Patient info on Facebook traced to temp staff
'It's just Facebook ... not reality'
[Editor's note: This is the second part of a two-part series on issues surrounding social media and ambulatory surgery. In this issue, we discuss one facility's nightmare when a temp employee posted patient information on Facebook. We discuss legal issues and employee training. In last month's issue, we gave you some horror stories and told you how to avoid them. We also told you how to be proactive about your online presence, as well as how to develop a social media policy.]
One hospital's experience with a temporary employee who posted a patient's information online — making fun of her condition and showing no remorse when challenged — is raising questions about how healthcare facilities can ensure that temporary staffing agencies provide adequate compliance training.
The temp employee of Providence Holy Cross Medical Center in Los Angeles posted a photo of a woman's medical record, which clearly showed the woman's name and admission date, according to a report by the Los Angeles Daily News, which obtained a printout of the Facebook page before it was deleted. The photo was accompanied by the comment, "Funny but this patient came in to cure her VD and get birth control."
When others posted on the page with comments scolding the employee for violating the woman's privacy, the employee responded with "People, it's just Facebook ... Not reality" and "It's just a name out of millions and millions." He refused to take down the information, but it eventually was deleted when hospital officials were notified.
Providence immediately released a statement saying that the employee had been supplied by a temporary staffing agency and would no longer be allowed to work in any Providence facility. (See statement, below.) The staffing agency was supposed to have trained the employee in compliance with the Health Insurance Portability and Accountability Act (HIPAA), a hospital spokesman told AHC Media, publisher of Same-Day Surgery.
The facility's potential liability from the privacy breach might depend on the quality and effectiveness of its HIPAA compliance policies and training, says Philip D. Mitchell, JD, an attorney with the law firm of Epstein Becker Green in Newark, NJ. Providence reports that its contract with the temporary staffing agency requires such training, but Mitchell says a lawsuit could hinge on whether that was just boilerplate language or whether the hospital actually backed it up by confirming that the agency trained people properly.
"It all depends on their existing policies and procedures," Mitchell says. "How did they hire this person, and how did they train him? If all they can say is that the contract required he be trained by the temp agency, but they didn't do any due diligence to see how that agency complies, that could be problematic. You could argue that they had a responsibility to know how these people were trained before you accept them as an employee."
Could plead willful misconduct
Mitchell notes, however, that the egregious nature of the violation could give the hospital a valid defense of willful misconduct by a rogue employee. Unlike with a more nuanced HIPAA violation, a defense attorney could argue that any reasonable person would know that posting a medical record on Facebook was wrong, he says.
"It's such a deliberate act and out of the norm that it could be hard to hold the hospital responsible for that," Mitchell says. "This person clearly has no regard for confidentiality, and unless the hospital had some way of knowing that, they can say this was someone purposefully breaking the law regardless of what training was or wasn't provided."
Any legal action taken by the patient most likely would result in only a modest settlement, Mitchell surmises, but he notes that the hospital is taking a bigger hit in the court of public opinion. The negative publicity attached to the hospital's name could be the worst result, he says.
Not easy to escape blame
Another attorney with experience in HIPAA enforcement says the facility's response that the staffing agency was responsible for training the employee might be shortsighted. The employee's comments indicated he had no understanding of HIPAA, much less any respect for it, and the hospital has to take some responsibility for that lack of understanding, says Joseph P. Paranac Jr., JD, an attorney with the law firm of LeClairRyan in Newark, NJ.
"Everyone may maintain the fiction that those temporary staffers are employed only by the staffing agency," Paranac says. "But in reality, those temporary staffers are probably joint employees of the staffing agency and the hospital. I suspect that on a daily basis, these temps are taking direction from hospital supervisors, so I would make sure that everyone who comes in to the hospital as an employee, and who has access to information, receives a two-hour training course on HIPAA."
Paranac notes that HIPAA puts the onus on healthcare providers to make sure employees are trained, and that responsibility cannot be casually passed on to another party such as a staffing agency. "If you want to hold to the idea these are not your employees and so you don't want to train them, then I would send someone to the staffing agency's training class and document what you see there," he suggests. "If their training is not sufficient, you can offer to help them improve it and not accept any more employees until they do."
Policies must be in sync
Beyond the negative publicity from a privacy breach, the legal ramifications are significant. Healthcare providers and individuals such as directors, employees, or officers of the covered entity who "knowingly" obtain or disclose individually identifiable health information in violation of the regulations face a fine of up to $50,000 as well as imprisonment for up to one year. Offenses committed under false pretenses allow the penalties to be increased to a $100,000 fine, with up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use such information for commercial advantage, personal gain, or malicious harm permit fines of $250,000 and imprisonment for up to 10 years.
The "knowingly" element requires only knowledge of the actions that constitute an offense, Paranac explains. Specific knowledge that an action violates the HIPAA statute is not required.
Another potential problem is that facilities often have separate policies on HIPAA compliance and social media, and the two don't always mesh well, Mitchell says. In many cases, they are drawn up by different people with different purposes, rather than having one comprehensive policy.
"Often, the social media policies are set up by marketing or the IT folks, whereas the confidentiality policy usually comes from compliance, risk management, or the general counsel's office," Mitchell says. "If they don't sync up, you have potential gaps that will be a problem when you have to show your training was adequate, and there can be ambiguities that allow employees to make mistakes." (For information about how "user activity monitoring" can help ensure compliance with HIPAA, see story, below.)
Hospital requires agencies to comply
The risk manager at Providence Holy Cross Medical Center in Los Angeles declined to be interviewed about the incident in which a temporary employee posted patient information on Facebook, but the parent company, Providence Health & Services, provided this statement:
"Providence Health & Services, guided by core values that include respect and dedicated to compliance with state and federal privacy laws, takes patient privacy very seriously and regularly trains employees on the importance of guarding patient records.
"As we reviewed this isolated incident, we worked with the staffing agency to ensure the individual is not allowed to work in the future in any Providence facility. We also reaffirmed to the agency involved in this matter that language in our standard contract with staffing agencies requires that any contract workers sent to a Providence facility recognize and adhere to all state and federal laws, particularly those protecting patient privacy.
"Providence also has a social media policy that requires employees, vendors, volunteers, and others working in the hospital to follow laws and policies designed to protect patient privacy on both public and private Web sites."
Activity monitoring can spot privacy breaches
With growing attention to the threat of privacy breaches through social media, some healthcare organizations are using "user activity monitoring" to help ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA). With user activity monitoring, organizations can monitor, capture, and analyze all user and user-group activity on the employer's devices, including e-mails sent and received, chat and instant messages, web sites visited, applications and programs accessed, web searches, file transfers, and data printed or saved to removable devices. The system also can take screenshots of employees' activities at pre-set intervals.
McKenzie (TN) Medical Center implemented Spector360 user activity monitoring after noticing high bandwidth usage as well as issues with worker productivity. (See resource at end of this article for information on purchasing the software.) The medical center employs more than 30 medical providers and almost 300 support staff. Unrestricted access to the Internet, personal e-mail, and social media presented potential legal liability, and the center wanted to ensure that all employees were complying with HIPAA regulations, says Don Page, IT manager and security officer.
User activity monitoring allows hospitals and healthcare organizations to track employees' activity on social networking sites and receive alerts regarding potentially suspicious activity based on established key words, Page says. It is also beneficial to employee training, he says, with hospital administrators able to flag issues and discuss them with employees. For example, if an employee posted confidential information on Facebook, hospital administrators can provide proof and discuss with the employee how he or she violated regulations.
With the user activity monitoring software, McKenzie was able to quickly identify more than $18,000 worth of time in which employees were using computers for purposes not related to work. The clinic director then reminded employees of the company's Internet usage policies and spoke with offenders regarding the new monitoring process. Since implementing user activity monitoring, McKenzie has increased productivity and reduced non-work-related online activities, Page says. Not wanting to be too severe, the center also allows employees limited access to the Internet for personal reasons, such as paying bills online or visiting Facebook. Four computers have been set up in the lunch room for employees' use during their lunch break.
Although McKenzie originally implemented user activity monitoring to address productivity concerns, Page says it has become a valuable tool in HIPAA compliance. During HIPAA compliance investigations, McKenzie Medical is able to replay all activity that took place on an employee's screen or review activity logs relating to the alleged incident. In some instances, employees have been cleared of wrongdoing after the hospital reviewed their activity. "Protecting our patients' privacy and ensuring that we meet HIPAA compliance regulations is our foremost concern," Page says. "With user activity monitoring, we're able to address and respond to HIPAA concerns in a timely manner."
Resource
• SPECTOR 360 7.3 is available for purchase at www.spector360.com or by calling SpectorSoft Corporate Sales at (888) 598-2788. Standard pricing is $115 per endpoint for a perpetual license.
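The keyword-based alerting that Page describes is easy to sketch. The following is an added example written for this article; it is not code from the page, from McKenzie Medical Center or from SpectorSoft, and it makes several assumptions: the activity records are (user, destination, captured text) tuples in the shape a monitor might export, the list of social-media domains, the patient roster and the clinical keyword list are stand-ins for feeds a facility would take from its registration system and compliance office, and medical record numbers are assumed to be eight digits. The sample records are constructed; one echoes the Facebook post discussed above.

```python
"""Keyword- and identifier-based alerting over user-activity records.

Added example, not the page's or any vendor's code. Record format,
domain list, patient roster, keyword list and MRN format are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample export: (user, destination application/domain, captured text).
SAMPLE_ACTIVITY = [
    ("jdoe", "ehr.hospital.local", "Jane Patient, MRN 00123456, admitted 2011-06-01"),
    ("jdoe", "facebook.com", "Funny but this patient came in to cure her VD and get birth control"),
    ("jdoe", "facebook.com", "Jane Patient was in today lol"),
    ("asmith", "facebook.com", "Anyone up for lunch?"),
    ("asmith", "mail.google.com", "please send my W-2 to my home address"),
    ("asmith", "twitter.com", "Pt 00123456 is a nightmare"),
]

# Assumed destinations where PHI should never appear.
SOCIAL_MEDIA_DOMAINS = {"facebook.com", "twitter.com", "myspace.com"}

# Assumed watchlists; in practice fed from the patient roster and compliance office.
PATIENT_NAMES = {"jane patient"}
CLINICAL_KEYWORDS = {"patient", "diagnosis", "vd", "birth control", "mrn", "pt"}
MRN_PATTERN = re.compile(r"\b\d{8}\b")  # assumed 8-digit medical record number


@dataclass(frozen=True)
class Alert:
    user: str
    destination: str
    severity: str        # "high" = direct identifier present, "medium" = keywords only
    reasons: Tuple[str, ...]
    text: str


def _normalize(text: str) -> str:
    return re.sub(r"\s+", " ", text.lower()).strip()


def _keyword_hit(keyword: str, words: set, norm: str) -> bool:
    # Single tokens must match a whole word ("pt" must not fire on "dept");
    # multi-word phrases are matched as substrings of the normalized text.
    return keyword in words if " " not in keyword else keyword in norm


def phi_indicators(text: str) -> List[str]:
    """Return the reasons a piece of text looks like it carries PHI (empty if none)."""
    norm = _normalize(text)
    reasons = []
    if any(name in norm for name in PATIENT_NAMES):
        reasons.append("patient name")
    if MRN_PATTERN.search(norm):
        reasons.append("medical record number")
    words = set(re.findall(r"[a-z]+", norm))
    hits = sorted(k for k in CLINICAL_KEYWORDS if _keyword_hit(k, words, norm))
    if hits:
        reasons.append("clinical keywords: " + ", ".join(hits))
    return reasons


def scan_activity(records) -> List[Alert]:
    """Flag records that send PHI-like text to a social-media destination."""
    alerts = []
    for user, destination, text in records:
        if destination not in SOCIAL_MEDIA_DOMAINS:
            continue  # the EHR and e-mail are expected to carry PHI; only social media is in scope here
        reasons = phi_indicators(text)
        if not reasons:
            continue
        direct_identifier = any(r in ("patient name", "medical record number") for r in reasons)
        severity = "high" if direct_identifier else "medium"
        alerts.append(Alert(user, destination, severity, tuple(reasons), text))
    return alerts


if __name__ == "__main__":
    for a in scan_activity(SAMPLE_ACTIVITY):
        print(f"[{a.severity}] {a.user} -> {a.destination}: {'; '.join(a.reasons)} | {a.text!r}")
```

Keyword-only hits (the "medium" alerts) are where most false positives live, which is why the example separates them from matches on a name or record number; both tiers still need a human to look at the screenshot or replay before anyone is disciplined, and the monitoring itself should be covered by the same policy set discussed in this article.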
Can your facility limit what workers say online?
When it comes to staff members and comments they might make online, there are two types you need to understand, according to Paul A. Anderson, director of risk management publications at ECRI Institute, a Plymouth Meeting, PA-based nonprofit organization that researches approaches to improve patient care.
The first type is named "concerted organizing activities" by the National Labor Relations Board. These comments include discussions about the terms and conditions of employment, such as wages and work hours, or complaints about supervisors, Anderson says. "Generally speaking, there's not much an organization can do about this kind of discussion," he says. "It's legally protected, and trying to curtail it is illegal."
However, organizations can have policies that limit how employees discuss the organization's services, even when they discuss them on their personal social media profiles, Anderson says. "So, although you can't stop a nurse from going home and complaining that she's underpaid, you can most definitely stop her from going home and saying something like 'the surgeons are all incompetent there,' or 'I'd never let my own kids go here,'" he says.
Usually, if the facility's policy is clear and the employee knew about it, the organization can discipline the employee, including termination. "One thing to consider, though, is whether the organization wants to be known as 'the one that fired a nurse for a Facebook post,' because if the staff member is willing to complain about you while she's still employed, she'll definitely have something to say after you've fired her," Anderson says.
Information created or shared via social media could be subject to discovery in the event of a lawsuit, says ECRI Institute.
Tell staff: They represent you
Social media training must emphasize again and again the need for "constant vigilance against unprofessional conduct," according to ECRI Institute's recently published guide to healthcare and social media.[1] What employees say reflects directly on the organization, the guide points out.
Mandatory training on the Health Insurance Portability and Accountability Act (HIPAA) should emphasize that all staff members have a duty to protect patients' privacy, even on their personal social media profiles, it says. This guidance includes the sharing of success stories and good outcomes, the guide says. You might want a policy that requires someone familiar with the HIPAA privacy rules to review all descriptions of patients to ensure they are sufficiently de-identified, it says.
Your policy also should address whether photos can be taken and how they can be used, ECRI Institute says. "No photos of patients should be taken or used without specific authorization by the patient," the guide says. "The authorization should specify how the photo will be used (e.g., in a brochure, on a website, for clinical purposes), and staff who might seek to use existing photos for any purpose should check to ensure that the authorization covers a second use."
Also, training should include the consequences of violating patient privacy. In addition to discipline from the facility, violators could face up to a $100,000 fine, with up to five years in prison. And your liability might not end when the employee resigns or is fired, ECRI Institute warns. "It is possible that a healthcare organization could be sanctioned for privacy violations that occur after employment ends if it can be shown that the organization did not properly educate its staff or volunteers regarding their HIPAA obligations," it says.
HIPAA education for staff and volunteers should include a clear definition of what constitutes protected health information and a reminder of their obligation to protect a patient's privacy, even after their employment or volunteering ends. "Employees should sign an acknowledgment that they received the training and understand their obligations," ECRI Institute says.
If you become aware of violations among former employees, you might want to consider having your lawyer notify them, in writing, that they must remove the posts or comments. "They should be reminded of their ongoing obligation not to violate patient privacy," ECRI Institute says. "This could be perceived as a good-faith effort to comply with the rule should sanctions be considered."
Reference