Just how clear is your social media policy?

Does your hospital have a social media policy? And if so, does it extend to employee use of sites not hosted by your organization?

One thing I've noticed while perusing hospital social media policies that were lurking on the web is that most seem to refer only to terms and conditions that apply to medical center-sponsored websites.

That may be shortsighted.

Consider the case of Cheryl James, an Oakwood hospital worker in Michigan who was fired over Facebook comments she made about a cop-killer patient. "She never imagined posting something on Facebook from her own computer on her own time would get her fired," WJBK Fox 2 reported.

Oakwood Healthcare, Inc., the parent company of the hospital, more than a year ago "developed comprehensive social media guidelines based on a careful review of industry best practices, while keeping patient privacy at the forefront," Media Relations Manager Paula Rivera-Kerr wrote in an email to FierceHealthcare. The rules apply whether at work or at home, she noted.

Giving out details that make it possible to identify a patient even if his or her name has not been revealed can result in termination, because it amounts to a breach of HIPAA rules and regulations, an Oakwood media statement says.

Still, Ms. James' costly mistake and other Facebook disclosures that violated patient confidentiality make me think we should pause a moment and treat this as a teachable moment.

If even a healthcare organization that had developed social media guidelines applicable to work or home saw a worker go astray, what can be done to make policies even more clear, so workers understand which actions could constitute a breach of patient privacy and jeopardize their jobs?

I thought Kaiser Permanente's social media policy offered up some best practices worth noting. First, it spells out the terms for using Kaiser Permanente-hosted sites and non-Kaiser hosted sites. And within that "other" category, the language on member/patient confidentiality seems explicit, yet easy-to-understand:

"Employees may not use or disclose any member/patient identifiable information of any kind on any social media without the express written permission of the member/patient. Even if an individual is not identified by name within the information you wish to use or disclose, if there is a reasonable basis to believe that the person could still be identified from that information, then its use or disclosure could constitute a violation of the Health Insurance Portability and Accountability Act (HIPAA) and Kaiser Permanente policy."

It also helps that Kaiser tells you the policy also applies to the use of social media when away from work, when the employee's Kaiser affiliation is identified, known, or presumed.

Another approach is to write a blanket policy so that those who work at your organization know HIPAA extends to what they write on Facebook on their own time and computers. Here's an example of relevant language from the Cleveland Clinic's social media policy:
"You are prohibited from posting any content that is personal health information including patient images on any Social Media Site," it says.

But how broadly that should be interpreted is unclear, because the intro to the section suggests that the terms must be followed by those who post on any Cleveland Clinic social media site.

Here's another example of something hospitals and healthcare systems could consider doing, if they haven't already, to make it easier for staff to absorb the rules. Have two sets of guidelines for your social media policy. This example  comes from Ministry Health Care and Affinity Health System's CIO Will Weider. You'll see the draft legal document where all capitalized terms are defined. Ideally, the CYA legal document should satisfy your lawyers and regulatory and compliance folks.

But since legal documents are not always the best way to convey information that you want to sink in, consider writing a separate set of employee guidelines in a more reader-friendly format that includes generous amounts of white space. And don't be afraid to really push certain key messages. Here's an example from Ministry Health Care and Affinity Health System's more user-friendly guidelines:

"Don't betray our patient's trust (and don't get arrested)
Remember, disclosing confidential patient Protected Health Information (PHI) in an inappropriate manner is a federal offense. The penalties include significant fines and/or arrest. Ministry employees should never publicly make comments about the care of a specific patient, especially online. Even acknowledging the care of a patient is an unacceptable disclosure of PHI."

Just in case you missed the part that warns against disclosing protected health information, the next section takes a stronger tone with a heading that says: Don't get fired.

The privacy issue is reinforced in the first bullet point, which tells you not to post work-related information that may compromise the organization's business practices or patient privacy and security. Tying the privacy violations with legal or employment ramifications drives the point home, doesn't it? - Sandra