Evaluating legal risks in photos of nursing home residents on social media
Prompted by recent media reports and lawmaker focus, the Centers for Medicare & Medicaid Services recently instructed State Survey Agency Directors to survey “nursing home policies and procedures related to prohibiting nursing home staff from taking or using photographs or recordings in any manner that would demean or humiliate a resident(s),” including posting on social media.
CMS specifically stated that “staff” is not limited to employees but also includes “consultants, contractors, volunteers, and other caregivers who provide care and services to residents on behalf of the facility.” With surveys to begin in early September, nursing homes should be aware of potential legal implications of noncompliance and take steps now to prepare for the upcoming policy reviews. (These risks can also impact other facilities, including assisted living, hospices, and hospitals.)
Violation of conditions of participation
Taking, posting, and sharing unauthorized images of residents via social media (e.g., Facebook, LinkedIn, Snapchat, Instagram, etc.) can constitute abuse in violation of the Federal Conditions of Participation (COPs) for nursing homes.
CMS identified several provisions in particular that may be violated by such unauthorized posting of photographs or videos, including 42 CFR § 483.13(b)–(c), the COPs related to patient freedom from abuse and staff treatment of residents. CMS also specifically identified 42 CFR §483.10(e), the COP related to resident privacy and confidentiality, and referenced requirements related to training of staff and the facility’s response to allegations of abuse, citing relevant COPs for these items as well. CMS makes clear that violations can occur even if the images are not ultimately posted or shared and that the mere taking of a photograph can constitute abuse if it, or the way in which it is used, “demeans or humiliates a resident(s), regardless of whether the resident provided consent and regardless of the resident’s cognitive status.”
Violations of the COPs via social media postings can lead to a variety of negative consequences for nursing homes, including adverse licensure actions, civil monetary penalties, and other sanctions by Federal and state regulatory authorities.
Violation of HIPAA Privacy Rule
Posting photographs or videos of residents without proper written authorization can result in a HIPAA violation and trigger HIPAA breach analysis and reporting requirements. The HIPAA Privacy Rule protects the privacy of protected health information (PHI) from unauthorized use or disclosure. The Privacy Rule applies to “covered entities,” which includes nursing homes that submit claims electronically. Any use or disclosure not otherwise permitted under HIPAA must be approved by the patient via a HIPAA-compliant Authorization.
Simple consent by a patient will often not be sufficient to meet the specific requirements of a HIPAA Authorization, even if that consent is in writing. If a use or disclosure is made that either does not fall into one of the permitted categories or is not appropriately authorized, the HIPAA Breach Notification Rule is triggered, and the nursing home must assess whether the use or disclosure constitutes a breach and document that assessment. If the use or disclosure is in fact a breach of PHI, the nursing home must notify affected individuals within 60 days of the breach. If the breach affects more than 500 residents of a State or jurisdiction, notice to the media is required as well. In all cases, the nursing home must also report the breach to the U.S. Department of Health and Human Services (HHS).Notably, the HHS Office for Civil Rights recently announced its intent to open more investigations of breaches involving fewer than 500 affected individuals.
Posting pictures to Facebook or other social media sites can easily lead to a breach of PHI. Even the disclosure of minimal information can amount to a breach. For example, a full-face photograph combined with the name of the facility and posted without a HIPAA-compliant authorization can trigger breach reporting requirements.
Similarly, a partial photograph combined with a resident first name can also trigger breach reporting requirements. Even a well-intentioned photograph (for example, by a volunteer organization posting photos of an event at a facility) can amount to a breach if the posting is not appropriately authorized.
Failure to comply with HIPAA by posting images or videos of residents to social media sites can lead to investigations by OCR, civil monetary penalties, and criminal penalties. The civil monetary penalties under HIPAA are tiered and can range from $100 to $50,000 per violation per day during the time the covered entity is in violation of the applicable provision.
The tier system takes into account a variety of factors, including a covered entity’s knowledge of the violation and corrective actions taken. Given the extensive coverage of issues surrounding posts to social media by nursing home staff, it is unlikely that OCR would take a lenient position for a covered entity that has failed to implement policies against such unauthorized disclosures.
Violation of state laws
In addition to federal regulatory violations, there are numerous state-specific laws that may apply to an unauthorized taking or posting of photographs or videos. Many states have adopted their own privacy or breach notification rules, similar to the federal HIPAA rules. If a state law is more protective of individual rights, nursing homes will be required to follow the state law. In addition, state or common law claims for invasion of privacy or other privacy torts may be available for patients to bring against nursing homes as a result of unauthorized photographs or videos, whether or not they are posted to social media. These laws may afford individuals a private right of action, meaning that individuals or their families may be able to sue nursing homes directly, in addition to any actions brought by the federal or state governments.
Steps to take now
In anticipation of surveys, nursing homes should review their social media policies, procedures, training, and implementation addressing social media activity now, and should be prepared to produce these policies (and evidence of compliant implementation) at the next survey.
As nursing homes review their policies, they should confirm that the policies expressly state that they are applicable to “consultants, contractors, volunteers, and other caregivers who provide care and services to residents on behalf of the facility,” in addition to employed staff. Facilities should ensure that ancillary providers and volunteer organizations, including well-intentioned church or community volunteers, understand the limitations placed by law on social media postings.
Nursing homes should review existing photography and social media training of staff (including volunteers and volunteer organizations), and consider refresher training (or develop such training if it does not already exist).
In addition to a review of the policies and training, nursing homes should consider conducting a self-audit of implementation, including confirming that the response process is being followed as required to “report all allegations of abuse, provide protections for any resident involved in the allegations, conduct a thorough investigation, implement corrective actions to prohibit further abuse, and to report the findings as required.”
Finally, nursing homes should designate one person or department to oversee any social media presence the nursing home decides to cultivate. Social media can be an effective tool to connect with patients and families, to engage the community, or to advocate for industry change.
However, social media use can create many risks. If a nursing home chooses to officially permit social media activity by its staff, it should monitor any social media websites or postings to ensure that they remain compliant with applicable requirements.
Nursing home survey teams will be requesting and reviewing nursing homes’ policies and procedures, as well as evaluating training and implementation, starting in early September 2016. Review of these policies will be a part of standard surveys, whether a Traditional or Quality Indicator Survey. Per CMS, surveyors are to “implement this policy until each nursing home has been surveyed for the inclusion and implementation of such policies.”
Accordingly, nursing homes should take steps now to ensure that they are prepared for this review.
H. Carol Saul is a partner in the Healthcare Practice at Arnall Golden Gregory and leads its Hospitals and Health Systems Initiatives. Madison M. Pool is an associate in the Healthcare Practice at Arnall Golden Gregory.