Social Networking Management Guide
Compliance and Legal Services
Table of Contents

IU Health Policies ... 3
  ADM 1.13 Standards of Conduct for Business Practices
  ADM 1.98 Information Security Incident Response & Security Breach Notification
  ADM 2.05 Internet Social Networking
  ADM 2.07 Photography and Recordings
  HIPAA 2.01 Reasonable Safeguards for Privacy and Confidentiality of Protected Health Information
  HR 105 Corrective Action
Consistently Manage Social Network Violations ... 4
  Initiate Documentation Template
  Obtain Screenshots
  Notification
  Interview Social Network Participants
  Consult Subject Matter Experts at IU Health
Social Networking Investigation Documentation Tool ... 6
Employee Education / Training ... 8
  New Employee Orientation
  Annual Mandatory HIPAA Privacy and Security Awareness Web-Based Training
  In-services
Resources ... 9
Frequently Asked Questions ... 10
Contacts at IU Health ... 13
IU Health Policies

IU Health recognizes Internet social networking is a common way for people to interact socially and professionally. Participation on social networking sites carries the potential for breach of information. Workforce members have an ongoing obligation to protect the privacy and confidentiality of IU Health families and patients even when not at work. IU Health Policies and Procedures provide guidance and expectations for appropriate use of Internet social networking sites.

The following policies are available to guide IU Health workforce members to appropriately engage in Internet social networking:

  ADM 1.13 Standards of Conduct for Business Practices.pdf
  ADM 1.98 Information Security Incident Response & Security Breach Notification.pdf
  ADM 2.05 Internet Social Networking.pdf
  ADM 2.07 Photography and Recordings.pdf
  HIPAA 2.01 Reasonable Safeguards for Privacy and Confidentiality of Protected Health Information.pdf
  HR 105 Corrective Action.pdf
Consistently Manage Social Network Violations

IU Health maintains open communication to encourage personnel and others to report and/or seek guidance regarding potential or actual misconduct related to social networking. Department Management, Legal Services, Compliance Services, Information Services and Employee Relations will investigate each report of possible information breach using social networking sites. Tools and resources are available to consistently capture and document information. Corrective action will be consistently and fairly applied when applicable.

Personnel may contact any member of the Management team, Compliance Services, Legal Services, Information Services, Safety and Security, etc. to report a possible social networking violation.

The Management team of the involved personnel, with support of Compliance Services, Legal Services and Employee Relations, is responsible to:

- Initiate the Social Networking Investigation Documentation tool
- Obtain screenshots of the user's profile from the social network site, the initial post in question and any subsequent comments
  o Information Services may be able to assist in the recovery of these documents depending on the user's security settings
- Immediately contact the Department Director, Employee Relations, Compliance Services and/or Legal Services
  o Management and/or Employee Relations may recommend suspension during investigation
  o Compliance Services and/or Legal Services will determine whether there is a potential breach and whether the incident is reportable to a government agency and/or law enforcement
- Interview each workforce member who participated in the posts
  o Personnel should be interviewed individually and systematically as soon as possible after the concern is identified
- Initiate the interview with an attempt to understand what the employee knows about the policies surrounding social networking and HIPAA
- Determine whether the employee completed the annual mandatory HIPAA Privacy and Security Awareness training through elms
  o Request personnel remove the posts from their social networking sites
- Following personnel interviews, consult with Employee Relations to ensure the proper level of discipline for each person is given
  o Discipline may not be the same for all involved depending on the complexity of their involvement
- Determine the need for focused training in the department
Social Networking Investigation Documentation Tool

Reported by: ________________________  Contact #: ______________
Responsible Management: ________________  Contact #: ______________
Circumstances of the Social Networking concern:

Type and Scope of Confidential Information on the Social Networking site:

DATE DONE | TASK                                                                 | RESPONSIBLE PARTY / CONTACT #
----------|----------------------------------------------------------------------|------------------------------
          | Screenshots obtained of: the user's profile from the social network  |
          | site, initial post in question, subsequent comments                  |
          | Department Director notified                                         |
          | Employee Relations notified                                          |
          | Compliance Services and/or Legal Services notified                   |
          | Others notified / reason:                                            |
Notes:

DATE DONE | TASK                                                                 | RESPONSIBLE PARTY / CONTACT #
----------|----------------------------------------------------------------------|------------------------------
          | Workforce members identified                                         |
          | Workforce members removed posts from their social network site       |
          | Workforce members interviewed                                        |
          | Investigation notes reviewed by Management, Employee Relations,      |
          | Compliance Services and/or Legal Services                            |
          | Corrective action types per employee established (list corrective    |
          | action type(s))                                                      |
          | Education needs established                                          |
          | Training completed, if applicable                                    |
          | Personnel records updated per HR policies                            |
Notes:

Note: Compliance Services and/or Legal Services will ensure government and law enforcement agencies are notified, when required, under Attorney Client Privilege.
Employee Education / Training

IU Health workforce members receive HIPAA Privacy and Security training upon initial employment, volunteer work, student orientation, or third-party contract, and annually thereafter or upon material changes to any corporate or department policies and procedures that regard the privacy, security, and confidentiality of individual health information. Specialized training / in-service(s) to address specific concerns is available by request made to the Compliance Services Department.

Documentation regarding training for the entity's workforce shall be retained for a period of at least six years from the date of its creation or the date when it was last in effect, whichever is later. The documentation shall be retained by Department Management. Documentation related to online training courses and the databases of employees completing the online courses shall be maintained by the Learning Solutions Department.
Resources

IU Health maintains a comprehensive, formal program of general compliance and HIPAA training to ensure that IU Health personnel are aware of their legal, moral and ethical responsibilities. Personnel have access to IU Health policies located on PULSE, the intranet site for IU Health. It is expected that IU Health personnel will abide by the ethical standards of the professions to which they belong.

Additional resources:
  Social Networking: Frequently Asked Questions (attached)
  Contacts at IU Health (attached)
  Annual mandatory web-based training through elms
  In-services upon request
Social Networking Frequently Asked Questions

Question: Is it okay to say where I work on my Facebook status?

Answer: Once you post your place of employment and your role, it can be construed by some that you are always on duty. This opens the door for unsolicited requests for healthcare guidance. Posting your place of employment also allows viewers to identify persons or circumstances associated with your posts through association. If you post your place of employment on your profile, it is important to maintain constant awareness of your personal and professional boundaries. Posts that may be associated with your work should include a disclaimer that the post is your personal opinion and does not represent the opinion of IU Health.

Question: Families sometimes ask me to be their friends on Facebook. I know we are strongly urged not to. How do I answer them without sounding rude?

Answer: Let the requestor know you are honored that you were asked to befriend them; however, professionally and ethically you may not accept their request.

Question: My neighbor was my friend long before being a patient at IU Health. Is it okay to remain friends online?

Answer: Yes. It is important to always remain conscious of your professional and ethical duty to maintain patient confidentiality regardless of personal relationships. It would be appropriate to advise friends that you will not comment on health-related matters through a public site. Social networks are all public sites regardless of their privacy settings. Also be mindful of photos or recordings that associate a nurse/patient relationship.
Question: How do I know what kind of information is okay to post and not to post?

Answer: It is never permissible to post any photographs, recordings or other information about a patient on a personal social networking site. Information posted for educational purposes on sites such as those created by IU Health or YouTube is posted only after a detailed consent is signed by the patient and permission is granted from IU Health Corporate Communications. Use good judgment; if you are not certain about the appropriateness of posting, then do not post. See below for guidance related to professional networking sites.

Question: Is it permissible to post a picture taken at a picnic where both employees and patients were present? My colleagues and I are the only people who know who the patients are in the photos.

Answer: No, it is generally not appropriate to use photographs taken during IU Health related functions without obtaining the written permission of those in the photograph. You can never be certain that you and your colleagues are the only people who know the connection of those in the photographs.

Question: My security settings are set so that only my family and friends can see what I post. How would my information be released to the general public?

Answer: Even disclosures to friends and family are considered public. You are not allowed to share confidential patient information with friends and families, whether at home or through Internet postings. Also, remember that a family member or friend can copy the content of your Internet site to share through their sites with people that you do not know. It is possible to see postings through friends of friends who are not as careful as you when setting security parameters and posting comments on a public forum.

Question: What if someone tags me in a picture and it shows up on my personal network site?

Answer: If it is a photograph that you believe to be inappropriate, ask the person who tagged you to remove you from the tag and remove the picture from your site (and the other individual's site as well, if you believe it to be an inappropriate posting, such as a breach of privacy).

Question: Is it okay to put a link to IU Health sites, such as for fundraising, on my personal network site?

Answer: Yes, if the purpose is to guide individuals to a trusted site for information.

Question: What about CaringBridge and similar sites?

Answer: Pages on CaringBridge and other similar sites are typically set up by patients, guardians or significant others who share confidential information about themselves or their loved ones. Although healthcare personnel did not disclose confidential information, the healthcare personnel must continue to maintain their professional and ethical duties not to participate in healthcare-related discussions on sites like CaringBridge. For example, it would be appropriate to post a caring note for the family or patient, but it would not be appropriate to post clinical information about the patient or to indicate that you know the patient because you are caring for the patient.

Question: As a professional, is it ever appropriate to participate in social networking?

Answer: Yes. Social networking sites and blogs are an excellent resource to learn about different treatment modalities, connect with other professionals and follow healthcare trends. Refer to IU Health ADM Policy 2.05, Appendix B: Internet Social Networking Guidelines for guidance. Also see IU Health ADM Policy 1.13 Standards of Conduct for Business Practices.
Contacts at IU Health for Privacy and Security Matters

Name             | Department                                   | Phone Number
-----------------|----------------------------------------------|--------------
Valita Fredland  | Privacy Officer / Legal Services             | 317.962.3455
Rasma Kancs      | Director Compliance Services / HIPAA         | 317.962.1732
Roxanne Binford  | Program Manager / HIPAA                      | 317.962.6057
Brian Quick      | Security Officer / Information Services      | 317.962.9190