The tricky part for health care providers will be combining technology and written policies in such a way as to enable HIPAA compliance while opening up contact between patients and the caregivers who treat them, the Harlow Group principal said in a presentation at the New England Regional Annual Conference for the Health Care Compliance Association.
"I'm here to tell you: You can use social media and remain on the right side of the law -- the question is, how?" said Harlow, who also is an attorney. "You need to think clearly about your goals…and how you can leverage these tools to achieve some of these goals."
Harlow offered several tips and cautions to conference-goers, whether they're planning a social media strategy or already count themselves among the ranks of health care social media users.
Set expectations. Unless your organization sets goals on how social media use will further its health care mission (alerting patients on Twitter about health risks, marketing on Facebook, etc.), it will be a me-too proposition and will look that way to the patient community.
Don't reinvent the wheel. Study principles from other health care social media policy documents, such as the American Medical Association's Professionalism in the Use of Social Media and the Department of Veterans Affairs' Use of Web-based Collaboration Technologies.
Look beyond legal. Don't just have the privacy officer pen the policy. Promote buy-in by getting 20-somethings who use social media sites as well as senior management involved in reviewing and refining it. The policy should cover not just how the organization will use social media to accomplish its goals. It should also provide guidance for what employees should and shouldn't do on their personal social media accounts -- for example, don't talk about patients, because it's easy to inadvertently let slip HIPAA-protected data, and there are consequences for doing that.
Be prepared. Update your health care social media policy every year at least. Harlow recommends six-month intervals -- social media's evolving that quickly.
Define what to respond to -- and how. Say an employee notices a negative review of your hospital on an independent review site or at another site with which you are not affiliated. Should you respond? Make a policy that sorts it out ahead of time to empower employees to decide -- perhaps using the United States Air Force social media flow chart as a model.
Caution physicians about too much patient interaction. It's easy to step over the ethical and regulatory lines and accidentally practice medicine on social media, or accidentally reveal HIPAA protected data. In one example: Patient X posts "I just tested cancer-free today!" on your hospital's Facebook page. There aren't many responses outside of "Congratulations! And here's a link to our cancer care center…" that don't reveal some point of HIPAA-protected data -- care provider, acknowledgment of specific services, diagnosis and so on.
Even when a patient initiates the conversation and reveals one point of data on a public site, most responses expose your organization to potential violations. This goes double for physician bloggers -- it's difficult to fictionalize stories or write "composite patient" stories that adequately de-identify real-world patients, Harlow said. He recommended against allowing such posts.
Adopt a risk management model to guide social media activity. There are four components to prove negligence in most court cases -- establishing duty of care, breach of that duty, direct cause and harm. Can your health care social media activity pass the "potential negligence" test?
If you might use protected health information, disclose it up front. Sites such as PatientsLikeMe.com are transparent about their revenue model. If you're planning to use PHI, you should be, too, in order to protect yourself against potential litigation.
Unless your organization sets goals on how social media use will further its health care mission, it will be a me-too proposition and will look that way to the patient community.
Show employees how to exercise good judgment. Social media policies should be part of every employee's training, not sitting in a binder on a shelf.
Don't forbid the use of social media sites. A recent National Labor Relations Board report said "overly broad" prohibitions of social media use on the job are illegal. Even if your hospital did have such a policy, Harlow said, it would be too difficult to track smartphone use. It might be a good idea to run this portion of a health care social media policy by hospital counsel.
"Blocks on those sites feel reassuring, and make me feel that things are going to be all right," said Rick King, privacy officer for the Massachusetts Eye and Ear Infirmary, "but I think we have to acknowledge that social media [sites] have become a really important part of the digital landscape. It's not something we can bury our heads in the sand, say it's blocked and not worry about it."
Let us know what you think about the story; email Don Fluckinger, Features Writer.