A Dentist’s Guide to the Law - American Dental Association - Page 87

Privacy Issues Related to Practice Websites and Social Media


Stories about possible violations of patient privacy through social media have appeared in the news. For example, news media have reported that:

• A hospital took away a doctor’s privileges for an online post that included information that could be used to identify a patient¹⁰

• A hospital identified an incident involving employees who allegedly used social media to discuss patients¹¹

• An emergency room worker posted a photo of her workstation, which included a computer screen displaying information about a patient. The patient subsequently notified law enforcement that she was the victim of identity theft¹²

Whether a dental practice posts a message or photo on the practice’s social media site, or a member of the dental team makes a personal post, privacy laws may be violated if the post identifies a patient, or could be used to identify a patient, and the patient has not authorized the disclosure.

Successfully managing the risks through appropriate policies, procedures and training can help dental practices benefit from social media while protecting patient privacy in compliance with applicable federal and state laws. A dental practice’s policies and procedures prohibiting improper disclosures of patient information should clearly apply in any context, whether inside or outside of the dental practice, and whether the disclosure is electronic, on paper, or oral.

The Security Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires covered dental practices to have reasonable safeguards in place to protect electronic patient information. The HIPAA Privacy Rule requires a covered dental practice to obtain patient authorization before disclosing identifiable patient information unless the disclosure is permitted by HIPAA, such as a disclosure for treatment, payment or health care operations. If patient information is disclosed in violation of HIPAA, the dental practice may be required to provide breach notification to the affected patient(s), the federal government, and, in some cases, the media. HIPAA violations can also result in substantial monetary penalties, and some HIPAA violations carry criminal penalties.

HIPAA covered dental practices must also comply with applicable state law where the state law is more stringent than HIPAA. Dental practices that are not covered by HIPAA must comply with applicable state law. State laws protecting patient information may include medical confidentiality laws, data security laws, and laws requiring breach notification when sensitive personally identifiable information is improperly acquired, accessed, used or disclosed. Violations of state privacy laws can result in fines, and some state laws allow individuals to take legal action.

Therefore, before posting on social media, a dental practice should carefully review the content to determine whether the content complies with applicable law. For example, a covered dental practice that wishes to post patient before-and-after photos on a social media site may be required to obtain HIPAA-compliant written authorization from the patients if the photos could be used to identify the patients. Under HIPAA, full face photos and comparable images are considered identifiers.

Even if a patient has voluntarily made his or her health information public, HIPAA and certain state privacy laws still apply to the information. For example, if a patient discusses his or her health information with the news media, or in a social media post or online rating service, a covered dental practice must continue to protect the information in compliance with HIPAA and applicable state laws.

This is not to say that a dental practice can never respond to a patient’s social media post, only that the dental practice must do so in compliance with applicable laws, and that such laws may prohibit disclosures that identify the patient. For example, in response to a patient’s post stating that her questions were not answered to her satisfaction, a dental practice may be able to respond with a general statement that does not identify the patient, such as, “We encourage patients who have questions about their care to call our office right away so we can provide any follow-up information they require.” If a patient posts a complaint about wait time, a dental practice may be able to respond, “Occasionally a dental emergency requires us to alter our schedule, and we apologize to patients who are affected when this happens.”

To help prevent privacy law violations on social media:

• Understand and comply with applicable federal and state privacy and data security laws

• Train staff never to disclose identifiable patient information or sensitive personal information via social media without proper patient authorization

• Keep in mind that patient information that is protected by privacy laws can extend beyond traditional patient records. Photos or videos of a patient, even just sitting in the waiting area, may be patient information that is protected by HIPAA. Merely revealing that an individual is a patient may violate privacy laws.

• HIPAA protects information that identifies a patient, or that could be used to identify a patient. Even if a patient’s name is not disclosed, if other data elements are disclosed that make the information identifiable, then the information may still be protected by HIPAA.

• Even if a patient has publicly disclosed his or her health information, HIPAA still applies to that information. A covered dental practice must protect patient information even if the patient has willingly made the information public.

• Responding to a patient’s comment on a social media site can result in a privacy law violation if the response includes information that identifies the patient, or that could be used to identify the patient. If a dental practice believes that it is prudent to respond to a post, restricting the response to a general statement that does not contain any information that could be used to identify a patient can help reduce the risk of a privacy law violation.

• Before posting patient photos, have the patient sign any authorization, consent or release forms required by HIPAA or any applicable state law. Applicable law may also require a dental practice to have staff members sign releases before posting their photos.

• Even photos depicting the interior of the dental practice should be screened to make sure they do not include any patient information. For example, make sure the photos do not include patient charts or computer screens displaying patient information.

In light of the importance of protecting patient privacy, and the risks associated with violating privacy laws, dentists may wish to have policies and procedures on privacy compliance when using social media.
