Skip to Content
Close Icon

NewsRed Flag! CMS Mandates Nursing Home Social Media Policy: A Good Idea for Health Care?

By Dorothy de Souza Guedes, VGM Education

Cybersecurity is top priority for health care companies concerned about hacking that can expose patient information and result in HIPAA violations. But, have you thought about employee use of social media that may expose patients to privacy breaches?

In a memo to state survey agency directors on August 5, the Centers for Medicare and Medicaid Services (CMS) responded to reports of social media violations in nursing homes by mandating that facilities immediately create policies and procedures and train employees to avoid violating patient privacy online.

Although CMS has not mandated social media policies for HMEs, following its guidelines for social media is a good business practice for all health care providers.

Right to Privacy and Confidentiality

CMS’s mandate relates to the nursing home resident’s right to privacy and confidentiality of their body and personal space including accommodations and all aspects of personal care. Taking photos, videos or other recordings of a resident or their personal space without their written consent, or consent of a designated representative, is a violation of those rights. This includes group settings or pictures of personal space when residents are not present.

Residents also have a right not be subjected to verbal and nonverbal mental abuse. Prohibited actions include not sharing photos or recordings of residents on social media sites or through multimedia messages. Depending on what is depicted, investigators may also identify physical or sexual abuse.

In the Health Care Business Setting

Think about how this may apply in the health care setting, whether in your showroom or at a customer’s home. Your staff or visitors to your locations may inadvertently violate patient confidentiality by sharing photos or videos online that include patients or their possessions.

But, there is also intentional posting on personal social media pages in which details about interactions with patients are disclosed. Employees have always inappropriately shared patient information: social media is just a new avenue for sharing. It doesn’t matter if the disclosure is sympathetic or in support of the patient, it’s still a violation.

Train employees to understand that social media isn’t private, no matter their privacy settings. If you wouldn’t or shouldn’t put it on a billboard in your front yard, don’t post it on social media.

Potential Consequences

Violating HIPAA, including social media posts that disclose confidential patient information, can result in investigations by the Office for Civil Rights (OCR), fines and even criminal charges. Even if your company is not found liable for an employee disclosing patient information via social media, your company reputation may be damaged.

From a legal standpoint, most social media information is discoverable, that is, the other party in a lawsuit can request it be disclosed as relevant to their case against your company. And once information is posted, it lives in the cyber world indefinitely: there are ways to access archived or deleted information from social media platforms.

But, be careful what you tell employees they cannot do on social media: recent National Labor Relations Act cases uphold an employee’s right to complain online about work and seek input from coworkers.

HIPAA Training

Where you do have a right – and an obligation – to direct employee social media behavior is in the area of patient privacy. Include social media training in new employee orientation, and retrain employees regularly, perhaps as part of annual HIPAA training. These were some of the recommendations from the American Health Care Association (AHCA/NCAL) in a June memo sent to members.

AHCA also recommended creating social media policy that clearly defines what the employer expects from its employees’ online behavior. Standards of professionalism should be the same online as in person. Explain your company’s process for monitoring social media and for taking corrective action against staff and customers/visitors who inappropriately use social media. Policies and procedures regarding social media and potential abuse won’t do much good if not implemented or there is no provision for oversight and supervision of employees.

What you should know

VGMU HIPAA courses include training on employee potential violations via social media in both HIP001 - Understanding HIPAA and HIP002 - Working with HIPAA. Not a VGMU user? Contact Megan Kraft at 888-786-6628 or [email protected].

Comments