Dangerous Curves Ahead! – The Risks
of Social Media Use by Sleep Professionals
By Deb Kovacs-Sturdevant, RPSGT, RRT, BA, LSSMBB
Introduction
As a member of the BRPT
Board of Directors, I am the Chair of the BRPT Professional Review Committee
(PRC). The PRC has noted an increase in periodic reports about violations to
Standards of Conduct (SOC) and Health Information Portability and Accountability Act (HIPPA) which emanate from social
media sites. I am writing this article in response to some recent social media
posts that are in violation of the BRPT SOC and possibly Federal HIPPA
regulations.*
*Disclaimer:
"The following guidance also represents the
consensus of the BRPT Board of Directors on previous social media posts brought
to our attention. This guidance is not meant to be comprehensive in scope and
sleep technologists remain at risk for other legal and employer-based actions
based on imprudent use of social media, irrespective of our position."
Slow - Dangerous Curves Ahead!
There are many dangerous curves ahead
in navigating social media sites for healthcare and sleep professionals. What
can we safely talk about on social media? What is considered protected
healthcare information? Are closed social media groups a safe venue? If we are
not well-informed, we could mistakenly divulge protected health information and
drive ourselves, and our employers, off into a ditch.
Formal
education about HIPAA and Protected Healthcare Information (PHI) is, sadly,
lacking in the sleep community. It becomes a sleep technologist’s
responsibility to become better informed of the risks associated with using
social media. When it comes to HIPAA law, claiming ignorance is not considered
a valid defense. It is a misconception that as long as we don’t include a photo
or divulge a patient’s name, social security or medical record number, we are
safe to blog or comment about our patients or cases on social media. Not true.
As a matter of fact, any discussion about our patients on social media,
including in a closed group for sleep technologists only, may put us at serious
risk for violating the law and professional standards of conduct.
HIPAA is
more than just a healthcare urban legend. HIPAA is a very real and enforceable Federal
law. As more closed-group healthcare provider social media sites spring up, more
and more violations by healthcare workers are also coming to light. Becoming educated
about the real dangers of posting to social media helps us to avoid these damaging
and potentially career-ending mistakes.
Before any
healthcare-related information is released by an institution, PHI must be
protected by scrubbing, called de-identification.
There are two
methods to achieve de-identification of PHI in accordance with the HIPAA
Privacy Rule. The first is the “Expert Determination” method and requires a
trained expert to perform de-identification of patient identifiers in outgoing
information. The second is the “Safe Harbor” method.
List of 18 “Safe Harbor” Patient
Identifiers*
PHI is any
information in the medical record which can be used to identify a patient. Patient
name, photo and identifying numbers are not the only information protected
under Federal law. There are 18 patient identifiers to become familiar with:
1. Names;
2. All geographical
subdivisions smaller than a State, including street address, city, county,
precinct, zip code, and their equivalent geocodes, except for the initial three
digits of a zip code, if according to the current publicly available data from
the Bureau of the Census: (1) The geographic unit formed by combining all zip
codes with the same three initial digits contains more than 20,000 people; and
(2) The initial three digits of a zip code for all such geographic units containing
20,000 or fewer people is changed to 000.
3. All elements of
dates (except year) for dates directly related to an individual, including
birth date, admission date, discharge date, date of death; and all ages over 89
and all elements of dates (including year) indicative of such age, except that
such ages and elements may be aggregated into a single category of age 90 or
older;
4. Phone numbers;
5. Fax numbers;
6. Electronic mail
addresses;
7. Social Security
numbers;
8. Medical record
numbers;
9. Health plan
beneficiary numbers;
10. Account
numbers;
11.
Certificate/license numbers;
12. Vehicle
identifiers and serial numbers, including license plate numbers;
13. Device
identifiers and serial numbers;
14. Web Universal
Resource Locators (URLs);
15. Internet
Protocol (IP) address numbers;
16. Biometric
identifiers, including finger and voice prints;
17. Full face
photographic images and any comparable images; and
18. Any other
unique identifying number, characteristic, or code (note this does not mean the
unique code assigned by the investigator to code the data)
*HHS.gov website
Most of
these Identifiers are common sense. Some are very broad in scope and it is
these that require more thoughtful understanding before posting anything on
social media.
For
example, Identifier #2 may be inadvertently violated if the poster’s town or
area of residence is attached to the posting.
Dependent
upon presence of other identifiers, Identifier #17 could be violated even if a
patient’s face was not clearly visible in a photo.
Identifier
#18 presents the greatest problem with HIPAA compliance in light of the
significant amount of personal information available on the Internet. Even minimal
amounts of information inputted into a search engine can generate relevant hits
about individuals that make it increasingly difficult to comply with HIPAA.
Even if the first 17 identifiers are carefully followed, the broadness of Identifier
#18 can turn a seemingly harmless post on social media into a patient privacy
violation. For example, posting about an individual’s body characteristics or habitus, past, present or future physical or mental health conditions,
or the provision of health care to the individual, could also be a violation
under Identifier #18.
Can I
blog or post about my patients?
Technically,
I suppose the answer is yes, but this is still risky. We could comment about
specific patient encounters if done in a careful and professional manner,
respecting all patient privacy guidelines. The key would be to make sure that the details are never
specific enough to tie back to any individual patient. We would have to change
certain details completely so that a patient is absolutely unidentifiable. For
example, sharing of an experience as a human interest story or learning
experience could be allowable as long as patient privacy is protected and the
posting was fully vetted and sanctioned by our employer first.
Remember,
posting anything about a patient on social media is very risky. Healthcare institutions
and employers follow strict Federal guidelines for protecting PHI. Before
posting anything about a patient or encounter to social media, it is advisable
to vet this posting with our employer in order to ascertain if PHI is protected
to the degree mandated and if the posting will be allowed. Many healthcare
institutions have zero tolerance for postings about any business or patient
care matters by anyone within their organizations other than the marketing or
media representatives. Violation of these rules can result in corrective action
or termination.
Also, venting
our frustrations or posting negative comments about our patients or
interactions would not be professional or appropriate. Our patients have
granted us the privilege of taking part in their care. They deserve compassion and respect. And everyone
has a right to privacy. Remember the Golden Rule and treat others as you would
want to be treated – or as you would want to have your loved ones treated.
Are closed social media groups exempt
and a safe place to post?
No,
absolutely not! The very same rules that apply to social media postings in
general also apply in closed groups. PHI must always be protected, without
fail.
Administrators
or even members of closed groups can police their own membership. Violations
can be and are reported to government and credentialing organizations from
closed-group social media sites.
It is also advisable
to avoid the use of closed-group sleep technologist social media sites as a
means for getting technical or troubleshooting advice while on the job. Every
sleep center has their own hierarchy and resources for reporting incidents
and/or getting technical advice during the course of a sleep technologist’s
shift. It is expected that a sleep technologist would reach out to co-workers
on site and then to their manager or supervisor for technical advice. Reaching out for advice on social media can
severely increase the risk of violations because information needs to be
divulged outside of your work group in order to explain the problem, which
therefore increases the risk of divulging PHI. And posting could be in
violation of employers’ guidelines.
Can a posting about my patients
result in job loss or loss of my professional sleep credential?
Yes,
absolutely, even up to and including Federal fines and prosecution.
If
we violate HIPAA, the employer is also held accountable for what happened and
fined accordingly. The end result to the
technologist could be loss of credential and
termination of employment plus risk of Federal fines and prosecution.
Additionally,
each credentialing organization has a Standards of Conduct (SOC) that each
credentialed professional is expected to abide by. For example, one of the BRPT
SOC states that the credential holder will abide by all laws. Like all
credentialing organizations, the BRPT has a Professional Review Committee that
reviews and investigates complaints of alleged violations.
Recent reports indicate that people who “like,” “share,”
“re-tweet,” or comment on inappropriate social media postings, even in closed
groups, are also getting reprimanded and are at risk for losing their
credentials and jobs.
You
may view the BRPT Standards of Conduct on the BRPT website, under the blue “Standards”
tab, and then choose “Standards of Conduct” from the pull-down menu.
Professional
Tips for Social Media Usage
1.
Don’t post anonymously. - Anonymity breeds bad behavior and
grants false permission to say inappropriate things.
2. Check
the tone of your social media presence.
– If the message is not positive, do not post it. Don’t use social media as a
vehicle to vent and complain.
3. If you wouldn’t say it in a crowded
room, don’t put it online. – Information
posted online stays out there forever and can haunt your career. Nothing is
protected or sacred once it is posted – even in closed groups. Remember that electronic messages can be subpoenaed
and used as evidence in legal proceedings.
4. Stop and think before you post. – Refraining from posting anything about our patients
and interactions is always the best advice.
In summary, social media for healthcare
providers can be a great tool for disseminating and receiving information if
used wisely. Becoming educated about and then abiding by the laws and methods
for protecting PHI are the keys to safe navigation of these potentially
treacherous roads. Here’s wishing everyone a safe trip!