A Social Media Wake-Up Call
If you're looking for a reason why your organization needs to create a security policy for social media right away, here's a great one.
A California hospital this week announced plans to fire five employees and discipline another because they used social media to post personal discussions concerning patients. And you don't want your organization to be the next one in the headlines.
The time has come to:
- Create a policy prohibiting the posting of any patient information on social media, and then educate your staff about the policy;
- Make it clear anyone violating the policy will be fired;
- Point out that under the HITECH Act, violations of the HIPAA privacy and security rules carry stiffer penalties and apply to both individuals and the organizations where they work.
Details on the California case remain sketchy, but local media reports said it involved the use of Facebook. Executives at Tri-City Medical Center in Oceanside said they have "not yet identified any evidence that patient names, photographs, or similar identifying information was posted by these employees. But our investigation yielded sufficient information to warrant disciplinary action."
A growing number of healthcare organizations are developing specific security policies for the use of social media. For example, Adventist Health System recently spent six months crafting a detailed policy, says Sharon Finney, corporate data security officer.
Finney says reaching a consensus on the policy was a tough chore, but well worth the effort. That's because Adventist can't afford to risk HIPAA violations as its marketing and education departments make greater use of social media.
"My job is to make sure private information doesn't reach social media," Finney says.
Every healthcare security officer needs to come to the same conclusion. Quickly.