Health care social media is emerging as a preferred method of communication between some patients -- especially younger ones -- and their providers, but without privacy and security plans in place, the use of such tools might make doctors and hospitals run afoul of federal compliance laws.
Public sites such as Facebook, Google Groups, LinkedIn, Twitter and blogging sites carry with them many potential HIPAA compliance problems, despite their upside to potentially drive patient engagement, one of the overarching themes of meaningful use stage 2.
Are you prepared for HIPAA audits?
How the HITECH Act changes HIPAA compliance
Emerging mobile health impacts HIPAA privacy, security mandates
How do you know if business associates are HIPAA compliant? Answer this, and other HIPAA questions on the Health IT Exchange.
Yet despite its risks, social media can create that necessary patient engagement in the form of patient support groups, direct patient messaging of practitioners and marketing opportunities, said Jim Sheldon-Dean, principal for Charlotte, Vt.-based consultancy Lewis Creek Systems in a webinar sponsored by compliance vendor MetricStream.
Furthermore, HIPAA requires practitioners to make a best effort in respecting their patients' preferences for communication, so it's important to at least consider using these channels.
Using these tools can be complicated by the potential for HIPAA audits under a program recently launched by the HHS Office of Civil Rights (OCR). The bottom line? If you're a health care provider sticking your toe in the social media pool, manage all these compliance matters by creating policies that can stand up to the auditors' scrutiny.
"Are you able to withstand an audit if the feds decide it's time?" said Sheldon-Dean, who added that HIPAA audits typically come with a three-week notice, which isn't enough time to craft a social media policy and execute it. That means health care providers need to start creating policies now. "Can you justify what you're doing, are you prepared to say, 'Yes, [we were] in compliance as we did this, we knew what we were doing, and what we're doing is compliant practice.' You have to be able to defend yourself."
Sheldon-Dean offered some best practice ideas for physician offices and hospitals to organize their approach to social media health care -- and write a policy with HIPAA compliance in mind:
- Define your purpose for using social media, and assign roles to employees for marketing, patient interaction and professional support. Employees who are not assigned social media roles should understand they are not authorized to unilaterally represent the organization on social media sites. How will your organization handle breaking news, and who will do it? Write it into your policy.
- If social media is used for any treatment purposes, devise a mechanism to track use of patient data and retain it in the patient's medical record.
- All employees should understand in the policy what is appropriate and inappropriate sharing of protected health information. While that might be obvious for many cases (don't share patient information on personal sites), define appropriateness for less-obvious cases (such as physician-to-physician consults).
- Spell out in your policy when it is and isn't appropriate to use social media for treatment purposes -- and create an approval process for doing so (i.e., staffers should not be allowed to use their judgment and do it on their own, but instead they need to vet it through a HIPAA-conversant authority who approves). After that, put in place a monitoring process to track and retain the treatment process.
- Make social media channels part of your HIPAA risk analysis. Accepting reasonable risks for the use of social media is fine; justify it in the documentation. Prepare an action plan in case of breaches.
- Written policies should be concise, cover general categories of content such as blogs and wikis, define the difference between personal use and business activity, define responsibilities for official representatives of your organization, and provide examples of dos and don'ts.
- Once the policy is in place, establish regular reviews and update it. Train employees on it, don't just hand it out. Finally, document the evolution of the social media policy -- its updates, the whys behind them, and how staffers were alerted to those updates.