From Baby Boomers to Millennials How to Remain HIPAA Compliant in the Age of Social Media Molly Staley, Marketing Consultant Capital Ortho
So, who exactly is a millennial and who is a baby boomer So, who exactly is a millennial and who is a baby boomer? Why are we looking at generations as it relates to social media and HIPPA compliance. The rules are essentially the same for everyone. But different generations tend to utilize social media differently. So, it’s important to communicate clearly to ALL employees in your organization. While older employees may chose to use Facebook primarily, younger generations are utilizing Snapchat and Instagram more often. Challenge for employers OR if you’re in the greatest generation, a Xennial, like myself.
I think we could all agree that the way we communicate has drastically changed over the past 15 years.
Now these are two extremes Now these are two extremes. But the point is, that when it comes to social media, we have to be careful to think before we hit publish.
Quick Review… What is HIPAA?? The Health Insurance Portability and Accountability Act of 1996 is U.S. legislation that provides data privacy and security provisions for safeguarding medical information. Established in 1996… which was pre-social media boom! FaceMash was established in 2003, which later became TheFacebook in 2004 and was only available to college students with a valid college email address. Then in 2006, Facebook became available to the general public, which cued the rise to fame for social media.
Protected Health Information Protected Health Information is any health information that can be tied to an individual and includes one of more these 18 identifiers. Names (full or last and initial) Geographical Identifiers smaller than a State Dates (other than year) Phone Numbers Fax Numbers Email addresses Social Security Numbers Medical Record Numbers Health insurance beneficiary numbers Account Numbers Certificate/License Numbers Vehicle Identifiers Device Identifiers and Serial Numbers URLs IP Address Numbers Biometric Identifiers Full face photos and comparable images Any other Unique Identifying Number, Characteristic, or Code As a healthcare company or one who works with healthcare companies, you are responsible for taking care of those who come to you for help. You should not look at HIPAA compliance as a necessary evil or something you need to navigate so as to not get into trouble with the law. You should instead view it as a set of guidelines that help you in your quest to provide the absolute best care for your patients. Source: HIPAAJournal.com
HIPAA & Social Media: What’s the Big Deal? According to HHS, the majority of HIPAA violations in recent years have occurred from employees mishandling PHI, many of which stem from inappropriate social sharing. Violations can result in fines ranging from $100-$1.5 million or Criminal Penalties which can result in fines up to $250,000 and up to 10 years in prison. Other potential consequences include lawsuits, loss of medical license, & employee termination. Give real life examples.
Many researchers believe that by the year 2025, Millennials will make up over half of the workforce in the US. And 75% of all internet users have at least one social media account. The popularity of social media networks combined with the ease of sharing information means HIPAA training should include the use of social media. If employees are not specifically trained on HIPAA social media rules it is highly likely that violations will occur. Photo credit: Entrepreneur.com
Common Social Media HIPAA Violations Posting of videos or images of patients without written consent Posting of gossip about patients Posting of any information that could allow a patient to be identified Posting videos or images taken inside a healthcare facility in which patients or PHI are visible Read 3 examples Sharing of photos, videos, or text on social media platforms within a private group
HIPAA Social Media Guidelines Develop clear policies covering social media use and ensure all employees are aware of how HIPAA relates to social media platforms Train all staff on acceptable social media use as part of HIPAA training and conduct refresher training sessions annually Provide examples to staff on what is acceptable- and what is not- to improve understanding. Communicate the possible penalties for social media HIPAA violations- terminations, loss of license, and criminal penalties Ensure all new uses of social media sites area approved by your compliance department Review and update your policies on social media annually Develop policies and procedures on use of social media for marketing, including standardizing how marketing takes place on social media accounts Develop a policy that requires personal and corporate accounts to be totally separated
Guidelines Cont. Create a policy that requires all social media posts to be approved by your legal or compliance department prior to posting Monitor your organization’s social media accounts abd communications and implement controls that can flag potential HIPAA violations Maintain a record of social media posts using your organization’s official accounts that preserves posts, edits, and the format of social media messages Do not enter into discussions with patients who have disclosed PHI on social media Encourage staff to report any potential HIPAA violations Ensure social media accounts are included in your organization’s risk assessments Ensure appropriate access controls are in place to prevent unauthorized use of corporate social media accounts Moderate all comments all social media platforms
Guidelines Cont. Create a policy that requires all social media posts to be approved by your legal or compliance department prior to posting Monitor your organization’s social media accounts abd communications and implement controls that can flag potential HIPAA violations Maintain a record of social media posts using your organization’s official accounts that preserves posts, edits, and the format of social media messages Do not enter into discussions with patients who have disclosed PHI on social media Encourage staff to report any potential HIPAA violations Ensure social media accounts are included in your organization’s risk assessments Ensure appropriate access controls are in place to prevent unauthorized use of corporate social media accounts Moderate all comments all social media platforms
Resources hipaajournal.com/hipaa-social-media/ hipaajournal.com/hipaa-compliance-checklist/ hhs.gov/web/social-media/policies/index.html https://www.crccertification.com/code-of-ethics-4
Main thing with social media and HIPAA is think before you post Main thing with social media and HIPAA is think before you post!! Social media can be a fun way to connect with others and find out what’s going on in the community and with the world, it can also open up new ways for businesses to engage with their customers and clients. Once you’re educated on how to avoid HIPAA violations, you’ll see that social media can benefit your business and you don’t need to be afraid of “being social”!