ZenGRC

Simply Powerful GRC

Blog

HIPAA and Social Media: What You Need to Know

· ·

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was signed into law before the rollout of major social media sites such as Facebook, Twitter, and Instagram. And as such, there are no specific HIPAA rules for social media.

However, some HIPAA laws and standards apply to the use of social media by health care organizations and their workers. Because of that, each health care organization must implement a HIPAA social media policy to decrease the risk of HIPAA violations.

The HIPAA Privacy Rule forbids the use of protected health information on social media networks. Protected health information includes text, videos, and images about specific patients that can enable others to identify them.

Health care providers can only use patients’ protected health information in social media posts if their patients have given written consent. And the health care organizations can only use the patients’ protected health information for the purposes specifically mentioned in their consent forms.

Still, health care organizations can realize a number of benefits of using social media. For example, social media platforms enable health care providers to interact with their patients, involving them in their own health care. Additionally, health care providers can use social media to attract new patients.

They can also use social media to more easily and quickly offer patients information about new services, as well as post health tips, details of events, staff bios, and new medical research, as long as they don’t include any patient protected health information (PHI) in their social media posts.

Despite the benefits, health care organizations that use social media platforms can still run the risk of violating HIPAA rules and patient privacy.

According to the U.S. Department of Health and Human Services (HHS), most HIPAA violations in recent years have been caused by employees mishandling patients’ PHI, including by inappropriately sharing the information on social media sites.

Violations under the HIPAA Privacy Rule include civil monetary penalties ranging from $100 per violation to $50,000 per violation based on a tiered structure. The annual maximum penalty is $1.5 million. Criminal penalties could result in fines of up to $250,000 and up to 10 years in prison. Other consequences of violating the HIPAA Privacy Rule include the loss of medical licenses, termination of employee(s), and lawsuits.

However, by following HIPAA social media guidelines, health care organizations and their employees can use social media sites while maintaining HIPAA compliance and safeguarding patient privacy and patient information.

HIPAA Social Media Guidelines

To avoid violating the HIPAA Privacy Rule, your health care organization should follow these basic HIPAA social media guidelines:

  • Establish clear policies to cover the use of social media and make sure that all your staff members understand how HIPAA relates to social media platforms.
  • Educate all your employees on the acceptable use of social media as part of HIPAA training. Conduct annual refresher courses.
  • Offer employees examples of the acceptable use of social media and the unacceptable use of social media to improve their understanding of the issue.
  • Explain the possible penalties for HIPAA social media violations to all your employees.
  • Ensure your compliance department approves all new uses of social media sites.
  • Create policies and procedures on the proper use of social media for your marketing department, which should include standardizing how marketing takes place on social media platforms.
  • Review and update your social media policies annually.
  • Establish a policy requiring that your staff members keep their personal and corporate accounts totally separate.
  • Develop a policy mandating that your legal department or your compliance department approve all social media posts before they’re posted.
  • Monitor your company’s social media accounts and social media communications.
  • Implement controls to flag potential HIPAA violations.
  • Keep a record of social media posts using your company’s official accounts that save posts, edits to the posts, and the format of social media messages.
  • Don’t conduct conversations over social media with patients who have disclosed their protected health information on social media sites.
  • Require your employees to report any potential HIPAA violations.
  • Include your social media accounts in your company’s risk assessments.
  • Implement appropriate access controls to prevent the unauthorized use of your organization’s social media accounts.
  • Moderate all comments on social media platforms.

HIPAA compliance should be an ongoing part of your total compliance program. In addition, if you continually train your employees about potential HIPAA violations that can happen when they use social media, your organization will reap the benefits of social media tools.

What is SB 561 for CCPA?

· ·

On May 16, 2019, the California Senate Appropriations Committee blocked Senate Bill 561, legislation that would have expanded a private right of action under the California Consumer Privacy Act (CCPA).

Signed into law on June 28, 2018, by then-Governor Jerry Brown, CCPA enhances privacy rights and consumer protection for California residents. The law goes into effect Jan. 1, 2020. The California Attorney General’s Office will begin enforcing the law on July 1, 2020, or six months after it publishes the final regulations, whichever comes first. 

On February 25, 2019, California Attorney General Xavier Becerra and California State Senator Hannah Beth-Jackson introduced SB 561. Had it become law, SB 561 would have allowed consumers to sue businesses if any of their rights had been violated. 

As it stands, the CCPA only allows consumers to bring actions against companies if their unencrypted personal information was subject to data breaches because those companies failed to implement reasonable data breach security measures.

In addition, SB 561 would have removed the 30-day cure period requirement for enforcement actions brought by the attorney general. Currently, a business would only be in violation of the CCPA if it doesn’t cure any alleged violation within 30 days after being notified of alleged noncompliance.

SB 561, however, would have allowed the attorney general to bring enforcement actions for a violation of the CCPA even if a business had “cured” the alleged violation. The proposed amendment would no longer allow a company to seek guidance from the attorney general about how to comply with the CCPA.

Instead, SB 561 stated that the attorney general “may publish materials that provide businesses and others with general guidance” on how to comply with the CCPA.

What is the Difference Between HIPAA and FERPA?

· ·

HIPAA and FERPA are both federal laws designed to protect the privacy and security of individuals. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies to the healthcare industry where the Family Educational Rights and Privacy Act of 1974 (FERPA) applies to the education industry.

HIPAA provides privacy and security for protected health information (PHI). Created by the U.S. Department of Health and Human Services (HHS), the HIPAA Privacy Rule protects sensitive patient information by setting forth patient rights and standards for health plans, health care clearinghouses and health care providers who collect and store patient identifiable information in electronic form.  The HIPAA Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI.  

FERPA is in place to protect the privacy of student education records and designates rights for students and their parents. According to the Department of Education, education records include such information as academic report cards, transcripts, class schedules, disciplinary records, contact information, and family information. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Educatons.  FERPA gives parents certain rights with respect to their children’s education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level.

The HIPAA Privacy Rule does not typically apply to primary and secondary schools. In grades K–12, student health records are considered to be educational records. This consideration is either because student health information in education records is protected under FERPA or because the school is not a HIPAA-covered entity. In fact, FERPA applies to most public and private postsecondary institutions and to student records at campus health clinics of these institutions. In that case, they are either referred to as education records or treatment records under FERPA and therefore are excluded from the HIPAA Privacy Rule, even when the school is a HIPAA-covered entity.

In the case where a health plan at a higher education institution is treating nonstudents, they are still not considered to be bound by HIPAA unless they transmit health care information in electronic form in connection with the submission of claims for payment.

Regardless of whether HIPAA or FERPA applies, state laws concerning privacy need to be considered as well. State laws are more specific and rarely conflict with HIPAA or FERPA. And, if more than one law is applicable, the more stringent one typically applies.

What is Risk Management in Manufacturing?

· ·

Risk management in manufacturing refers to the unique challenges that the manufacturing industry faces in managing risks. Cybersecurity risks can be especially challenging to manage.

Increased digital connectivity via artificial intelligence such as robots, the internet of things (IoT), augmented reality, and other forms of new technology can make factories more efficient. But every connection serves as a possible portal for cybercrime.

And the stakes for manufacturing organizations can be especially high. A breach of one factory or facility could cause shutdowns or damage to its sister factories, resulting not only in lost productivity and revenue, but also, possibly, worker injury and even death.

Special risk management considerations for manufacturing companies include:

Enhanced Risk Assessment

Assessing a manufacturing company’s potential risks doesn’t just entail examining its own IT systems and cybersecurity. Risk identification should extend throughout the supply chain, starting with providers of the raw materials its factories use, and include third-party vendors.

Strategic Risk Identification

What risks are likely to be your greatest concern years into the future? In a Deloitte survey of manufacturing companies, executives said cybersecurity would be their number-one risk management priority. Compliance with critical infrastructure risk management frameworks such as National Institute of Standards and Technology Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, is key, especially for companies affected by federal security regulations regarding critical infrastructure.

SCADA Quality Assurance

Keeping Supervisory Control and Data Acquisition (SCADA) systems and Industrial Control Systems (ICS) always on is crucial, so quality assurance testing is imperative. SCADA systems monitor and control a plant or equipment in industries such as manufacturing, telecommunications, water and waste control, energy, oil and gas refining, and transportation. Upgrading and updating systems and software, and monitoring them continuously, are also key. Our 11-step guide to managing manufacturing risk can help.

Automated GRC

Numerous case studies show that software such as the Reciprocity ROAR® Platform can greatly simplify the task of risk management for manufacturing organizations, and ensure compliance with regulations and standards come audit time.