Social media is ubiquitous in our society, and has increasingly drawn the workplace into its folds. This development could spell trouble for health care facilities that owe substantial privacy and confidentiality obligations to their patients. For example, in April of last year a trauma nurse at Mount Sinai Hospital in Chicago allegedly tweeted a graphic photograph of a deceased patient’s treatment room in the aftermath of a shooting. That tweet, among others the nurse is alleged to have sent in connection with the incident, is currently at the center of a civil lawsuit filed by the victim’s mother against both the hospital and the nurse. While such posts have always been PR nightmares and pitfalls for civil lawsuits, these events are also starting to catch the attention of federal regulators.
On August 5, 2016, the Centers for Medicare & Medicaid Services (CMS) sent a letter to state surveyors directing that within 30 days they must start reviewing nursing homes’ social media policies and procedures. Since the letter was published on August 5, nursing homes have only a short runway to ensure they have sufficient policies and procedures in place.
The letter does provide some guidance for compliance. First, nursing homes must review and/or revise their abuse prevention policies and procedures to ensure they prohibit taking or using photographs or recordings that would demean or humiliate residents. Second, the policy must apply to all nursing home staff, which includes not only employees, but also consultants, contractors, volunteers, and other caregivers, so facilities should ensure they are applying the policy to the correct audience. Finally, the letter states that these policies must include guidance regarding the use of any type of equipment to take, keep, or distribute photographs or other recordings on social media.
CMS is not the only office of U.S. DHHS to have taken notice of unauthorized online posts regarding patients. In February of this year, Complete P.T., Pool & Land Physical Therapy, Inc. (Complete) entered into a resolution agreement with the Office for Civil Rights (OCR) to settle claims that it violated HIPAA by posting patient testimonials (including full names and full face photographs) to its website without valid authorizations. While the Mount Sinai tweet and events cited by CMS might seem like clear abuses of patient rights on social media, the OCR settlement with Complete signals that even positive online posting about patients can land health care facilities in hot water when not properly authorized.
These developments come at a time when the OCR is stepping up enforcement against HIPAA covered entities. In addition to the initiation of Phase II of its HIPAA audits, OCR has recently reached three multimillion-dollar settlements with health care facilities (Advocate Health Care Network, University of Mississippi Medical Center, and Oregon Health & Science University) for alleged HIPAA violations. As noted in our recent alert, OCR’s HIPAA audit guidance and its recent enforcement actions show an increased scrutiny of organizations’ risk analyses. This scrutiny, combined with the apparent interest of CMS and OCR in social media and other online disclosures, makes strong social media and online posting policies essential for every health care facility. All health care facilities should take time to identify the risks posed to their organization by social media and online disclosures, review their current safeguards to prevent unauthorized social media and online disclosures, and adopt or modify policies and procedures where necessary to address these risks.
The Privacy and Data Security team at Wyrick Robbins Yates & Ponton LLP frequently assists a wide variety of health care entities with compliance initiatives, such as developing HIPAA compliance programs and conducting HIPAA risk analyses and compliance assessments, and also drafts and modifies social media use policies for clients in a variety of business sectors. Please contact us with any questions about these issues or related matters.