!

There are various legal limitations on an employer’s ability to prohibit certain employee activity.

Ensure policies are not overly restrictive of employee rights under the law.

National Labor Relations Act

Prohibits discrimination or retaliation against non-supervisory employees who engage in “protected concerted activity”

Includes discussions of wages, benefits, dress code, assignments, and other work responsibilities amongst employees.

Does not include “mere griping” or employee’s activity for purely personal interest.

Example:

Caseworker employed by non-profit social services provider threatens to complain to supervisor about co-workers not working hard enough

Coworker posts: “My fellow co-workers, how do you feel?”

Other coworkers respond:
• “Try doing my job. I have five programs.”
• “What the hell, we don’t have a life as is.”

Coworkers fired for harassment

NLRB decision: Terminations unlawful

Example:

Bartender unhappy about not receiving a raise for 5 years complains on Facebook:

• Calls customers “rednecks” and says he hopes they choke on glass as they drive home drunk

Bartender fired

NLRB: Termination lawful; personal venting and not “concerted activity”

What about:

Nurse posts that hospital provides poor patient care?

Nurse goes on to criticize nurse-patient ratio and benefits paid to nursing staff?

Other nurses join the discussion?


Other Laws

• Whistleblower protections
• State laws prohibiting termination for lawful conduct outside of work
• First Amendment (public employers only)
• Invasion of privacy
• Stored Communications Act

HIPAA

The Health Insurance Portability and Accountability Act of 1996.

Privacy Rule – regulates the use and disclosure of “Protected Health Information (PHI)” held by “Covered Entities.”

This includes PHI disclosed via Social Media.

Who is covered?

Covered Entities: Providers, Health Plans, and Health Care Clearinghouses

Workforce: HIPAA applies to a Covered Entity’s workforce, which includes: employees, volunteers, trainees, and other persons whose conduct is under the direct control of the Covered Entity

What is PHI?

Information that relates to:

1. the individual’s past, present or future physical or mental health or condition
2. the provision of health care to the individual
3. the past, present, or future payment for the provision of health care to the individual

Identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual

Names, addresses, dates, phone numbers, Social Security numbers, account numbers, etc.

Full face photographic images and any comparable images

“Any other unique identifying number, characteristic, or code”

Privacy Rule - Provides federal protections for PHI held by Covered Entities.

Gives patients a right with respect to that information.

Covered Entities may still disclose and use PHI for certain permitted purposes. Examples:

• Treatment – Disclosures to other providers
• Payment – Disclosures to insurers
• Health Care Operations – Disclosures for Quality Improvement
• Other – Disclosures to public health agencies

General Rule: Patient authorization is required for disclosures

Exceptions: Treatment, payment, health care operations, and certain special categories (i.e., public health, law enforcement)

If an exception does not apply, we cannot disclose without authorization.


There is no Facebook exception.


Common question: If there is no Facebook exception, why can the hospital post all kinds of patient information on its page?

Answer: The hospital obtains HIPAA compliant authorizations before posting patient information to its page (we hope!).

• Internal Investigation
• Disciplinary action
• Professional reputation
• Professional licensure
• Organizational reputation
• Notifications to patient, media, government
• Government Investigation
• Fines

An impermissible use or disclosure of PHI that compromises the security or privacy of the PHI. Unless an exception applies, a use or disclosure of PHI in a manner not permitted under the Rules is presumed to be a breach unless a covered entity demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment including certain factors.


If a breach is “reportable,” a Covered Entity must notify the patient and Health & Human Services (HHS).

If the breach involved 500 or more patients, the Covered Entity must also notify local media.

HHS investigates self-reported breaches.

HHS imposes fines for self-reported breaches.

Most social media-related breaches will be reportable.


Examples of Social Media-related breach investigations

Nursing student takes picture of baby having a PICC line placement and posts it to Facebook

Employee notified of a former patient’s death on Facebook

Anonymous report that hospital website contains photo showing patient information


HHS also learns of breaches through complaints, which may be filed by anyone.

Fines vary; up to $1.5 million per year.

Associated costs can surpass $15 million

Patients affected may now receive part of the fine/settlement paid by the Covered Entity (Regulations forthcoming).


Post-Treatment: “The surgery was weeks ago. I can talk about it on Facebook now!”

WRONG. Providers have a continuing obligation to protect PHI both during and after treatment.


Responding to patients: “I need to defend the hospital against what this patient is saying on Facebook!”

WRONG. The HIPAA obligations are not negated by a patient’s own disclosures through social media.


High Profile Patients: “I can tell my Facebook friends that Sasha Obama was just admitted to my facility. It will be in the news anyway.”

WRONG. Public figures have the same HIPAA protections as everyone else. Let the news break the story.

Level 1 – Human Error, Carelessness: Coaching/Counseling

Level 2 – At Risk Behavior, Fails to follow Procedure: Written/Final Written Warning

Level 3 – Reckless Behavior (Curiosity, Personal Use or Malicious Intent): Termination

KEY to Levels

LEVEL 1
• Lack of care or attention to process or procedure
• Carelessness that makes confidential information susceptible to being overheard, accessed or revealed to unauthorized individuals
• Non-intentional or inadvertent act to access or disclose confidential info without a work-related reason
• Failure to report disclosures

LEVEL 2
• Action that fails to comply with HIPAA or hospital policy or procedure resulting in potential or actual breach of information privacy

LEVEL 3
• Employee willfully accesses a record out of curiosity or concern; personal use or malicious intent
• Accesses, reviews or discloses confidential information without documented authorization

Provide staff with guidance on how to interact with official social media sites. Examples:

• Any photo or patient information posted by Hospital has been done so with written consent by the patient.
• You may “like” or “share” items posted on our official sites. This connects your post to our site and assures viewers we have proper authorization.
• Never post patient information or photos that were not originally posted on the official sites.
• Never provide more patient information than was posted on the official site.
• Never “friend” a person when your only relationship with that person is health care provider-patient.