EXECUTIVE SUMMARY

Case managers now have access to technology that makes their jobs easier, but should be careful to preserve patient confidentiality, experts say.

  • Don’t use unsecured devices to send emails or text messages to patients’ family members or caregivers.
  • Consider alternatives, such as a delivery service, when sending information to patients’ primary care providers or discharge destination, unless messages are encrypted.
  • Be careful what you post on social media, particularly photos in your work area.

Today’s technology can be a valuable tool that helps case managers perform the myriad tasks they have to complete in a day. But using technology can leave case managers wide open for ethical breaches and violations of HIPAA, warns Ellen Fink-Samnick, MSW, ACSW, LCSW, CCM, CRP, director of social work education for Athena Forum.

“Case managers have to manage a steady flow of patient information throughout their work day. They use technology for discharge planning, insurance review, quality outcomes, Medicare, Medicaid and other insurance regulations, and other activities. But when they use technology, they need to take steps to preserve patient confidentiality,” she adds.

For instance, a case manager calls a patient’s family and accesses the patient record on the computer. While waiting for the family to return the call, the case manager goes to a meeting with another family, leaving the patient’s protected health information on the screen.

“This scenario and other privacy breaches happen because case managers have to do things quickly and they don’t have time to think. But they still have to be careful that patient information is protected,” Fink-Samnick warns.

Start ensuring patient confidentiality by making sure the department’s records are available only on a need-to-know basis, Fink-Samnick recommends.

“People will snoop. If someone who is famous ends up in the hospital, it’s tempting for staff to access the records either out of curiosity or, in some cases, to sell the information to a media outlet,” she says.

She explains the case of a small hospital system that treated a group of local teenagers who overdosed on drugs or alcohol during a party. “People who were not involved with treating the patients started looking at the charts, at first just for patient status, then for more details. A lot of people were fired,” she says.

Frequent communication with patients and family members is essential, but communication through unsecured devices may not be the best practice from a legal and ethical standpoint, Fink-Samnick says.

“Just because it’s easier for patients and family members, it’s not necessarily the best practice for case managers. Healthcare data breaches that yielded protected healthcare information about patient and families started in 2009. More than 90 million people were impacted by a single episode,” she adds.

Case managers need to be sure the devices they use to contact patients and families after hours are secured and cannot be hacked, she says.

For instance, case managers should not send text messages to patients and families unless the hospital has provided a cell phone that enables secure texting.

Hospitals should have a comprehensive policy and procedure for sending protected information by email and the case management staff should be thoroughly trained on how to comply, adds Elizabeth Hogue, Esq, a Washington, DC-based attorney specializing in healthcare issues.

Case managers should take extra care when they transmit protected health information, whether it’s to patients or to other providers, Hogue says. First, she advises, consider alternatives to the disclosure of protected health information in email. Make a phone call or send the information on a CD, DVD, or flash drive by an overnight delivery service. Or, use encryption to protect the information you email. Encryption programs must meet the standards published by the National Institute of Standards and Technology, she points out.

“Case managers and discharge planners may find encryption very cumbersome. You have to remember to encrypt your message if your hospital’s information system doesn’t encrypt automatically. Then, patients or providers have to have a password to open the message,” she points out.

However, the Office of Civil Rights ruled that if a patient emails you, you can conclude they have consented to email communication and reply without encrypting your message, Hogue says.

When case managers take their work home, they need to make sure the device they use to download patient information is secure and HIPAA compliant, Fink-Samnick says.

Social media presents a different, but equally important, set of potential HIPAA and ethical breaches, Fink-Samnick says.

Fink-Samnick advises case managers not to become friends on Facebook with patients and families, no matter how close the relationship becomes.

Clinicians know they shouldn’t talk about patients in public areas. The same is true about social media, says Patrice Sminkey, RN, chief executive officer for the Commission for Case Management Certification.

Be careful what you post on social media, as it can come back to haunt you, she says.

“Case managers should remember that anyone can do a search and find out what they have posted if they don’t have the highest privacy settings,” she says.

Can posting a photo or comment on social media get you fired? Absolutely. An Internet search will turn up dozens of cases of nurses and other clinicians losing their jobs over something they posted on Facebook, Instagram, and other social media outlets.

Sminkey tells of a clinician who posted a selfie taken in a patient’s room on social media. When the photo was enlarged, a small part of a monitor containing patient information was revealed. The clinician was fired.

“The selfie included an unintended snapshot of the patient’s electronic medical record. This was a simple error in judgment that ended up getting the clinician fired,” she adds.

When a celebrity is a patient, starstruck staff may be tempted to post it on social media, Sminkey says. “It may be fun or exciting to reveal that you’ve seen the celebrity, but what seems like fun could be devastating to your career,” she warns.