HIPAA violations cost individuals and businesses billions of dollars every year. While many costly HIPAA violations result from mishandling files, the examples we hear about in the media often involve employees making poor choices on social networks. As Twitter and Facebook blur the lines between our public and private lives, many employees need additional social media training on the appropriate use of technology in the workplace.
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 protects health insurance coverage for workers when they change or lose their job and establishes privacy and security standards for healthcare information. HIPAA involves four rules:
- Privacy Rule: Protects the privacy of individually identifiable health information
- Security Rule: Sets national standards for the security of electronic protected health information
- Breach Notification Rule: Requires covered entities and business associates to provide notification following a breach of unsecured protected health information
- Patient Safety Rule: Protects identifiable information being used to analyze patient safety events (health care quality issues or medical errors) and improves patient safety
These rules are enforced by the Office for Civil Rights, a division of the US Department of Health and Human Services. There are many classes of HIPAA violations, each with its own set of penalties, from fines to jail time.
HIPAA Myths and Social Media Violations
HIPAA violations perpetrated by individuals on social media breach both the Privacy and Security rules. In many cases, employees don't realize their behavior is violating HIPAA because of perceived security on social networks or a lack of understanding around HIPAA's definition of privacy. There are many common myths surrounding HIPAA that can be dispelled with a good social media policy and employee training.
Myth #1: Avoiding identifying information is not a violation
In 2010, five nurses were fired from a medical center in California for discussing patients on Facebook. The hospital claims no identifying information, such as patient names or photos, was included in the posts, but chose to fire the employees anyway.
In a similar situation, a nurse in Michigan was fired for an angry update on Facebook about an alleged cop-killer (unnamed in her post) who was a patient at her hospital. Due to the news coverage, the hospital felt that it was clear whom the nurse was discussing.
Myth #2: Pictures at work are okay as long as they aren’t of patients
Four nursing students in Kansas were expelled from their program for posting pictures of themselves with a human placenta on Facebook. The students contend they were informed their post would not be a violation of privacy, but were expelled for their “lack of professional behavior” anyway.
It is also important to recognize that a picture often shows more than the photographer intends. Even taking pictures of fellow staff members in the hallway might inadvertently capture a patient's name on a door or a patient walking down the hallway.
Myth #3: Public figures don’t have the same protections
An employee at a medical center in Mississippi resigned from her job due to a privacy-violating tweet. The employee responded to a tweet from Governor Haley Barbour concerning trimming expenses from the budget with a remark regarding the governor's private, after-hours appointment several years prior. Though the governor is a public figure, his medical history is protected under HIPAA.
While a quick guide may help employees make better choices, formal HIPAA training is crucial for healthcare employees. Making employees aware of the laws and consequences can help cut down on the number of violations and protect both the company and employees. OpenSesame offers a wide range of HIPAA training courses to help you stay up to date on the laws and regulations and out of legal trouble.
When it comes to HIPAA, the message to employees should always be better safe than sorry. Though a formal HIPAA complaint may not be filed, even minor infractions should be taken seriously and offending employees trained accordingly to prevent further violations.
Kate Cornelius is the marketing and community associate at OpenSesame.