Social media and patient privacy lessons ripped from the headlines

You can't make this stuff up. Sometimes, the greatest lessons come straight from the headlines.

FierceHealthcare readers often write in with questions about patient privacy in the evolving world of social media. That includes our Fierce editors, who have questions of their own about the increasingly gray areas of what's right and legal.

With that in mind, FierceHealthcare examined what hospitals are doing to ensure patient information stays safe, especially as they and their patients use social media even more.

Notorious cases of patient privacy violations via social media

Remember these scandals in recent history?

> A certified nursing assistant at Kindred Transitional Care and Rehabilitation in Indiana took a photo of a paraplegic's butt after he had a bowel movement and posted it to Facebook in May 2011, telling her coworker, "This is too funny. I need to take a picture of this," RTV6, an ABC affiliate, previously reported. The medical facility fired her, and the nursing assistant faced a voyeurism charge.

> A physician at Westerly Hospital in Rhode Island recounted her emergency room experiences on Facebook in April 2011. Although the doctor didn't include the patient's name, she included enough detail about the patient's injuries that a third party was able to identify the patient. The incident led to a guilty charge of unprofessional conduct and $500 fine by the state medical board.

> Emergency nurses and staff from St. Mary's Medical Center in California posted a photo on Facebook of a stab victim, who died soon after the photo was taken, the Los Angeles Times reported in April 2010. Coworkers, as required, reported the event. The involved staff members were fired or disciplined, the Associated Press reported.

> Hospital employees at Tri City Medical Center in California in June 2010 allegedly used Facebook to discuss patients. Six registered nurses at the hospital were put on administrative leave, North County Times reported.

______________________________

"It's just Facebook. ... It's just a name out of millions and millions of names."
_______
_______________________

> At Providence Holy Cross Medical Center in California, an employee in December 2011 posted a picture of a patient's medical record on his Facebook account, apparently to make fun of the woman, according to the Daily News of Los Angeles. He wrote, "Funny, but this patient came in to cure her VD and get birth control." When others scolded the employee, he responded, "People, it's just Facebook. ... It's just a name out of millions and millions of names. If some people can't appreciate my humor, then tough. And if you don't like it, too bad because it's my wall, and I'll post what I want to."

Who's responsible to protect health information under HIPAA and HITECH?

One of the biggest lessons from recent cases is that patient information can be very broad.

The Health Insurance Portability and Accountability Act of 1996, better known as HIPAA for short, and Health Information Technology for Economic and Clinical Health (HITECH) Act, are patient privacy rules in which covered entities must secure protected health information (PHI).

What's PHI? "Basically anything used to identify a patient," Tatiana Melnik, an associate at Dickinson Wright in Ann Arbor, Mich., told FierceHealthcare. PHI can be patient names, photos of their faces or even tattoos, as well as medical conditions or location.

And who's responsible for protecting that information? "Covered entities," which can be hospitals, physicians, nurses, health plans or business partners that handle PHI.

"People don't seem to understand that posting that kind of information, is in fact, a breach because they think 'I'm one of millions. It's very difficult to find out where I am,' where in fact, that's not the case," Melnik noted. "It's much easier than people than think to find out who someone is."

And there are some rogue employees. "Sometimes, the person knows it's wrong, and they're doing it anyway," Melnik noted.

______________________________

"People don't seem to understand that posting that kind of information, is in fact, a breach because they think 'I'm one of millions.'"
_______
_______________________

Good intentions can spell trouble

Even well-intentioned providers may inadvertently violate HIPAA and HITECH. For instance, if a care coordinator who is friends with a patient on Facebook notices that her patient lost some weight and congratulates her by commenting, "I hope your diabetes has improved" without the patient mentioning her condition first, that could be a breach.
 
"That kind of thing, it's very easy to make because you think you're being friendly, and there's no malice intended … but it's still a breach," Melnik said. She added that a best practice is for providers to avoid "friending" patients, although she acknowledged that's harder to do in smaller communities.

One of the most common situations of social media fumbles are patients posting about other patients. Although it's not a breach of HIPAA or HITECH (because patients aren't considered "covered entities"), the hospital still has a responsibility under state law to protect patients.

For instance, if a patient wants to compliment his nurse by posting a photo, the picture could have the name of another patient's medication in the background. Remind patients that photography must go through the public relations department. Also consider posting no-cellphone notices in the hospital.

Have a social media policy and train employees on it

The best way to spell out guidelines for employees is, of course, by having a social media policy.

But there's no need to reinvent the wheel. The social media policy need not be different than your existing policy on patient privacy, Melnik explained. The hospital can have a social media-specific policy if it likes.

At the same time, you want to make sure you are allowing your employees to freely discuss working conditions in their personal lives.

"You want to make sure you're not overstepping boundaries," Melnik said.

She advised hospitals look to the National Labor Relations Board's social media policy as an example, as well as other hospitals' social media policies.

And even more importantly, once you have that social media policy in place, be absolutely sure to train employees.

"It's really important to make sure employees are trained. It's actually much worse to have a policy and not enforce it," Melnik said, adding that hospitals could be held liable for having a policy and ignoring it.

Know and set the consequences

In some cases, a social media PHI breach might not call for an immediate employee termination. For instance, if the care coordinator let the patient take a photo of another patient's medication, it's up to the hospital's discretion of how hard a line it wants to draw.

"It's doesn't have to be, 'Well you violated it, and you're automatically terminated.' You can absolutely have flexibility and analyze what happened," Melnik noted.

But some hospitals do automatically terminate employees because the risk is too great.

Check business agreements

Equally important to informing employees of the social media policy is letting business partners know. Business partners and contractors also are considered "covered entities"--from the electronic health record vendor to the company that services the photo copier and handles PHI.

______________________________

"It's actually much worse to have a policy and not enforce it."
_______
_______________________

"Err on the side of having them sign a business associate agreement" for anyone that has access to patient information, Melnik said.

In the agreement, make sure to spell out notification requirements so the hospital has time to investigate and report. Covered entities are required to report a breach of more than 500 affected individuals within 60 days.

"That clock starts running as soon as someone in your organization knew or should have known by conducting reasonable diligence," Melnik said.

Don't be afraid of social media

And finally, the notorious cases of providers behaving badly on social media offer lessons, but HIPAA and HITECH shouldn't deter hospitals from using social media, which can be a powerful tool.

"There are all kinds of services and educational things that hospitals can provide through using social media that could be very helpful to the community and increase their profile at the same time," Melnik said.

Related Articles:
Who's responsible for protecting patient privacy on social media?
5 social media tips for apprehensive hospitals
Is it time to update your social media policy?
Patients choose hospitals based on social media
Healthcare social media a 'moral obligation'
Why hospital social media is a full-time job