Dangerous Curves Ahead! – The Risks of Social Media Use by Sleep Professionals
By Deb Kovacs-Sturdevant, RPSGT, RRT, BA, LSSMBB
As a member of the BRPT Board of Directors, I am the Chair of the BRPT Professional Review Committee (PRC). The PRC has noted an increase in periodic reports about violations to Standards of Conduct (SOC) and Health Information Portability and Accountability Act (HIPPA) which emanate from social media sites. I am writing this article in response to some recent social media posts that are in violation of the BRPT SOC and possibly Federal HIPPA regulations.*
"The following guidance also represents the consensus of the BRPT Board of Directors on previous social media posts brought to our attention. This guidance is not meant to be comprehensive in scope and sleep technologists remain at risk for other legal and employer-based actions based on imprudent use of social media, irrespective of our position."
Slow - Dangerous Curves Ahead!
There are many dangerous curves ahead in navigating social media sites for healthcare and sleep professionals. What can we safely talk about on social media? What is considered protected healthcare information? Are closed social media groups a safe venue? If we are not well-informed, we could mistakenly divulge protected health information and drive ourselves, and our employers, off into a ditch.
Formal education about HIPAA and Protected Healthcare Information (PHI) is, sadly, lacking in the sleep community. It becomes a sleep technologist’s responsibility to become better informed of the risks associated with using social media. When it comes to HIPAA law, claiming ignorance is not considered a valid defense. It is a misconception that as long as we don’t include a photo or divulge a patient’s name, social security or medical record number, we are safe to blog or comment about our patients or cases on social media. Not true. As a matter of fact, any discussion about our patients on social media, including in a closed group for sleep technologists only, may put us at serious risk for violating the law and professional standards of conduct.
HIPAA is more than just a healthcare urban legend. HIPAA is a very real and enforceable Federal law. As more closed-group healthcare provider social media sites spring up, more and more violations by healthcare workers are also coming to light. Becoming educated about the real dangers of posting to social media helps us to avoid these damaging and potentially career-ending mistakes.
Before any healthcare-related information is released by an institution, PHI must be protected by scrubbing, called de-identification. There are two methods to achieve de-identification of PHI in accordance with the HIPAA Privacy Rule. The first is the “Expert Determination” method and requires a trained expert to perform de-identification of patient identifiers in outgoing information. The second is the “Safe Harbor” method.
List of 18 “Safe Harbor” Patient Identifiers*
PHI is any information in the medical record which can be used to identify a patient. Patient name, photo and identifying numbers are not the only information protected under Federal law. There are 18 patient identifiers to become familiar with:
2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
4. Phone numbers;
5. Fax numbers;
6. Electronic mail addresses;
7. Social Security numbers;
8. Medical record numbers;
9. Health plan beneficiary numbers;
10. Account numbers;
11. Certificate/license numbers;
12. Vehicle identifiers and serial numbers, including license plate numbers;
13. Device identifiers and serial numbers;
14. Web Universal Resource Locators (URLs);
15. Internet Protocol (IP) address numbers;
16. Biometric identifiers, including finger and voice prints;
17. Full face photographic images and any comparable images; and
18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)
Most of these Identifiers are common sense. Some are very broad in scope and it is these that require more thoughtful understanding before posting anything on social media.
For example, Identifier #2 may be inadvertently violated if the poster’s town or area of residence is attached to the posting.
Dependent upon presence of other identifiers, Identifier #17 could be violated even if a patient’s face was not clearly visible in a photo.
Identifier #18 presents the greatest problem with HIPAA compliance in light of the significant amount of personal information available on the Internet. Even minimal amounts of information inputted into a search engine can generate relevant hits about individuals that make it increasingly difficult to comply with HIPAA. Even if the first 17 identifiers are carefully followed, the broadness of Identifier #18 can turn a seemingly harmless post on social media into a patient privacy violation. For example, posting about an individual’s body characteristics or habitus, past, present or future physical or mental health conditions, or the provision of health care to the individual, could also be a violation under Identifier #18.
Can I blog or post about my patients?
Technically, I suppose the answer is yes, but this is still risky. We could comment about specific patient encounters if done in a careful and professional manner, respecting all patient privacy guidelines. The key would be to make sure that the details are never specific enough to tie back to any individual patient. We would have to change certain details completely so that a patient is absolutely unidentifiable. For example, sharing of an experience as a human interest story or learning experience could be allowable as long as patient privacy is protected and the posting was fully vetted and sanctioned by our employer first.
Remember, posting anything about a patient on social media is very risky. Healthcare institutions and employers follow strict Federal guidelines for protecting PHI. Before posting anything about a patient or encounter to social media, it is advisable to vet this posting with our employer in order to ascertain if PHI is protected to the degree mandated and if the posting will be allowed. Many healthcare institutions have zero tolerance for postings about any business or patient care matters by anyone within their organizations other than the marketing or media representatives. Violation of these rules can result in corrective action or termination.
Also, venting our frustrations or posting negative comments about our patients or interactions would not be professional or appropriate. Our patients have granted us the privilege of taking part in their care. They deserve compassion and respect. And everyone has a right to privacy. Remember the Golden Rule and treat others as you would want to be treated – or as you would want to have your loved ones treated.
Are closed social media groups exempt and a safe place to post?
No, absolutely not! The very same rules that apply to social media postings in general also apply in closed groups. PHI must always be protected, without fail.
Administrators or even members of closed groups can police their own membership. Violations can be and are reported to government and credentialing organizations from closed-group social media sites.
It is also advisable to avoid the use of closed-group sleep technologist social media sites as a means for getting technical or troubleshooting advice while on the job. Every sleep center has their own hierarchy and resources for reporting incidents and/or getting technical advice during the course of a sleep technologist’s shift. It is expected that a sleep technologist would reach out to co-workers on site and then to their manager or supervisor for technical advice. Reaching out for advice on social media can severely increase the risk of violations because information needs to be divulged outside of your work group in order to explain the problem, which therefore increases the risk of divulging PHI. And posting could be in violation of employers’ guidelines.
Can a posting about my patients result in job loss or loss of my professional sleep credential?
Yes, absolutely, even up to and including Federal fines and prosecution.
If we violate HIPAA, the employer is also held accountable for what happened and fined accordingly. The end result to the technologist could be loss of credential and termination of employment plus risk of Federal fines and prosecution.
Additionally, each credentialing organization has a Standards of Conduct (SOC) that each credentialed professional is expected to abide by. For example, one of the BRPT SOC states that the credential holder will abide by all laws. Like all credentialing organizations, the BRPT has a Professional Review Committee that reviews and investigates complaints of alleged violations.
Recent reports indicate that people who “like,” “share,” “re-tweet,” or comment on inappropriate social media postings, even in closed groups, are also getting reprimanded and are at risk for losing their credentials and jobs.
You may view the BRPT Standards of Conduct on the BRPT website, under the blue “Standards” tab, and then choose “Standards of Conduct” from the pull-down menu.
Professional Tips for Social Media Usage
1. Don’t post anonymously. - Anonymity breeds bad behavior and grants false permission to say inappropriate things.
2. Check the tone of your social media presence. – If the message is not positive, do not post it. Don’t use social media as a vehicle to vent and complain.
3. If you wouldn’t say it in a crowded room, don’t put it online. – Information posted online stays out there forever and can haunt your career. Nothing is protected or sacred once it is posted – even in closed groups. Remember that electronic messages can be subpoenaed and used as evidence in legal proceedings.
4. Stop and think before you post. – Refraining from posting anything about our patients and interactions is always the best advice.
In summary, social media for healthcare providers can be a great tool for disseminating and receiving information if used wisely. Becoming educated about and then abiding by the laws and methods for protecting PHI are the keys to safe navigation of these potentially treacherous roads. Here’s wishing everyone a safe trip!