April 16, 2012
By: Heather Boerner
In California, a hospital employee posts a patient’s chart to Facebook and makes fun of the patient for seeking STD treatment and birth control.
In Rhode Island, an ER doctor, distraught over the death of a patient, shares that she’s heartbroken, switching the patient’s gender and how she died to protect her identity.
In Wisconsin, an ultrasound tech posts that she’s thrilled that one of her patients is having triplets.
These stories demonstrate the use of social media in the workplace. And all three are violations of the Health Information Portability and Accountability Act (HIPAA) that could nab their employers up to a $50,000 fine.
HIPAA Rules in a Social Media World
““Breaching patient confidentiality is a total no-go, and it has less to do with HIPAA than our standards,” said Will Weider, vice president and CIO of Wisconsin-based Ministry Health Care and Affinity Health System. “At this point, I don’t know that there are many grey areas.”
Indeed, Twitter, Facebook, Tumblr and other social media platforms have transformed the way hospitals market themselves and how patients find them.
But when healthcare workers recklessly tweet, post to Facebook and share patients’ private health issues online, it not only violates HIPAA, it also hurts the healthcare industry’s ability to attract and retain patients.
A clearly laid out social media policy can ward against such snafus. Yet only about 20 percent of hospital systems currently have a social media presence, with a larger proportion operating under general social media policies.
Weider’s policy, which is considered by some to be one of the most forward-thinking in the industry, went online in 2009.
What that means, says David Harlow, principal of The Harlow Group, a Boston-based health care law and consulting firm, is that social media-naive healthcare groups may think a simple ban is preferable to having actual social media guidelines in place.
“That doesn’t work really well because people just use Facebook or Twitter on their smartphones,” said Harlow, who blogs at HealthBlawg. “They can snap a picture and post something inappropriate maybe even more easily from their phone than they can from a desktop computer.”
Social media in the workplace requires clear expectations and policies. Here’s what every social media policy for healthcare organizations should include.
Everything from posting a picture of an ER waiting room -- where a victim of domestic violence could be sitting -- to mentioning anything that identifies a patient, including their condition, prognosis or, as described above, how many kids they are going to have, has the potential to violate HIPAA rules.
“It’s inappropriate to even acknowledge that someone is receiving care here,” said Weider. A patient’s medical experience is their own to share and not something employees should ever disclose, especially on something like Twitter.
Next, explain to staff that no matter how well you try to camouflage a patient’s identity in order to share a story online, you’re likely to fail.
“We’re literally doubling the amount of data available online every couple of days,” said Harlow. “Something that’s de-identified today will not be de-identified next week. That’s why people who blog about patient stories really need to come up with fictitious patients or composites, rather than basing their posts on actual patient histories.”
“What’s a private network?” asked Ed Bennett, a social media expert who also works with the University of Maryland Medical Center and sits on the advisory board for the Mayo Clinic Center for Social Media.
“What if you only have three Facebook friends in your group? What about 300 or 3,000? At some point, you cross the threshold.”
Since people can retweet, share and pass along whatever someone writes on a social network, your social media policy must communicate that whatever employees type into a keyboard is public -- and, with online caches, permanent.
“The way we approach it is lovingly, the way you would with a family member,” said Weider. “When staff tweet about their work, they can assume it is being read by our patients and their fellow employees.”
Keep It Respectful
Patients should never see staff tweeting or updating their Facebook status. “There’s never a time when you want to be looking at Facebook in front of a patient,” said Weider. “That’s never perceived as a positive thing. But on breaks and away from a patient, it’s fine.”
Keep It Alive
Finally, it’s not enough just to have a social media policy, said Harlow. You have to train and periodically remind staff of it.
Weider’s Affinity Health System did an initial in-service on its policy and addresses social media in the workplace in annual employee refreshers.
Harlow suggests revisiting the policy and offering staff refreshers every six months, as well as including your social media policy in employee onboarding sessions.
“You want the policy to be really alive among the staff,” said Harlow.
Once you have a social media policy that works to keep patient information secure, you get a surprising result, said Weider.
“There’s a huge potential benefit for our organization,” he said. “I wanted to attract tech-savvy employees who know how to leverage this technology. I didn’t want a policy that would scare away the workforce I try to attract.”
Even better, says Weider, is that, “People love working here, and they share the things happening at the hospital and clinic on social media.”