For better or worse, social media has become an integral part of modern life. But the way users act on popular networking sites can lead to potential liability for skilled nursing facilities and other health care institutions.
A lurid story about assisted living employees posting to Snapchat in the presence of a dying resident made the news cycle about a month ago, but the problem of posting to that service isn’t new; an article from 2015 in ProPublica covered how nursing home and assisted living workers were posting explicit photos of patients, often to Snapchat.
Though those cases represent extremes in behavior, the act of posting anything to social media can be fraught in terms of liability for skilled nursing facilities. In fact, social media can affect liability from two different legal fronts, Beth Pitman, counsel at Waller Lansden Dortch & Davis, LLP, told Skilled Nursing News.
Pitman has worked in health care law since 2007, with an initial focus on health care technology.
HIPAA mandates, abuse reporting requirements
Issues related to the Health Insurance Portability and Accountability Act (HIPAA) are one way a SNF could be liable because of an errant social media post by an employee, but there are other considerations for liability, she explained.
“In addition to HIPAA, there are laws related to a skilled nursing facility resident’s rights and the facility’s obligations to report abuse and neglect and those can give rise — from both the facility standpoint and the employee standpoint — to some criminal action,” she explained. “When it comes to social media, those two areas of law intersect, so the facility and the employees would have liability in two different areas.”
HIPAA was enacted in 1996, initially to allow insurance to be portable between employers and to deal with some issues related to health care fraud. The law was amended to include some privacy and security provisions in 2001 and 2002, with some subsequent amendments in 2010 and 2013. The law regulates the confidentiality of information from a privacy and security standpoint, Pitman said.
“A health care provider, its employees, or anyone it contracts with is prohibited from disclosing any information in a way that’s not permitted under the rule,” she told SNN. “That means you can only disclose it for health care purposes, for treating a patient, for submitting claims for payment, or for doing some things that relate to the operations of a health care business.”
To comply with HIPAA, health care facilities are required to have policies and procedures in place, to train all employees before employees can access information that is covered, and to undergo a yearly or at least biannual security risk assessment.
But in addition to HIPAA considerations, facilities have to make sure that they are complying with requirements in abuse reporting, Pitman stressed.
“At skilled nursing facilities, if there’s been a breach through social media that could possibly result in abuse, they both have to give notice under HIPAA of the breach of information, but also have to give notice to the government of the instances of abuse,” she said.
Addressing vulnerabilities of normal social media use
The cases of explicit and exploitative postings make the news, but those cases are outliers in terms of how intentional they are; according to Pitman, the most common issues with employee social media use don’t stem from an intention to abuse. They stem from people using social media the way they do in their everyday lives.
“There may be times when employees are taking pictures of each other or with another patient they’ve befriended, and they just don’t realize what’s going to happen with Facebook or other kinds of social media or Instagram, where you may friend someone and then post information,” she said. “It’s so easy for someone to get a friend request and … then commenting on something may inadvertently disclose information.”
Since it’s so easy for facilities to become liable based on actions that are second nature to most people with a Facebook account, Pitman had some suggestions for SNFs to mitigate the chance of this happening. The first is to have policies and procedures in place to address HIPAA requirements on privacy and security, as well as the resident’s rights to have information maintained confidentially and “to be in an environment that’s free of abuse and exploitation,” Pitman said.
“They probably should have a signed acknowledgement from each of the employees indicating that they’ve read and reviewed the policies and procedures, understand them, and agree to comply with them,” she added. “It’s important to have in the policies and procedures to have a provision allowing for sanctions and disciplinary actions so that the employees understand what the consequence is — and also to follow up on that.”
For training, she recommended using examples of breaches of information that have occurred in the past, including cases that weren’t intentional, such as taking a photograph of a patient to show a physician.
And she has a very practical suggestion to keep employees from making any mistakes, though it’s one they may not like.
“My recommendation is for most people is to prohibit use of personal cell phones in any clinical areas,” she said. “Depending on how the facility wants to impose that, they can require that the employees check their cell phones into certain locations. When they leave, when they go out on break, or for lunch they can check them out again. There are different procedures they can put into place to help make that easier, but having a personal cell phone ban is probably the best way to prevent that kind of issue.”
Written by Maggie Flynn