HIPAA on the Social Network—What Consumers Need to Know

by Mary Butler

Without a doubt, patient privacy rights have improved in recent years.

In the 1950s and 60s, and even well into the 1980s, it was standard for small-town newspapers to publish lists of the names of people, regardless of age, who were admitted to or discharged from the hospital. When HIPAA came along and put a stop to that, people tried to fight it because they felt they had “the right to know,” says Harry Rhodes, MBA, RHIA, FAHIMA, CHPS, CDIP, CPHIMS, director of national standards at AHIMA.

Yet, despite all the improvements HIPAA made to how patient health information is protected by providers, egregious examples of privacy violations continue to make headlines. Now, it’s social media users who—through sheer ignorance or disregard for the law—push aside patient privacy and dignity just to get a few yuks from their friends, multiple news stories confirm. Or, at least, these are the more highly publicized incidents.

Fortunately, thanks to federal law and provider privacy policies, patients today have a recourse when their privacy is violated. But that assumes that a) a patient even finds out they’ve been violated online and b) they recognize that what’s happened to them is illegal and know where to turn for help. Combating these violations requires more training for healthcare workers and a brief examination of why violators think what they’re doing is OK. There also needs to be more consumer education so that patients know they have a right to their health privacy.

New Medium, Same Mindset

As long as there are new social media platforms, there will be new ways for people to make poor decisions with them.

Most recently, two nursing home employees in Lowell, MA, were accused of posting videos showing them abusing elderly residents to the social media video site Snapchat. The videos showed the nursing home aides asking residents questions about sex and marijuana in one video, and yelling at a sleeping resident in another. The accused employees told police their actions were “just a joke” done “for laughs.”

Or consider a case from 2011 when a contract employee at Providence Holy Cross Medical Center posted a picture of a patient’s medical record to his Facebook page, including the patient’s name and admission date, then joked that the patient came in for contraception and treatment of a venereal disease.

In another incident, a physician was reprimanded for complaining about a patient who was late for a prenatal appointment. Although she didn’t mention the patient by name, her employer investigated this post and others to see if identifying information was revealed.

Rhodes says that even before the Internet entered the workplace, privacy officers would remind their staff that discussions about patients are never as private as people think they are. This is old advice, he emphasizes.

“It seems like that problem keeps coming back around. They think they’re in a private conversation but they’re not,” Rhodes says. He says that when someone is sitting at work with their smartphone, if they post something work-related, even if it’s to a small group of friends or followers, it feels like a normal conversation. “They rationalize it, they’re ‘just carrying on a conversation,’ and they make one smart comment and forget it’s going to everyone.”

Rhodes says a common response from someone who has violated HIPAA in this way is “I didn’t think it was a big deal.” This is emblematic, he says, of a conundrum that author Malcolm Gladwell describes as individuals being “experience rich but theory poor.” You can explain to a group of people why a given action is wrong, but unless they imagine it happening to them, it doesn’t sink in.

Rhodes says he’s heard of this approach working for providers who started hosting brown bag lunches to discuss privacy violations as part of their privacy training. When trainers start sharing more personal examples, such as the news stories highlighted above, employees start to have “Aha!” moments.

“It’s that age-old axiom, ‘how would you feel if it happened to you?’” Rhodes says.

Consumer Rights

While most healthcare consumers have heard of HIPAA and have a vague understanding that it pertains to privacy, it’s difficult to have a full grasp of the protections that it entails.

The actual text of HIPAA is 1,500 pages long and most people haven’t read it, says Rhodes, so you get the extremes: people being over-protective of health information, and people thinking it’s okay to disclose everything.

On the consumer side, Angela Rose, MHA, RHIA, CHPS, FAHIMA, a director of HIM practice excellence at AHIMA, says letting consumers know their rights can be tricky.

“The average consumer has a fifth grade reading level. It’s a very hard thing to relay in a way that people can understand, especially in multiple languages,” Rose says.

That’s why AHIMA went to great lengths to make the revision of its “Consumer Health Information Bill of Rights” as readable and digestible as possible.

To this end, the Bill of Rights includes “The right to file a complaint or report a violation regarding your health information,” which states: “You have the right to file a complaint if you think your health information is not being handled correctly. You have a right to expect a timely response. The Notice of Privacy Practices must tell you how to file a complaint with the organization and with the United States Department of Health and Human Services.”

If consumers find out that any member of their care team, from their physician’s office manager to the physician themselves, posted anything remotely identifying about them on the Internet, their first response should be to file a complaint directly with the provider.

This is exactly what one consumer did, as she explained in an essay for XO Jane. Within a couple of hours of her appointment, the writer, Sara Mason, received a Facebook friend request from the office clerk who took in her insurance and identification information. She took a screenshot of the Facebook request, emailed it to the office administrator, and got an immediate response. In that case, the employee who made inappropriate use of access to Mason’s medical information was dismissed.

For more information, consumers can review the Consumer Health Information Bill of Rights, and should feel empowered to take action if they suspect their rights have been violated in any way.

Mary Butler is the associate editor at The Journal of AHIMA.

Original source:
Butler, Mary. "HIPAA on the Social Network—What Consumers Need to Know" (Journal of AHIMA), September 2015.