News Stay informed about the latest enterprise technology news and product updates.

Report offers guidance for creating health care social media policy

A lot goes into a health care social media policy, from HIPAA regulations to staff Internet use. An Ohio State Medical Association report offers providers much-needed guidance.

The right to express yourself on a social networking page does not mean freedom from consequences.

Thus begins a detailed health care social media policy template for physicians running solo or small group practices published by the Ohio State Medical Association (OSMA), which represents 20,000 physicians, residents, students and practice managers. IT leaders at larger health care facilities charged with writing or updating their facility's social media policy should look to it for inspiration, too.

The association created the guidance document in response to member inquiries, said Nancy Gillette, OSMA's general counsel. The policy does not tell health care providers to avoid social media. Instead, she said, social media is a way for physicians to keep in touch with patients, some of whom are using such sites as Facebook more than they use email or more traditional means of communication.

The Health Insurance Portability and Accountability Act of 1996, or HIPAA, "doesn't necessarily prevent you from using social media," Gillette said. "It's a question of thinking about how you're going to use it before you just rush off." (It should be noted that HIPAA predated most social networking sites and software by almost a decade.)

The thrust of the OSMA report, then, is that providers should think about what and where their employees are posting in social media or other electronic media, how their posting represents the practice, and whether or not it can create potential HIPAA violations. This goes for employees' personal communications, as well as the content of blogs and online marketing materials -- websites, Facebook pages and YouTube videos, to name a few -- created on behalf of your organization.

Secondarily, when it comes to communicating with patients online through cell phone texts, email, instant messaging, Facebook posts or other social media messages, physicians need to stop and think about two things:

•   Even though it may seem that the provider is just offering informal advice, is this a communication that more correctly represents a formal doctor-patient interaction?

•   Should this interaction really be part of an electronic health record (EHR)?

While the informality of some sites might make physicians feel as though they are giving friendly advice -- as they would when they run into a friend at the grocery store -- a social media policy helps a health care provider set and follow more appropriately formal practices, Gillette said.

For example, one physician Gillette heard present on the topic sees teenage patients who use Facebook messaging in place of email, she said. That physician thinks of these messages as she would incoming emails, Gillette added. Instead of answering questions directly using Facebook messaging, the physician tells patients to call her office -- thus setting in motion the traditional EHR documentation process.

Even without social media, it can be very easy to cross the line between what's allowed and what's not allowed.

Nancy Gillette, general counsel, Ohio State Medical Association

The OSMA guidance and's interview with Gillette provided four additional pieces of advice for IT leaders writing a health care social media policy.

•   Personal Internet use at your office happens. A social media policy should lay out how much will be allowed and how infractions, such as visits to objectionable sites, will be dealt with. Make privacy and monitoring policies clear so employees know what to expect.

•   Watch who endorses you. Employees are free to comment at "rate your practice" sites, but if they don't disclose their identities, they could be violating Federal Trade Commission guidelines for testimonials and endorsements.

•   Develop policies that keep HIPAA in mind. Messages on such sites as Facebook and Twitter offer an illusion of confidentiality, but employees need to understand what they can share with friends. Something as innocuous as cell phone pictures an employee takes in the office and posts to personal social media pages can amount to a HIPAA data breach.

•   Check with your malpractice insurer to understand your liabilities with social media use. If someone files a suit against you claiming emotional distress -- a "fairly common claim in social media suits," according to OSMA -- are you covered?

"Privacy concerns are the greatest," Gillette said. "Even without social media, it can be very easy to cross the line [between] what's allowed and what's not. When you take it to a format where the publication of thoughts or remarks [is] so instantaneous, it's really important to take a step back and think about how it should be used."

Let us know what you think about the story; email Don Fluckinger, Features Writer.

Next Steps

Mayo Clinic helps others develop social media strategy

Social media may not be a revolution, but it's in your enterprise

Dig Deeper on Electronic health records privacy compliance

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.