Social media and patient privacy lessons ripped from the headlines

Social media is dangerous and will cost institutions millions to manage and be sued over. What is to stop a nurse or doctor from innocently posting something that happened in a hospital or their practice on social media just to tell his family and friends? In the past, it was spoken at the dinner table (possibly) and rarely went beyond the house. Now any innocent or not so innocent breach of information is immediately transported around the world to billions of people. And what of the data? What is private information? Is posting “a patient had a smelly body in my office today” or describing a situation that happened and making comments on it – is this private? An invasion of privacy? Only the lawyers will decide and today when you can sue for anything and get money from it – I would be very worried – heck I would be scared. Hence my suggestion to medical institutions – STAY OFF SOCIAL MEDIA – you cannot control it nor can you control people.

You can’t make this stuff up. Sometimes, the greatest lessons come straight from the headlines.

FierceHealthcare readers often write in with questions about patient privacy in the evolving world of social media. That includes our Fierce editors, who have questions of their own about the increasingly gray areas of what’s right and legal.

With that in mind, FierceHealthcare examined what hospitals are doing to ensure patient information stays safe, especially as they and their patients use social media even more.

Notorious cases of patient privacy violations via social media

Remember these scandals in recent history?

> A certified nursing assistant at Kindred Transitional Care and Rehabilitation in Indiana took a photo of a paraplegic’s butt after he had a bowel movement and posted it to Facebook in May 2011, telling her coworker, “This is too funny. I need to take a picture of this,” RTV6, an ABC affiliate, previously reported. The medical facility fired her, and the nursing assistant faced a voyeurism charge.

> A physician at Westerly Hospital in Rhode Island recounted her emergency room experiences on Facebook in April 2011. Although the doctor didn’t include the patient’s name, she included enough detail about the patient’s injuries that a third party was able to identify the patient. The incident led to a guilty charge of unprofessional conduct and a $500 fine by the state medical board.

> Emergency nurses and staff from St. Mary’s Medical Center in California posted a photo on Facebook of a stab victim, who died soon after the photo was taken, the Los Angeles Times reported in April 2010. Coworkers, as required, reported the event. The involved staff members were fired or disciplined, the Associated Press reported.

> Hospital employees at Tri City Medical Center in California in June 2010 allegedly used Facebook to discuss patients. Six registered nurses at the hospital were put on administrative leave, North County Times reported.

> At Providence Holy Cross Medical Center in California, an employee in December 2011 posted a picture of a patient’s medical record on his Facebook account, apparently to make fun of the woman, according to the Daily News of Los Angeles. He wrote, “Funny, but this patient came in to cure her VD and get birth control.” When others scolded the employee, he responded, “People, it’s just Facebook. … It’s just a name out of millions and millions of names. If some people can’t appreciate my humor, then tough. And if you don’t like it, too bad because it’s my wall, and I’ll post what I want to.”

Who’s responsible to protect health information under HIPAA and HITECH?

One of the biggest lessons from recent cases is that patient information can be very broad.

The Health Insurance Portability and Accountability Act of 1996, better known as HIPAA, and the Health Information Technology for Economic and Clinical Health (HITECH) Act are patient privacy rules under which covered entities must secure protected health information (PHI).

What’s PHI? “Basically anything used to identify a patient,” Tatiana Melnik, an associate at Dickinson Wright in Ann Arbor, Mich., told FierceHealthcare. PHI can be patient names, photos of their faces or even tattoos, as well as medical conditions or location.

And who’s responsible for protecting that information? “Covered entities,” which can be hospitals, physicians, nurses, health plans or business partners that handle PHI.

“People don’t seem to understand that posting that kind of information is, in fact, a breach because they think ‘I’m one of millions. It’s very difficult to find out where I am,’ where in fact, that’s not the case,” Melnik noted. “It’s much easier than people think to find out who someone is.”

And there are some rogue employees. “Sometimes, the person knows it’s wrong, and they’re doing it anyway,” Melnik noted.

Good intentions can spell trouble

Even well-intentioned providers may inadvertently violate HIPAA and HITECH. For instance, if a care coordinator who is friends with a patient on Facebook notices that her patient lost some weight and congratulates her by commenting, “I hope your diabetes has improved” without the patient mentioning her condition first, that could be a breach.

“That kind of thing, it’s very easy to make because you think you’re being friendly, and there’s no malice intended … but it’s still a breach,” Melnik said. She added that a best practice is for providers to avoid “friending” patients, although she acknowledged that’s harder to do in smaller communities.

One of the most common social media fumbles is patients posting about other patients. Although it’s not a breach of HIPAA or HITECH (because patients aren’t considered “covered entities”), the hospital still has a responsibility under state law to protect patients.

For instance, if a patient wants to compliment his nurse by posting a photo, the picture could have the name of another patient’s medication in the background. Remind patients that photography must go through the public relations department. Also consider posting no-cellphone notices in the hospital.

Have a social media policy and train employees on it

The best way to spell out guidelines for employees is, of course, by having a social media policy.

But there’s no need to reinvent the wheel. The social media policy need not be different than your existing policy on patient privacy, Melnik explained. The hospital can have a social media-specific policy if it likes.

At the same time, you want to make sure you are allowing your employees to freely discuss working conditions in their personal lives.

“You want to make sure you’re not overstepping boundaries,” Melnik said.

She advised hospitals look to the National Labor Relations Board’s social media policy as an example, as well as other hospitals’ social media policies.

And even more importantly, once you have that social media policy in place, be absolutely sure to train employees.

“It’s really important to make sure employees are trained. It’s actually much worse to have a policy and not enforce it,” Melnik said, adding that hospitals could be held liable for having a policy and ignoring it.

Know and set the consequences

In some cases, a social media PHI breach might not call for an immediate employee termination. For instance, if the care coordinator let the patient take a photo of another patient’s medication, it’s up to the hospital’s discretion how hard a line it wants to draw.

“It doesn’t have to be, ‘Well you violated it, and you’re automatically terminated.’ You can absolutely have flexibility and analyze what happened,” Melnik noted.

But some hospitals do automatically terminate employees because the risk is too great.

Check business agreements

Equally important to informing employees of the social media policy is letting business partners know. Business partners and contractors also are considered “covered entities”–from the electronic health record vendor to the company that services the photo copier and handles PHI.

“Err on the side of having them sign a business associate agreement” for anyone that has access to patient information, Melnik said.

In the agreement, make sure to spell out notification requirements so the hospital has time to investigate and report. Covered entities are required to report a breach of more than 500 affected individuals within 60 days.

“That clock starts running as soon as someone in your organization knew or should have known by conducting reasonable diligence,” Melnik said.

Don’t be afraid of social media

And finally, the notorious cases of providers behaving badly on social media offer lessons, but HIPAA and HITECH shouldn’t deter hospitals from using social media, which can be a powerful tool.

“There are all kinds of services and educational things that hospitals can provide through using social media that could be very helpful to the community and increase their profile at the same time,” Melnik said.

Patients choose hospitals based on social media

With one-third of consumers using social media for seeking or sharing medical information, 41 percent say tools like Facebook, Twitter, YouTube and online forums influence their choice of a specific hospital, medical facility or doctor, according to Tuesday’s report from consulting firm PwC.

In a survey of more than a thousand consumers, more than two-fifths of individuals said social media did affect their choice of a provider or organization. Forty-five percent said it would affect their decision to get a second opinion; 34 percent said it would influence their decision about taking a certain medication and 32 percent said it would affect their choice of a health insurance plan.

The PwC report follows a study last summer by hospital market research firm YouGov Healthcare, which found that 57 percent of consumers said a hospital’s social media connections would strongly affect their decision to receive treatment at that facility.

Following the release of the study, YouGov Healthcare Managing Director Jane Donohue told FierceHealthcare, “We were surprised that consumers were going to review sites and blogs as often as they are going to the official hospital sites.” She added, “Clearly, any successful social media strategy is going to have to monitor and engage those [review site] conversations because you don’t control them. With your own content on Facebook and Twitter, you have a lot of control, but you certainly need to be engaged in those conversations.”

However, as one reader noted on the story, “This is the kind of research that ends up misleading healthcare managers to go down a strategic path to nowhere. … Social media is a valuable and growing tool for communication, but it is nowhere near the usage deciding factor.”

Even if the studies overestimate social media’s impact on consumer behavior, other experts say it goes beyond marketing.

“Savvy adopters are viewing social media as a business strategy, not just a marketing tool,” Kelly Barnes, US Health Industries leader of PwC, said in a company announcement.

Farris Timimi, medical director for the Mayo Clinic Center for Social Media, said social media in healthcare is a “moral obligation,” at the ninth annual World Health Care Congress in National Harbor, Md., on Monday, FierceHealthIT reported.

“Our patients are there. Our moral obligation is to meet them where they’re at and give them the information they need so they can seek recovery,” Timimi said. “This is not marketing; this is the right thing to do.”

Who’s responsible for protecting patient privacy on social media?

Picture this: A patient videotapes another patient, who is drunk in the trauma center. The staff doesn’t notice. The hospital’s media relations department later stumbles across the footage on YouTube. Although the video portrays the staff members in a very good light, caring for the intoxicated man, the patient’s likely embarrassing event has gone public.

This scenario played out in real life at a Lifespan hospital in Rhode Island and was the topic of discussion on a thought-provoking Hospital Impact blog post last week by Nancy Cawley Jean, senior media relations officer of social media at Lifespan.

Jean explained that the hospital contacted Google to pull the video, although unsuccessfully, when YouTube’s parent company said it wouldn’t remove the video because it didn’t violate its user agreement. The hospital also called local police, who said they couldn’t help. The video still lives online.

Boy, did the article generate some heat! Readers were fired up about “freedom of the press” just as much as patient privacy, some arguing the hospital had no right to try to censor the video, while others said it did the right thing. Here are some of the comments readers had:

“Unless the person taking the video was a hospital employee, he/she has no duty to protect the privacy of the patient.”

“How exactly do you expect [staff]–who are busy saving lives by the way–to notice some idiot with a cell phone, uploading this crap?”

“As a health worker, your first line of responsibility is the patient and protecting their safety and their privacy.”

The situation Jean described proved that patient privacy in the social media age is an evolving issue and hospitals need to get ahead of it. Was the patient’s privacy breached? Is the hospital responsible?

In short, it’s not likely a HIPAA or HITECH violation.

“While what happened is very disconcerting, it is not likely a HIPAA breach because the activity was carried out by an individual,” Tatiana Melnik, an associate at Dickinson Wright in Ann Arbor, Mich., told FierceHealthcare.

Because HIPAA and HITECH are directly aimed at healthcare providers (i.e., covered entities), as well as their business associates and subcontractors, the regulations don’t cover patient-produced content. But–and it’s a big BUT–that doesn’t mean the hospital is off the hook. For situations like these (and it depends on the specific circumstances), the hospital and the person who took the video could still be held liable under state laws on emotional distress, invasion of privacy and negligence, Melnik explained.

The hospital already has a systemwide policy that says photographing and videotaping must go through media relations. The only exception is practitioners taking photos of patients for documentation purposes, in which the patient signs an agreement at admission time, Jean told FierceHealthcare.

“Our security department is vigilant in identifying anyone taking a photo or videotaping and has often notified the media relations team at all times of day or night to manage a situation involving photos or videos on campus [that are] not approved,” Jean said. But as this situation demonstrated, some photographers and social media-happy people slid by.

How should hospitals handle those situations?

“We deal with each on a case-by-case basis. Some situations have involved calling the police,” Jean said.

Readers of the blog post went as far as to recommend banning smartphones altogether.

“There used to be a time when we were asked to turn off mobile phones in hospitals. This was because of the interference it could cause to the equipment. While this may or may not be true, why not reintroduce this rule?”

“Perhaps the hospital should develop some new privacy policies, by which no one is allowed to bring cell phones in or they will be confiscated, or people should be searched prior to entering the hospital, like in the airports.”

Well, as for Jean, she said the YouTube video holds some tough lessons.

In addition to the existing photography policy, Jean said the hospital is developing some new privacy policies, specific to patients and visitors using smartphones to take pictures and video, which will likely result in signage about the inappropriate use of personal devices for recording.

“We have learned that it’s vital to catch these things while they are happening, and not after they are posted because it is near impossible to have a video taken down if the one who posted it is not willing to do so,” Jean said. “I believe it’s an important message for staff to be more aware of what patients and visitors are doing, and they should feel empowered to ask people to turn off and put away phones and not take pictures or videos.”

Jean also said it’s important to constantly monitor what’s being said about the hospital, which she does through Google Alerts.

“Even if you aren’t talking about yourself in the social media world, you can be sure that others are,” she wrote.