Health Information Compliance Alert

HIPAA:

Remind Home Care Workers Of Facebook Rules

Employees have a right to use social media, but must protect identifiable patient information.

Social networking sites can provide new communication tools, but they also pose a HIPAA risk for home health providers. Home health agencies and hospices are susceptible to "inadvertent disclosure of PHI on social media, such as Facebook," when staff posts information cautions attorney John Gilliland with The Gilliland Law Firm in Indianapolis.

"Field staff become close to the patients and then share information about them on social media, forgetting that social media is very public." Remember that employees have a right to use Facebook and other social media, Gilliland says. You just must "remind them that social media is very public and that protected health information should never be posted -- that would be a HIPAA violation."

"Individuals should not use their Facebook accounts to relate any personally identifiable information about their patients," emphasizes Jim Sheldon-Dean, director of compliance services for information security consulting firm Lewis Creek Systems in Charlotte, Vt.

Be sure to train employees on these points. Most staffers just need to be "sensitized" to the issue during training, Gilliland believes. "They just don't think of it." Home care providers may want to revive the old World War II slogan, "Loose lips sink ships," when conveying this point, Gilliland suggests. Just as employees wouldn't gossip about their patients in the grocery store, they shouldn't talk about them on Facebook.

Who Is Representing You?

In addition to hitting HIPAA concerns in training about Facebook, you should think carefully about how your organization will be portrayed through public posts. "Agencies ... should establish rules for how they are represented on Facebook, including who may represent the agency and what kinds of information may or may not be shared there," Sheldon-Dean recommends.

Do this: "Individuals should not represent the agency unless the agency has designated those individuals to do so, and they should be trained on the proper ways of being involved so as not to breach privacy," Sheldon-Dean counsels.

However, if an employee is "saying anything about the agency that could be considered an endorsement of the agency and/or its services, they should ID themselves as an agency employee," Gilliland advises.

Wrinkle: While home care providers should address Facebook usage in their HIPAA training, Gilliland actually advises against formulating an entire social media policy. That's because the National Labor Relations Board recently published a case review suggesting that providers can get into labor law trouble solely for how such policies are worded, he reports.

Labor law cases about Facebook have addressed situations where employers discipline or terminate employees for discussing things like wages, poor management, and poor working conditions, Gilliland relates. Employees have the right to engage in such "concerted action" under labor law, whether they are organizing under a union or merely talking among themselves around the water cooler -- or on Facebook, the NLRB says. In other words, employees can't be fired for bad-mouthing you or your organization via social media, according to the board.

Resource: For a link to an August review of 14 NLRB social media cases, go to www.nlrb.gov/news/acting-general-counsel-releases-report-socialmedia-cases.

By not having a written policy on Facebook usage, "you can remove one half of what they can get you for," Gilliland says.