Complying with HIPAA requires clear social media strategy for staff

December 31, 2012

You can take action to leverage social media in your practice without running afoul of HIPAA and hospital PHI policies.

While the emergency department (ED) at Martin Memorial Medical Center in Stuart, Fla., struggled to save a shark attack victim’s life, two paramedic students who were in the ED as part of their college training took digital photographs of the patient, who later died. When their instructors noticed the picture-taking, they ordered the students to stop, informed them of the hospital patient privacy policy, and advised them to delete the photos from their cell phones. Unfortunately, the students already had emailed the photos to friends.

The medical center’s parent organization, Martin Memorial Health Systems (MMHS), launched a full investigation into whether the Health Insurance Portability and Accountability Act (HIPAA) had been violated. Of course, it had. MMHS interviewed more than 50 people during its three-week investigation. The health system eventually disciplined all parties involved but fired no one.

How does this case differ from other, higher-profile cases involving HIPAA violations? Hospital personnel did not violate privacy regulations by intentionally entering some famous patient’s medical record to take a gander at its contents, nor were the HIPAA violators doctors who innocently exchanged the patient’s protected health information (PHI) on Facebook to consult on a diagnosis. These violators were students, not even ED personnel. They were outsiders who happened to be present in the ED at the time. Yet MMHS was still responsible for the PHI disclosure violation.

Can such an incident happen on a smaller scale - say, in your private practice? Absolutely. Could your practice survive such an investigation, especially if you ultimately receive stiff fines or lose your privileges at a hospital where you practice medicine? Probably not.

But you can take action to leverage social media in your practice without running afoul of HIPAA and hospital PHI policies. Here’s how:

Get to know the sites. Daniel Shay, J.D., who practices law with Alice G. Gosfield and Associates in Philadelphia, says that physicians need to take the time to familiarize themselves with how the various social media websites operate to better understand and explain the dangers to their staff.

“If you don’t have a Facebook or Twitter account, sit down with your child and ask him or her, ‘What’s this all about?’” he says. “If you’re going to be developing a social media strategy, you need to get on a social media site and figure out how it all works.”

Mr. Shay, who primarily focuses on physician representation, fraud and abuse compliance, Medicare Part B reimbursement, and HIPAA compliance from the physician perspective, notes how easily and quickly PHI can get disseminated on the social media site Twitter. When members receive a message (a “tweet”) from someone they follow, they can instantly “retweet” it to all of their followers, thus spreading the information exponentially.

“These are things worth taking into account when you’re developing a social media strategy,” Mr. Shay says. “Understanding the nature of social media itself is a good starting point.”

Remove identifying information. “Using social media is like riding a hospital elevator,” says Bradley H. Crotty, M.D., F.A.C.P., a fellow at the Harvard Combined Program in General Medicine at Beth Israel Deaconess Medical Center, Boston. “There’s no control over who hears the information you might share with another physician, or its context.”

In addition, information travels rapidly - and largely permanently - once it has been posted to the Web. It’s critical that you remove as many identifying details as possible when openly discussing cases.

“It’s best for patients and doctors not to collaborate on medical advice or treatment over social media platforms,” he says. “This is an active area with much potential but also many concerns.”

Seek patient consent in advance. “Healthcare providers, physicians, nurses and other medical staff are obligated to not share patient information,” Dr. Crotty says. “While that seems fairly straightforward, it becomes tricky if they want to share how their day’s going with their online social networks or blog about an interesting experience they just had in the office.”

Blogging about the practice and sharing patient data via the Internet or smartphones with other physicians during consults have become fairly standard procedure - so much so, in fact, that if patients were to find out that their information was being shared with strangers, even other physicians, they might react badly to the news.

“Even if one were to withhold identifying information, most people would not appreciate their medical case being discussed on the Internet,” Dr. Crotty says. “In fact, small details such as location, time and narrative may actually expose their identity.”

After removing all identifying information from a communication, a best practice when considering writing about a case online would be to ask the patient, ‘Is it OK to write about this aspect of your case on my blog?’ and obtain the patient’s consent, Dr. Crotty says.

Develop two strategies. Research conducted by the Pew Research Center found that 59 percent of all U.S. adults have used the Internet to research drug or healthcare-related topics. One Pew study, titled “The social life of health information, 2011” by Susannah Fox, associate director of the Pew Internet and American Life Project, states that although patients continue to view health professionals as the first place to turn for answers to their health concerns, they also view online resources and advice from their peers as significant sources of health information.

Therefore, in addition to developing a social media strategy to ensure that your practice doesn’t violate HIPAA, you should develop another strategy to promote, monitor, and protect your “brand.” Thinking in terms of practice branding, however, might not come naturally for you as a physician because your expertise is in medicine, not marketing.

But from a branding perspective, “Social media holds tremendous promise in healthcare,” Dr. Crotty says. “Patients live in homes and communities, not in their doctors’ offices.”

Social media, he says, offer you new and creative ways to engage with patients. Today’s practices can use social media to curate patient resources or tweet announcements about practice closures. Patients can opt in to follow doctors and practices online and even interact directly with their physicians. This ability can be an effective use of social media - but Dr. Crotty advises restraint.

“Cultivating a professional social media presence or even a professional home page that contains just your biographic and contact information will meet the needs of most patients who are searching for your information online,” he says.

Establish ‘dual citizenship.’ Dr. Crotty suggests that doctors cultivate a Web identity/presence for their patients to see and visit, but he advises doctors to develop and maintain online “dual citizenships” containing both a public/professional identity and a restricted/private identity. He further suggests that physicians maximize their privacy settings around their personal information.

“The goal is to publicly project a professional identity for patients while also being able to participate in social media with friends and family in a less public way,” he says.

It’s awkward for physicians to receive friend requests on Facebook, for instance, so “adjusting privacy settings for personal profiles is a good first step toward ‘dual citizenship,’” he explains.

Have a policy in place. Have formal PHI policies in place to communicate to staff members the importance of their actions in this area, Mr. Shay says. PHI policies should include clear guidelines and repercussions for violating them.

“Hopefully, educating your staff about HIPAA will prevent this from happening,” Mr. Shay says. “But if and when an improper disclosure does happen, you need to have policy in place that determines how you’ll proceed.”

Manage staff usage. Learn whether and how your staff members use social media, because knowing that information can help you create effective policy, Mr. Shay says.

“You can set your network to block certain popular websites, making it impossible for your office computers to access those,” he says. “That’s not going to stop smartphones, though.”

Another point worth examining is how smartphones are used in your practice. It’s not enough to just have a social media policy for your practice’s computers; you need a smartphone policy as well.

“If you don’t ban their use altogether, staff should be told that if they use their smartphones to check their email, take pictures or send chats while at work, they need to keep their HIPAA training in mind,” Mr. Shay says, noting that the newest smartphones include cameras with such high resolutions that staff members and caregivers can easily snap photos that inadvertently include highly readable PHI.

“It’s one thing if they take pictures and delete them a few minutes later,” Mr. Shay says. “The mere taking of pictures isn’t the problem as much as is the pictures’ content and where they go.”

Some practices take digital photos to include in their patients’ electronic record, which is fine and within the bounds of HIPAA. “But if someone takes one of those photos and posts it on Facebook, (then he or she is) likely violating HIPAA,” Mr. Shay says.

It’s futile to try to prevent your office personnel from ever using their computers or other devices for anything other than work-related activities, Mr. Shay says. Staff members may check email and visit social media sites, so the question becomes: If they are doing so, how do you ensure that they don’t use social media in a way that discloses PHI and violates HIPAA?

You can accomplish this by educating them on the relationship between HIPAA and social media, Mr. Shay says.

“Remind them that any information that identifies patients - whether it’s a name, a photograph, a description of unique symptoms perhaps accompanied by other bits of patient information - all of that can be PHI,” he adds.

For instance, if a staff member connects with someone outside of the office on Facebook, complains about a patient, and mentions details about that patient, he or she might be violating HIPAA, Mr. Shay says.

Or suppose you decide to photograph yourself at work and the camera happens to catch in the background a clear shot of a patient’s electronic health record file on a computer screen. “If that screen is displaying PHI and you upload it to the Internet, that’s potentially a HIPAA disclosure as well,” he says. “So it’s important to stress with your staff how easy it is to inadvertently capture and transfer PHI and to reiterate the importance of preventing PHI from getting onto social media websites.”

Don’t forget online forums. Staff members aren’t the only medical personnel needing ongoing social media training. You also can disclose PHI through social media sites such as LinkedIn, which focuses mainly on professionals and which features online healthcare-related forums and groups in which providers can interact with one another.

These online forums are popular gathering spots for all kinds of professionals who commiserate over the challenges and difficulties of their work. What distinguishes healthcare from other professions - and where medical professionals can get into such trouble - is the sensitivity of the information they discuss and the privacy laws intended to prevent such sharing of PHI in public. It’s critical that you and your staff remember to enforce HIPAA and to protect patient privacy in these forums, Mr. Shay says.

“Both online and offline, you need to be careful about this kind of stuff,” he says. “You could be sitting at a bar discussing your day with another physician and inadvertently identify a patient.”

Keep it quiet. HIPAA allows you to exchange PHI with another doctor for treatment purposes. “If you’re sharing PHI on a patient with another physician who’s also treating that patient, you’re allowed to disclose that information. That’s not a HIPAA violation,” Mr. Shay says. “The mere fact that you exchanged that information electronically doesn’t make that an improper disclosure in a social media setting.”

If, however, you’re inadvertently overheard by someone who shouldn’t be receiving the information, that’s almost as bad as posting it online. “That overheard discussion might not go any further, but it’s still a disclosure,” he says.