Transcript ADVERTISNG JEOPARDY

HIPAA Compliance and
Social Media Concerns
September 2013
Presenter:
Jennifer A. Dukarski
of Butzel Long
HIPAA Compliance and Social Media Concerns
EVERYTHING HAS A PRICE: SOCIAL
MEDIA IN THE DIGITAL AGE
Professional Branding in the Digital
Age
Digital media creates virtually limitless
opportunities to promote and protect your
brand and products…
Professional Branding in the Digital
Age… continued
… while leaving an almost limitless opportunity for
employees, customers and others to destroy that
brand
Because the internet comes with a
price…
Online interaction differs from face-to-face
communication as people are prone to behave at their
worst and forget about consequences. This is the
Online Disinhibition Effect!
•
•
•
•
•
•
You don’t know me (dissociative anonymity)
You can’t see me (invisibility)
You won’t see me until later (asynchronicity)
It’s all going on in my head (solipsisatic introjection)
It’s just a game (dissociative imagination)
There’s no cops (minimizing authority)
The Online Disinhibition Effect, John Suler (2004)
Why Digital Media Matters: Consumers
Use Social Media
• 42% use social media to access health-related reviews
• More than 80% of 18-24 year olds would share health
information through social media
• Almost half (45%) of individuals from 45-64 would share
health information over social media
Price Waterhouse Cooper HRI Consumer Survey, 2012
Why Digital Media Matters: What an
Employer Does Has Consequences
• We asked or encouraged an
employee to use Social Media.
– Social media is becoming inseparable
with some job functions.
– Some individuals are asked to “host the
company account” or post for the office.
• We have “deep pockets” and an
offended party sues us, too.
– For example, NBA Referee Bill Spooner
sued AP Reporter Jon Krawczynski and
the Associated Press for comments
surrounding a questionable call.
HIPAA Compliance and Social Media Concerns
THE INTERSECTION OF SOCIAL
MEDIA, HIPAA AND BAD
JUDGMENT
An Online Treasure Trove: PII and PHI
Personal Identifying Information (PII)
•
•
•
Individual Social Security Numbers
Addresses
Credit Card Data
Personal Health Information (PHI)
•
•
•
•
•
•
•
•
•
•
•
Names
Geographical identifiers smaller than a state
Dates related to an individual
Phone numbers
Fax numbers
Email addresses
Social Security numbers
Medical record numbers
Health insurance beneficiary numbers
Account numbers
Certificate/license numbers
•
•
•
•
•
•
•
Vehicle identifiers (including license
plates)
Device identifiers
URLs
IP addresses
Biometrics (finger, retinal and voice
prints)
Full face photos
Other unique identifying number,
characteristic or code
Leaking PII and PHI is easier than you
think…
• California, April 9, 2010: Nurse photographs stabbing victim
and puts his image (including his face) on Facebook
• Westerly Hospital, Rhode Island, April 21, 2011: Physician
tells stories of Emergency Room experiences on Facebook,
including details that may allow a third party to determine
the individual involved
• Martin Memorial Center, Florida: employees were
disciplined after taking and sharing photos of a shark bite
victim
• Palisades General Hospital: “George Clooney is here”
• Medical Blogs: over 17% of blogs by professionals may
contain sufficient information to establish the identity of a
patient
I Lost My Data on the Internet: LabMD
and the Federal Trade Commission
8/29/2013: The FTC files a complaint
against LabMD for failing to protect
medical and other sensitive information
over peer-to-peer network (software
commonly used to share music, videos
and other materials).
The complaint alleged that LabMD (who performs
medical testing for consumers nationwide) did not
take reasonable and appropriate measures to prevent
unauthorized disclosure of sensitive consumer data,
including PHI.
HIPAA Compliance and Social Media Concerns
THE RISKS OF BRING YOUR
OWN DEVICE
What is Bring Your Own Device?
• Bring Your Own Device
(BYOD) is the policy of
allowing employees to
bring their own mobile
devices (laptops, tablets,
smart phones, etc.) to the
workplace
• BYOD also may include
use of non-company email
and document sharing
(Drop Box / SharePoint)
BYOD – The facts and statistics
• The average U.S. employee carries 3 mobile
devices
• 81% of employees use personal devices at work
• 91% of tablet users and 75% of smart phone
users have disabled auto-lock security
• 93% of employees admit to violating policies
designed to prevent breaches and
noncompliance
• 70% of physicians and health IT
specialists use personal mobile
devices to access electronic health
records
© 2013 Butzel Long
Risking it all on BYOD?
• Cell Phones: A health clinic employee set his personal
phone to “auto-forward” his University messages to his
Google account. The phone was not password protected.
While on vacation, the cell phone went missing.
• Flash Drives: A University professor lost his personal
flash drive with ID including social security numbers for
over 1000 students.
• Laptops: Just like the theft of a work laptop at
Massachusetts Eye and Ear Infirmary that led to a $1.5 M
fine to HHS, the theft of data from a personal laptop is
equally risky.
• BYO Software/File Sharing: Dropbox, for example,
openly admits that it is not HIPAA compliant. The same
is true of many cloud-based file sharing programs.
© 2013 Butzel Long
Breaches: BYOD heightens the risk
•
•
•
•
•
Paper Records accounted for 116
incidents and were involved in 5
major breaches
Laptops accounted for 111 breaches
and were involved in 15 other issues
Portable Electronic Devices
(smart phones, iPads, etc.) accounted
for 69 breaches and played a roll in 11
other cases
Network Servers were the sole
cause of 46 breaches and were
involved in 13 other cases
Business Associates accounted for
103 breaches, the equivalent of 1 of
every 9 incidents
Source: Health Information Privacy/Security Alert Analysis of HHS Office for Civil Rights Data
It may feel like the Wild West…
When implementing a strategy to deal with Digital Media,
organizations should consider all of the legal risks involved:
• Other Potential Legal Constraints
– Media, Privacy and Communications
• Reputation management
• Stored Communications Act
– Labor and Employment
• Wage and Hour concerns
• Hiring and Firing
– Intellectual Property
• Patents, Trademarks and Copyright
• Domain Names and Social Media Accounts
– Contractual and Ownership Rights
• Ownership of social media followers, contacts, content and websites
– Endorsement and Other Regulatory Concerns
… But a preventative approach can
mitigate the risks
• Social Media Use Strategies
– Implement or Review and Audit your BYOD Policy
– Review and Revise or Adopt a Social Media Policy
– Review Your Employee Handbook
• Data Security Strategies (LabMD Takeaways)
– Implement and maintain a comprehensive data security program
which includes addressing Business Associate risk
– Use readily available measures to identify commonly known and
reasonably foreseeable security risks and vulnerabilities
– Use adequate measures to prevent employees from accessing
personal information not needed to perform their jobs
– Train employees on basic security practices
– Use readily available measures to prevent and detect unauthorized
access to personal information
QUESTIONS ?
Jennifer Dukarski
Tel: 734.213.3427
Email: [email protected]