Why a Social Media Policy is Important for your Organization
By Brian Shrift, HCISPP
If you don’t Tweet, Facebook, YouTube, Instagram, LinkedIn, Pinterest, Tumblr, or Snapchat, that’s OK. But your staff may. And if they do it in the office, that could mean a HIPAA Security Breach and an audit for you – or even worse, a fine or a lawsuit.
Social Media consists of websites and applications, like those mentioned above, that allow almost anyone, anywhere, to share ideas, photographs and videos on the Internet. Often you’ll hear of celebrities posting something and it “going viral,” meaning their post, often a comment or image, is being seen and spread by tens of thousands of individuals, if not millions. Once something has been posted, it is nearly impossible to have it deleted, because others spread and download it immediately.
“Selfies,” a photo of yourself taken with your smartphone and posted to a social media site, are very popular. Often people will snap a selfie of themselves while they’re stuck in traffic, after a new haircut, all dressed up for a night on the town, flexing in a mirror, or at the office. While there could be objections to all the shirtless flexing selfies on the Internet, the one we’re concerned with is the office selfie.
The reason we’re concerned with the office selfie is the combination of the high-resolution cameras now found in smartphones and what is captured in the background. If an office selfie were used as a “profile picture,” you wouldn’t be able to make out anything in the background other than a whiteboard with some writing on it. However, the photo uploaded to Facebook is saved in its original, high-resolution format, allowing your friends, and the public, to view it at full size. These high-quality images make it simple for anyone to read the information written on the whiteboard.
In our example (Figure 1), Trish, a volleyball coach at Fordham University, had her conference’s standings written on the whiteboard in the background over her left shoulder. While the whiteboard is over 15 ft away from her desk, her iPhone picked up the writing quite easily (Figure 2). But what if this were your office and the whiteboard contained patient information?
Here are just a few examples of selfies and social media postings which should not have been taken or posted:
Joan Rivers’ physician allegedly took a selfie in the procedure room while Rivers was under anesthesia.
An off-duty employee of Spectrum Health Systems was fired after taking a photo of an attractive woman in the emergency room and posting it to Facebook; every employee who “liked” the post was fired as well.
An emergency room technician at Abington Health was fired after the company found that she had been posting patient information and x-rays to Twitter.
The core components of our Social Media Policy, which we recommend to our Clients, are:
Think Before Posting – Once something is posted on the Internet, it is no longer within your control. Even if you later delete it, it may still be available via electronic medium and will have your name attached to it. Please consider the consequences of any such communication and understand that you are responsible for what you post.
Privacy Concerns – Because the organization is governed by the Health Insurance Portability and Accountability Act (HIPAA), staff are obligated to guard against the exposure of protected health information.
Monitoring Activity – Inform staff that the company has the right to monitor social media activity for unauthorized disclosure of information and for damage to the company’s reputation.
Respect Company Time and Property – Company computers and the time you spend on them are paid for by and are for the benefit of the company. Use of this equipment for social media activity is to be treated as any other use of equipment such as telephones and/or email.
Reporting – Require all employees to immediately report any violations of this policy or possible or perceived violations of this policy to their supervisor.
Discipline – The Company investigates and responds to all reports of violations of the social media policy and other related policies. Violation of this policy may result in disciplinary action up to and including termination.
For more information on the Security Rule and the HITECH Act, and for a complimentary Social Media Policy, please visit our website: HIPAASecurityHelp.com.
Brian Shrift is President of Precision Business Solutions. Mr. Shrift is a certified HealthCare Information Security and Privacy Practitioner.