Mobile Devices and Social Media: Are Your Privacy and Security Policies Adequate?
Smart phones and the Internet have changed the way people communicate and have introduced new risks into the process of providing healthcare services. We asked Barry Mangels, Chief Compliance & HIPAA Privacy Officer at Children’s Hospital Los Angeles about the associated risks, benefits, and potential solutions for using mobile devices and social networking in the healthcare industry.
What are currently the most pressing legal concerns regarding mobile devices and social media in the healthcare industry?
I think one of the most pressing legal concerns is the move by the Office of Civil Rights (OCR) to make sure that people and organizations are in compliance. There is a requirement for organizations to report to the OCR if there is a breach of information for 500 entities or more.
It is public record that the Hospice of North Idaho had a laptop stolen two years ago. It had 441 names on it, which is below the requirement, but the OCR hit them with a $50,000 fine and a two-year supervised compliance program.
The real cost comes with complying with the compliance program and meeting the requirements, which requires them to monitor and report any breach. This includes someone sending a fax to the wrong number. Breaches like this can result in extending the length of their supervised compliance program.
The government is taking a very strong stand on this and they’re not going to let up. They’re going to make sure the hospitals and covered providers are doing what they’re supposed to be doing about protecting patient data.
But how do you really prevent it? With all the mobile devices and people constantly downloading so much data, how do you really keep control of what’s getting out of the hospital?
Obviously, that is the big concern. The question is, how do you control it and how do you maintain that control? I don’t know if there’s a real clear-cut message. An effective strategy that we are in the process of implementing is to make sure that all devices are encrypted but you run into problems because we’re dealing with personal devices. The best solution is education paired with a zero tolerance policy.
We have benefited from the nurses being able to text a doctor a very quick update on their patients’ status, but that’s why “Bring-Your-Own” device and encrypting these messages in phones is so important. Additionally, the IT department must have the ability to wipe the device clean if it is lost.
Is there a need to control what goes out on LinkedIn, Facebook and other social media websites?
That’s another challenge that we face. Section 7 of the National Labor Relations Act gives employees the right to publish information on their social media sites. We have a social media policy that instructs employees on protocols when posting to social media sites; violations of HIPAA are cause for immediate termination.
What are the key benefits you can gain by using social media?
There are tremendous benefits that can be gained by using social media. Our media department posts on our Facebook page and our Twitter account about what’s going on in the hospital. But these are media people, so they know what rules there are. They are not posting about individual patients. As you can imagine, we do have the occasional celebrity bring their children here to the Children’s Hospital of Los Angeles. That’s where we have to be mindful and remind employees that, regardless of how famous someone might be, they have the same right to privacy as anybody else.
We do have people at the hospital that work very closely with the patient and staff when we know that we’re having a person of interest coming into the hospital.
What are the common pitfalls that you can warn other hospitals and health systems about?
I guess the most common pitfall that organizations experience is not understanding what their risks are and not conducting a clear risk analysis of who is carrying what kind of phones and how they are protected. For instance, everybody has a camera and a video recorder on their phone now, and we have been getting more cases recently of patients taking pictures of other patients, which is a problem. Therefore, we have had to educate our nursing staff and other auxiliary staff on being very aware that patient information can be breached in these ways.
I would think that it’s a major task to keep everything under control considering how big your organization is and how many people are working in a hospital.
Absolutely. We have 4500+ employees in a 24/7 operation with the potential of our own people becoming paparazzi. I think the challenge that everybody faces is keeping security software up-to-date and enabling security software to protect against malicious applications such as viruses.
Ultimately, the facility has the responsibility. We have very specific privacy laws in this state where if a person is accused of breaching a patient’s privacy, they are subject to civil money penalties. In addition, they are also open to a civil lawsuit from the person whose information they shared.
How much of your workload is spent on making sure that the compliance is up-to-date with these issues?
I’m relatively new here since I came from another organization. Therefore I spend a significant amount of time just bringing myself up to speed on where we are and what we already have in place. I report to our board audit committee on this issue. I’m spending about 50% of my time, at least, on this issue because there are so many people involved, such as IT and the Health Information Management (HIM) department. There is an increasing demand on our IT department, which I think is doing a Herculean job to keep us compliant.
We also have community doctors who are not on staff at the hospital that want access to patients that they have sent here. We need to ask ourselves several questions when this happens such as:
- How much information do they get?
- Do we make the information available to their practice if the doctor is permitted access? (Because they might be on vacation, and Doctor A is covering for Doctor B, and Doctor A needs that information as well.)
- How do we go about filtering all of the data so they can only see their patients’ information?
This is a huge job and it’s only getting more complicated. Right now I am looking at my desk and I have four different devices that I can use to transfer patient data and I have three portable hard drives that can download that information. That is the norm in this country.
What training programs have you found to be effective for implementing these policies?
One of the things I shared at the Healthcare Sector Meeting in February is that many people don’t know about the Health IT Government website, which has tools such as training documents that the Office of Civil Rights has put out and made available to the public.
I think they are so well done that there is no need to change them. You can download them and use your own logos and everything else. I think the government wants to get these tools out there and make it available. They’re actually helping people like myself, who have a one-person office but who depend on a compliance committee for identifying where there are openings for risk, which is extremely important.
How does your facility address social media exposure, and is it any different because the patients are children? You mentioned earlier that issues arise because of your hospital’s location in LA, where you occasionally get celebrities as patients.
Well, as you know, we have had several well-publicized incidents in California where information was leaked to the media. I think parents of our patients want to know, “What are you doing to protect my children’s information?” If we don’t do it well, we’ll lose the goodwill and trust of our patients. It can be devastating for your reputation as a hospital or health system. Children’s Hospital Los Angeles has an outstanding reputation and history in this area.