Memo: subsidiary websites

The question

We have our [redacted] website but just found that our substance abuse team has created another website that just specifically addresses addiction and the services provided. The only association it has with our office is a small little logo at the bottom of the page. And the telephone number listed goes directly to a staff member's cell phone. Do you find this an issue?

The answer

Strictly regarding subsidiary websites, the existence of a separate site is not, by itself, a violation or a problem. Many hospitals and practices maintain separate websites when a service line is substantially differentiated from the parent organization.

However, the problem with the [redacted, subsidiary] team website is that this website was created without the prior express authorization of the parent organization. The website was created and is managed outside of the normal reach of the parent organization and the project was undertaken in violation of the organization’s policies and procedures (this is assumed, based on unseen policies and procedures).

The inclusion of a staff member’s cell phone number on the site as the primary method for contacting the substance abuse team creates a chain-of-custody problem. A patient suffering from substance abuse might leave sensitive information in a voicemail on the staff member’s cell phone. Without any assurance as to the privacy and security of that potentially sensitive information, such an incident could be considered an unauthorized disclosure.

Depending on the organization’s policies and procedures regarding a BYOD (bring your own device) policy and mobile device management, this creates a continual vulnerability for sensitive information to be disclosed, unintentionally or otherwise.

Additionally, the substance abuse website might not sufficiently publicize the organization’s notice of privacy practices (this is assumed, based on unseen website).

Suggested corrective action

The website should immediately be brought under the direct control of the parent organization, taken offline so that it is not publicly accessible until corrective action is completed, and evaluated by the individuals designated as responsible for website maintenance. Any deficiency should be brought into compliance in accordance with the organization’s policies and procedures. The staff responsible for acting outside of the organization’s policies and procedures should be made aware of the problems their actions have caused, along with appropriate disciplinary sanctions.