What you can learn from a recent HIPAA scandal
A recent HIPAA scandal involving Snapchat and newborns has some hard lessions for dental professionals.
IN SEPTEMBER, TWO MEDICAL STAFFERS at Jacksonville Naval Hospital were found to have mishandled newborn patients; the misconduct was discovered in their Snapchat posts, which featured them “mishandling a newborn, making obscene gestures and calling babies ‘mini Satans,’” according to the Washington Post.
Around the same time, DentistryIQ editors received a message from a dental professional complaining that a dental hygienist at his or her practice had posted pictures and “sarcastic comments” about a patient on a personal Facebook page. The article received a strong response on social media, indicating that the issue of HIPAA compliance and staff social media accounts is of ongoing concern to dental professionals.
The consequences of a HIPAA breach are severe. Here are what three experts say you should learn from the Jacksonville scandal:
Dianne Watterson, MBA
I had a situation several years ago where a staff member posted some highly offensive remarks about a patient in the chair. She didn’t use the patient’s name, but it was time stamped, so other people could identify to whom she was referring.
Every dental practice needs a code of ethics on social media practices and their employees. Here’s what I recommend:
1. Employees will not ever share sensitive or identifying information about patients that could be in conflict with HIPAA regulations. It is strictly forbidden to insult patients over social networks.
2. Employees will not make disparaging remarks about management or coworkers over any social medium. It is impolite to badmouth people on a public forum. Posting made during an emotional moment may be regretted later.
3. Make sure postings are well-thought-out before sending. If there is any doubt whatsoever about whether or not to post, it is usually better not to post.
4. Keep in mind that anything you post could be read, copied, and shared with others many times. Even privacy settings do not prevent readers from copying and resending things that you post in private.
5. Employees are expected to maintain social media posting etiquette, which includes being civil and refraining from posting crude, inflammatory, or off-color remarks.
6. Remarks you make on social media sites are a reflection of you, and you are a reflection of the practice. Disparaging remarks about our practice or coworkers could place your job in jeopardy.
Linda Harvey, RDH, MS, LHRM
These professional’s actions displayed blatant disrespect for human dignity and strike an emotional chord in all of us. Sadly, this case will be remembered for a long time for all the wrong reasons.
Could something like this happen in dentistry? Have you ever voiced displeasure with your daily schedule, a difficult coworker, or uncooperative patient on social media? How often are you posting treatment-related pictures on social media?
Posting a picture of the day's schedule where you can read patients' first and last name, phone number, and scheduled treatment constitutes a HIPAA breach. So does posting pictures of patients and other comparable images without written authorization according to the Privacy Rule. These pieces of patient information constitute "individually identifiable information" also known as protected health information (PHI).
Bear in mind, written authorization must be obtained using a HIPAA-compliant form. Verbal or implied consent is not legally sufficient under HIPAA. To learn what constitutes an acceptable "authorization," refer to 45 CFR 164.508 of the Privacy Rule.
What can dental professionals learn from this medical tragedy? The biggest takeaway is to be sure you know and understand HIPAA's privacy and security requirements. A privacy breach can result in criminal or civil fines and penalties. A former UCLA research worker found out the hard way when snooping in patient records landed him in prison for four months.
Not sure where to seek the best information? Start with the US Department of Health and Human Services website to review key aspects of these laws. Be sure to visit their FAQ page for interpretation on specific privacy questions.
Rebecca Boartfield and Tim Twigg
Compliance challenges, whether they be HIPAA, OSHA, charting, or employment related, can be damaging to your finances, emotion, and reputation. From an HR perspective, this situation highlights the need to review personnel policies.
Personnel policies help establish the ground rules and can protect against litigation. These written policies should cover several areas of applicable behavior, such as unprofessional conduct, cell phone use, and cameras on phones, as they relate to proprietary and confidential information. If something like this scandal occurred and you had nothing to show establishing that you were taking every measure to ensure appropriate conduct with your employees, then a prosecutor would likely paint you as a negligent employer.
Policies can show a good-faith effort on the employer’s part to follow the rules and keep employees from being inappropriate. While policies are important, they can’t necessarily stop all inappropriate behavior from occurring. When something does happen, even something little, it's important to take action immediately. Does the problem warrant suspension? Termination? If not, at the very least, establish documentation showing that the individual was counseled of the behavior and warned of consequences should it happen again. Of course, this should be signed by the individual in question to be completely thorough.
In short, never assume something like this can't happen to you. Take the necessary steps to protect yourself and follow up quickly and appropriately.
Editor's note: This article first appeared in the Apex360 e-newsletter. Apex360 is a DentistryIQ partner publication for dental practitioners and members of the dental industry. Its goal is to provide timely dental information and present it in meaningful context, empowering those in the dental space to make better business decisions. Subscribe to the Apex360 e-newsletter here.