
Patient Privacy Protection?

It’s Getting More Complicated…


If You Are on Facebook

“Tom & I are starting infertility treatments”

“I had no idea my wife would talk about this on Facebook!”

“Really!”

MyHealthCommunity Social Network, Inc
135 Market St., Portsmouth, NH, 03801
603-553-2997 www.myhealthcommunity.net

Copyright © 2010 MyHealthCommunity Social Networks, Inc. All Rights Reserved


Temptation of Social Media Hard to Resist

500 million active users on Facebook

A temptation few businesses can resist.

Hospitals are no exception – 551 with Facebook accounts*


[Chart: 762 Hospitals on Social Media, July 24, 2010. Counts by channel: 99 Blogs, 348 YouTube Profiles, 551 Facebook Fan Pages, 583 Twitter Accounts. Source: www.ebennett.org/hsnl]
History Repeats Itself Over and…

[Graphic for Mashable.com by Lisa Waananen]

…and Over and…

[Graphic for Mashable.com by Lisa Waananen]

…and Over with Facebook Privacy Compromises

How will your hospital’s patients’ privacy be compromised in the future?

[Graphic for Mashable.com by Lisa Waananen]


ACLU Response to Facebook on Places

Consumer Privacy, Free Speech, Internet Privacy

• “While the ACLU of Northern California and Facebook both agree that location information is very sensitive, the ACLU of Northern California disagree that Places gives users adequate control of how and when to share this information… We understand and appreciate the various privacy protections and options that are currently available to Places users. But there were some straightforward steps that we highlighted to Facebook that they could have taken to improve the privacy features before launch. Not having these common sense privacy protections has unfortunately overshadowed some of the safeguards that the Places team worked so hard to build into the product.”
~ ACLU of Northern California
http://www.aclunc.org/issues/technology/blog/facebook_addresses_several_privacy_problems.shtml

• Bottom line: again, Facebook gave no warning to users that they would be opted in, and it is again a confusing, multi-step process to opt out.

Telling Facebook To Do a Privacy Check-In

• The ACLU chapter recommends that Facebook make it an opt-in, rather than opt-out, process for apps to access a user's friends' data, and require that apps list the specific profile data fields that they will be accessing.

“Of course, you shouldn’t have to do all of this to protect your own privacy. Instead, Facebook should make sure that your information is under your control, that you can choose who can check you in, who can see when you’re “Here Now,” whether your check-ins are permanent, and whether apps can see your last check-in.”
~ ACLU, August 19, 2010, http://dotrights.org/facebook-places-your-friends-are-here-what-about-your-privacy
When Patients Post ~ Privacy Is Not a Concern??

The risk of violating HIPAA [1] does not appear to worry some hospitals, as patients post on the walls of the hospital’s Facebook page with their own name and photo, or with the name and photo of a friend, relative or child. Some hospital marketing departments encourage patients to share their personal stories in these very open, public social spaces.

The interpretation is that these patient stories are voluntarily told by the patient or parent, and so the revealing of personal health information does not violate HIPAA standards. Photos are often posted by the patient or relative along with the story, so the patient is identifiable.

Will any of these patients or relatives regret this later?

[1] Health Insurance Portability and Accountability Act (HIPAA) of 1996. HIPAA was enacted in part to maintain the privacy of patients' medical and personal information by creating national standards to protect individuals' medical records and other protected health information (PHI).
Details Revealed Today May Be a Regret Tomorrow

Postings on Facebook can be very specific about patient medical conditions. Parents may not realize the risks of revealing this personal medical information.
Who Is Worried About Revealing Medical Information?

“WASHINGTON — The Obama administration is rewriting new rules on medical privacy after an outpouring of criticism from consumer groups and members of Congress who say the rules do not adequately protect the rights of patients… The rules specify when doctors, hospitals and insurers must tell patients about the improper use or disclosure of information in their medical records. Such breaches appear to have become more frequent, with the growing use of health information technology, social media and the Internet.”
~ “Tighter Medical Privacy Rules Sought” by Robert Pear, New York Times, August 23, 2010, p. A11, New York edition
Hospital Staff Compromise Patient Privacy on Facebook

Courtney Berlin, a spokeswoman for Tri-City Medical Center in Oceanside, Calif., said several hospital employees were recently disciplined for “using Facebook to post their personal discussions concerning hospital patients.”

“We recently identified an incident involving hospital employees who used social media to post their personal discussions concerning hospital patients,” Tri-City CEO Larry Anderson stated, adding that an internal investigation “yielded sufficient information to warrant disciplinary action.”

[Photo: Tri-City Medical Center CEO Larry Anderson stands in front of the hospital in Oceanside. Photo by Hayne Palmour IV, Staff photographer]

Source: NCTimes.com
Social Media Policy Is a Must to Guide Staff

• Kaiser Permanente, California’s largest health care provider, enacted a social media policy in 2009.

• Vince Golla, digital media and syndication director for Kaiser, wrote in an e-mail that the policy was necessary “to help employees understand their responsibilities in social media channels and show them how they can safely engage.”

• The policy forbids Kaiser employees from sharing any kind of information that might lead to the identification of a patient.

• A section of the policy states: “Even if an individual is not identified by name within the information you wish to use or disclose, if there is a reasonable basis to believe that the person could still be identified from that information, then its use or disclosure could constitute a violation of the Health Insurance Portability and Accountability Act.”

Source: NCTimes.com; http://www.ebizdocs.com/blog/?p=455 (Tuesday, May 25th, 2010 at 2:39 pm)


Cautions for Clinical Staff on Social Media Sites

• Kathleen McCormac, RN, JD, San Francisco attorney, cautions against giving healthcare advice on social media sites. “Nurses should not share patient experiences online,” McCormac says. “Even if you don’t identify the patient, the HIPAA [Health Insurance Portability and Accountability Act] violation still exists. You don’t have the patient’s permission.”

• “There isn’t sufficient security on these sites,” McCormac says. “Everything is ‘discoverable,’ ” meaning it could be used as evidence in all legal matters, including claims with the board of registered nurses.

• The problem arises when access is open to anyone. “If it’s not controlled and hasn’t been sanctioned, you are probably outside the safety net,” she says. You need a disclaimer that the discussion is not intended to provide medical advice.

Source: http://news.nurse.com/article/20100809/NATIONAL01/108090045/-1/frontpage
Managing Social Media in Your Hospital

• Staff education on appropriate use of social media, as part of mandatory education.
• Social media policy and/or staff guidelines are vetted through Legal and posted online on the website and on a Facebook tab.
• Corporate guidelines should be flexible to accommodate users’ needs. If the customer perceives that it is mandated from the top level, it is less likely they will see this as a friendly conversation.
• Staff should be assigned responsibility to monitor comments.
• Have a response plan for negative comments or for redirecting users with clinical needs. Establish the process and make staff aware of how to address or escalate negative comments.
• The hospital must track privacy policy changes on Facebook.
• The hospital needs to educate users about these changes and how the changes may affect them.
• The hospital makes recommendations on how users should use Facebook to better protect their privacy when sharing PHI.
• The hospital can offer classes to the public on Facebook use:
  - Customers NOT revealing PHI in wall posts
• Facebook teams exist: clinical super-users or medical staff, or key marketing and fund development staff.
Facebook Headlines: Hospital Staff Posting on Facebook While Patient Is Dying

Officials investigate Facebook postings of photos of St. Mary patient (excerpt)
By Kelly Puente, Staff Writer
Press-Telegram, Long Beach, CA

LONG BEACH - State health officials on Wednesday were continuing their investigation into a major breach of patient privacy at St. Mary Medical Center in Long Beach after some hospital staff members took pictures of a dying patient and reportedly posted the photos on Facebook.

On April 9, William Wells, 60, was rushed into the St. Mary emergency room with his throat slashed so severely he was nearly decapitated. Instead of focusing on treating him, nurses and other hospital staff took pictures of Wells and posted them on Facebook, a whistle-blowing employee told the Los Angeles Times.

Wells died from his injuries… Hospital officials said four staff members were fired and three were disciplined as a result of the privacy violation… Ralph Montano, a spokesman for the California Department of Public Health, said the department is investigating the incident along with eight other possible breaches of patient privacy at St. Mary this year.
Establish Guidelines & Educate Staff

Establish guidelines for responsible participation by employees and volunteers with personal blogs and personal activity/posts on Facebook, Twitter, etc. Communicate these regularly to all staff. Consider an amendment to your Code of Conduct:

• Remind employees that their posts and updates on social media are a reflection not only of themselves but of the hospital, and to use good judgment.
• Restrict sharing of any confidential information, patient information, etc.
• Empower employees with how to respond to negative feedback and comments that may be posted about the hospital.
• Communicate your expectations on complaining about one’s job, making negative comments about the hospital, defaming the competition, etc.
• Remind employees that any posts and updates are not private. The world-wide web is the audience.

Guide employees on the use of social media in regard to mentions, posts, updates, etc. so that they are not discouraged from participating.

Source: Jimmy Warren, President, TotalCom Communications. Blog, Marketing Your Hospital: Resources for best traditional and social marketing practices. http://marketingyourhospital.com/2009/07/16/create-a-social-media-policy-for-your-hospital/
Develop a Process to Interact with Social Media

Establish a process to handle complaints and negative comments, including:
• It is important to respond immediately, responding in the same social media (Facebook, Twitter, etc.) in which the complaint appeared.
• Provide examples of appropriate replies (e.g. “I am truly sorry that this happened. Our goal is to provide the best service to you. Please contact me at ________ or Direct Message me. I would like to help.”).

Incorporate guidelines for crisis/disaster management of your hospital as it relates to social media: what information would be posted, who would post it officially from the hospital, etc.

Communicate directives regarding posting patients’ personal health information, including photographs, dispensing medical advice, etc.

As social media changes, so must your social media policy. Your Marketing/Public Relations/Community Relations Department should collaborate with Human Resources and Legal to ensure proper guidelines are developed and then properly communicated to the appropriate staff.
Elements of a Social Media Policy for Hospitals for Posts Facing Out to the Public

• Your hospital’s social media policy for official outposts can simply be an amendment to your current Communication Policy, since a smaller group of people are participating (Marketing, PR or Community Relations Department).
• Define the purposes/objectives for each social media channel selected (e.g. using Twitter to monitor what the public is saying about your hospital; pushing information, announcements, fund drives & events on Facebook).
• Redirect patients to a more private channel for medical information exchange specific to their medical needs.
• Ensure there is thorough understanding of each social media channel within the department as well as by the board, CEO, etc. If necessary, utilize one of the tutorials on (where else?!) YouTube.
• Include current policy for corporate identity/branding.
• Communicate that official outposts should be authentic, transparent, in good taste, respectful of copyrights, and protective of confidential and proprietary information. In addition, official outposts should be relevant and bring value to the audience.

Source: Jimmy Warren, President, TotalCom Communications. Blog, Marketing Your Hospital: Resources for best traditional and social marketing practices. http://marketingyourhospital.com/2009/07/16/create-a-social-media-policy-for-your-hospital/
Hospitals That Have Facebook Fans

• Given these issues with constant threats to a patient’s privacy by Facebook, hospitals have an obligation to make sure users know about changes to Facebook’s policies that affect their privacy settings.
• By inviting your patients into this arena to interact with your hospital, you are partnering with Facebook to provide a service to your patient community.
• Educating your patients on keeping their personal information (especially PHI such as name, birth date, medical condition) private is part of a healthy relationship with your community.
Details of 100 Million Facebook Users Published Online

• The personal details of 100 million Facebook users were collected and published online in a downloadable file, as reported by msnbc.com on July 29, 2010. The article said that Facebook downplayed the issue, saying that no private data had been compromised. An online security consultant, posting on the Internet site Pirate Bay, had used code to scan 500 million Facebook profiles for information not hidden by Facebook users’ privacy settings. The MSNBC article reported that the resulting file had been downloaded by several thousand people.

“Once I have the name and URL of a user, I can view, by default, their picture, friends, information about them, and some other details,” the online security consultant responsible for the compromise added. “If the user has set their privacy higher, at the very least I can view their name and picture. So, if any searchable user has friends that are non-searchable, those friends just opted into being searched, like it or not! Oops :)”

© 2010 msnbc.com, updated 7/29/2010 8:59:38 AM ET


A Covered Entity under Current HIPAA Rules

• The guiding principle under the HIPAA* privacy standards is that as society enters the electronic era, health plans, healthcare data clearinghouses and healthcare providers (collectively referred to as "covered entities") will be gathering "individually identifiable health information" about residents. This information is private and deserves protection in the ways it is collected and disclosed. However, there is also the recognition that healthcare providers who are "covered entities," and thus subject to HIPAA, must deal with third parties in order to operate.
• The business associate rules are designed to ensure that the privacy of personal health information is maintained even when the individually identifiable information is passed on to these third parties.

Source: “HIPAA compliance, part 1: who are your ‘business associates’? The answer matters, because you are responsible for their adhering to HIPAA privacy rules,” Oct. 2002, by Sandra K. Battaglia, http://findarticles.com/p/articles/mi_m3830/is_10_51/ai_93232188/

* Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Enforcement Rules
Tougher Personal Health Information Protection in Proposed HHS Rules

• In July, DHHS announced a notice of proposed rulemaking on health IT privacy and security that promises to strengthen existing laws.
• The new rules are part of an effort to ensure Americans trust personal health data exchange. The proposed rules are designed to strengthen and expand enforcement of HIPAA*. ~ DHHS Sec. Kathleen Sebelius
• The rulemaking is mandated under the HITECH portion of the American Recovery and Reinvestment Act of 2009.
• The proposed rules include measures to expand individuals’ rights to access their information and to restrict certain types of disclosures of protected health information. They require business associates of HIPAA-covered entities to be under most of the same rules as the covered entities, and they set new limitations on the use and disclosure of protected health information for marketing and fund raising. They also prohibit the sale of protected health information without patient authorization.

* Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Enforcement Rules
Changing HIPAA Rules for Business Associates

• “Sections 164.308, 164.310, 164.312, and 164.316 of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity. The additional requirements of this title that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporate[d] into the business associate agreement between the business associate and the covered entity.” ARRA Sec. 13401(a). This statement makes business associates directly subject to nearly all of the HIPAA security regulations, the HIPAA rules relating to electronic protected health information. Prior to the change, these obligations existed for business associates only as a matter of contract.

• “A business associate of a covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information shall, following the discovery of a breach of such information, notify the covered entity of such breach.” ARRA Sec. 13402(b). This statement creates a new obligation for business associates: to report to covered entities breaches of unsecured protected health information.

• “The additional requirements of this subtitle that relate to privacy and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.” ARRA Sec. 13404(a). This statement makes business associates directly subject to nearly all of the HIPAA privacy regulations. Prior to the change, as with the security regulations, these obligations existed for business associates only as a matter of contract.

Source: "New Challenges for HIPAA Business Associates Under ARRA and HITECH" by Joseph Lazzarotti, Jackson Lewis, LLP, June 1, 2010, http://www.workplaceprivacyreport.com/2010/06/articles/hipaa-1/new-challenges-for-hipaa-business-associates-under-arra-and-hitech/

American Recovery and Reinvestment Act of 2009 (ARRA); The Health Information Technology for Economic and Clinical Health (HITECH) Act
Hospitals Must Assess Their Business Associate Relationship with Facebook

In light of HIPAA, ARRA, HITECH, data breach notification requirements and state law mandates, and the recent incident in which the personal details of 100 million Facebook users were collected and published online in a downloadable file, hospitals need to:

• have legal departments assess the business associate applications. Business associates can include software vendors, benefits brokers, cloud computing providers, data storage/destruction companies, and accountants, among others.

• have legal departments review business associate agreements to include stricter contract language and additional rights and protections, such as the right to audit the business associate and to be held harmless in the event of any data mishap.

Source: Data Management and Security Report, “New Challenges for HIPAA Business Associates Under ARRA and HITECH,” June 1, 2010, by Joseph Lazzarotti, http://www.workplaceprivacyreport.com/2010/06/articles/hipaa-1/new-challenges-for-hipaa-business-associates-under-arra-and-hitech/
Consider Your Own Hospital’s Online Communities

Have you considered leveraging your connections on Facebook to refer them to your own secure online community?

• With MyHealthCommunity as your secure online social media platform, your fans would benefit from:
  * private groups
  * anonymous participation in sensitive discussions
  * convenient online education & library of resources
  * trusted and expert medical information from providers at your hospital

Take your patients out of the public arena to take control of their health PRIVATELY.

sales@myhealthcommunity.net

MyHealthCommunity Social Network, Inc
135 Market St., Portsmouth, NH, 03801
603-553-2997

Visit us at:
www.myhealthcommunity.net
