The latest mashup: Health care social media and HIPAA compliance

Experts encourage health care providers to engage in social media, provided that they establish policies to help physicians avoid ethical traps and HIPAA compliance issues.

NEWTON, Mass. -- Healthblawg author David Harlow is so convinced of the power and ubiquity of health care social media that he feels it's only a matter of time before using it will be required as part of accountable care organizations' patient engagement rules -- if it's not already.

The tricky part for health care providers will be combining technology and written policies in such a way as to enable HIPAA compliance while opening up contact between patients and the caregivers who treat them, the Harlow Group principal said in a presentation at the New England Regional Annual Conference for the Health Care Compliance Association.

"I'm here to tell you: You can use social media and remain on the right side of the law -- the question is, how?" said Harlow, who also is an attorney. "You need to think clearly about your goals…and how you can leverage these tools to achieve some of these goals."

Unless your organization sets goals on how social media use will further its health care mission, it will be a me-too proposition and will look that way to the patient community.

Harlow offered several tips and cautions to conference-goers, whether they're planning a social media strategy or already count themselves among the ranks of health care social media users.

Set expectations. Unless your organization sets goals on how social media use will further its health care mission (alerting patients on Twitter about health risks, marketing on Facebook, etc.), it will be a me-too proposition and will look that way to the patient community.

Don't reinvent the wheel. Study principles from other health care social media policy documents, such as the American Medical Association's Professionalism in the Use of Social Media and the Department of Veterans Affairs' Use of Web-based Collaboration Technologies.

Look beyond legal. Don't just have the privacy officer pen the policy. Promote buy-in by getting 20-somethings who use social media sites as well as senior management involved in reviewing and refining it. The policy should cover not just how the organization will use social media to accomplish its goals. It should also provide guidance for what employees should and shouldn't do on their personal social media accounts -- for example, don't talk about patients, because it's easy to inadvertently let slip HIPAA-protected data, and there are consequences for doing that.

Be prepared. Update your health care social media policy every year at least. Harlow recommends six-month intervals -- social media's evolving that quickly.

Define terms of use clearly. If you don't, some patients might do inappropriate things such as request prescription refills in your Facebook comment space. This also gives you permission to delete spam and other off-topic content.

Scrub social media accounts daily. Make sure the organization assigns someone to review comments and posts daily to remove inappropriate material that violates terms of use. This doesn't mean to remove negative comments or "reviews," Harlow said. In fact, when someone complains, try to track him down offline and attempt to solve the issue he's complaining about (such as long emergency department waiting room periods). If you can do that, you might turn an online troll into a brand ambassador for your facility.

Define what to respond to -- and how. Say an employee notices a negative review of your hospital on an independent review site or at another site with which you are not affiliated. Should you respond? Make a policy that sorts it out ahead of time to empower employees to decide -- perhaps using the United States Air Force social media flow chart as a model.

Caution physicians about too much patient interaction. It's easy to step over the ethical and regulatory lines and accidentally practice medicine on social media, or accidentally reveal HIPAA protected data. In one example: Patient X posts "I just tested cancer-free today!" on your hospital's Facebook page. There aren't many responses outside of "Congratulations! And here's a link to our cancer care center…" that don't reveal some point of HIPAA-protected data -- care provider, acknowledgment of specific services, diagnosis and so on.

Even when a patient initiates the conversation and reveals one point of data on a public site, most responses expose your organization to potential violations. This goes double for physician bloggers -- it's difficult to fictionalize stories or write "composite patient" stories that adequately de-identify real-world patients, Harlow said. He recommended against allowing such posts.

Adopt a risk management model to guide social media activity. There are four components to prove negligence in most court cases -- establishing duty of care, breach of that duty, direct cause and harm. Can your health care social media activity pass the "potential negligence" test?

If you might use protected health information, disclose it up front. Sites such as PatientsLikeMe.com are transparent about their revenue model. If you're planning to use PHI, you should be, too, in order to protect yourself against potential litigation.

Show employees how to exercise good judgment. Social media policies should be part of every employee's training, not sitting in a binder on a shelf.

Don't forbid the use of social media sites. A recent National Labor Relations Board report said "overly broad" prohibitions of social media use on the job are illegal. Even if your hospital did have such a policy, Harlow said, it would be too difficult to track smartphone use. It might be a good idea to run this portion of a health care social media policy by hospital counsel.

"Blocks on those sites feel reassuring, and make me feel that things are going to be all right," said Rick King, privacy officer for the Massachusetts Eye and Ear Infirmary, "but I think we have to acknowledge that social media [sites] have become a really important part of the digital landscape. It's not something we can bury our heads in the sand, say it's blocked and not worry about it."

Let us know what you think about the story; email Don Fluckinger, Features Writer.

This Content Component encountered an error

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

-ADS BY GOOGLE

SearchCompliance

SearchCIO

SearchCloudComputing

SearchMobileComputing

SearchSecurity

SearchStorage

Close