WZZM 13 is reporting that several employees of Spectrum Health in Grand Rapids, MI, have been fired over a picture of a patient posted on Facebook.
A source tells WZZM 13 News that an off-duty employee was in the emergency room when he saw an attractive female. He took a picture of her back side and posted it on Facebook. His message read, “I like what I like.” The woman was not identified and her face could not be seen.
The employee who posted the picture was fired and so was everyone who liked it.
Those fired include a registrar, a physician’s assistant, and an emergency room doctor. Not all were direct employees of Spectrum; some worked for a company that provided employees to the hospital.
What can organizations do to protect themselves?
We are seeing more and more cases of HIPAA-related breaches due to social media. Social media-related breaches are a real threat and it is critical that organizations protect themselves. Here are some steps that every organization should take:
- Employee Training – Ensure that all employees receive training on how to protect patient information. Employees need to understand how important it is to protect patient information and how to avoid data breaches. Do not assume that employees understand the risks. Do not assume that employees know what a HIPAA violation is. Employee training should be focused on HIPAA privacy and security.
- Policies and Procedures – Ensure that your organization has written policies and procedures on how employees should protect patient information. Again, don’t assume that employees understand how to protect patient information and the steps that they should follow. HIPAA policies and procedures should be documented and shared with employees including all new employees. Policies and procedures should be accessible to all employees; they do no good sitting in a binder on a shelf.
- Workstation Use Policy / Social Media Policy – Every organization should have a documented workstation use policy and/or social media policy. A workstation use policy clearly defines which employee activities are acceptable and which are unacceptable. The policies should clearly define the use of social media and detail how employees should protect patient information on social media. Policies should define the use of smartphones, pictures and posting information about patients.
The trend seems to be clear that more and more employees are violating patient privacy through the use of social media. Organizations need to take a step back and ensure that employees clearly understand what they should and should not do on social media. Without a detailed plan to ensure that employee awareness is raised, it is just a matter of time before an organization has a HIPAA-related breach due to social media.