Time to Check Dangers of Social Networking

By HealthLeaders Media Staff
October 08, 2009

Though many popular Web sites have strong privacy practices in place, there is still no better time to analyze where, when, how, and if your personal health information (PHI) is circulating through these types of Web sites.

The Ponemon Institute and TRUSTe recently released their 2009 Most Trusted Companies for Privacy Award and ranked eBay, Verizon, the US Postal Service, WebMD, and IBM as the top five. But health leaders must also beware of employees sending any PHI over the Internet.

The last thing you want is to get burned because someone in your organization sent PHI without authorization across Yahoo!, Facebook, or similar sites.

It's not common—though it's possible—for healthcare workers to use these sites to intentionally and maliciously violate patient privacy laws.

More often, healthcare workers sign on during breaks, or when they are off work, and vent about their day with friends without realizing that they are sharing identifiable information and violating HIPAA.

Regardless of how you respond to these privacy and security vulnerabilities, education is crucial, says Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, and a HIPAA expert.

"A lot of people are panicking," Apgar says. "But one thing that's not well understood is the danger related to all this."

Transmission over an unsecured network is inevitable, particularly if the sender and the receiver don't share a secure network, says Apgar.

Combat this with these four education models:

  • New employee training (orientation)

  • Annual refresher training

  • Security reminders (weekly helpful e-mails; information in hospital newsletters; and flash reminders on staff computer monitors)

  • Communications policy—as with confidentiality agreements, require staff members to acknowledge in writing that they have read and understand it. Do this annually at staff performance reviews.

An article in the September issue of the Journal of the American Medical Association entitled "Online Posting of Unprofessional Content by Medical Students" revealed that 60% of 80 medical school deans reported incidents involving unprofessional postings on these types of Web sites.

Another 13% acknowledged incidents that violated patient privacy. Some of these violations resulted in expulsions from medical school, according to the article.

"These professionals are well educated, but that doesn't mean they are savvy with security," says Apgar.

The finality of disclosures on these types of Web sites is what makes them so dangerous, says Apgar.

"Once you put something out there, it's out there, and it's never coming back," he says.

Simply banning these Web sites from the hospital network is one strategy that many organizations use, Apgar says.

Spring Harbor Hospital, in Westbrook, ME, doesn't allow access to Web sites, such as Facebook, on facility computers, says Chris Simons, RHIS, who serves as the facility's director of HIMS and privacy officer.

"We also include it in orientation as a no-no," she says. "We have had some issues with staff on Facebook saying inappropriate things about their managers, and have addressed that."

Access to personal e-mail accounts is just as dangerous for many reasons, and organizations are beginning to ban this practice as well.

A physician who logs onto a personal Yahoo! Mail account to send himself or herself a list of patients to access at home is one example of inappropriate use, Apgar says.

That's a breach of a lot of information, says Apgar. The hospital network may be encrypted, but that encryption no longer protects the information once the physician opens the e-mail at home.

Freelancer Corey Goodman contributed to this report.
