HIPAA and Social Media (Part 2 of 3)

Last week, I explained that I was prompted by recent HIPAA cases in the news to dedicate a 3-part blog series to HIPAA in the context of 2011. In last week’s blog, I focused on some of the recent HIPAA infractions. This week, I discuss HIPAA and Social Media, because with the prevalence of social media today, an examination of HIPAA now would be otherwise incomplete.

1996: let’s think back. It was a leap year. Alanis Morissette won a Grammy. Bill Clinton was re-elected. Ladies wore long floral skirts and chunky heels. HIPAA was enacted. And there was no Facebook.

No Facebook??

Yes, kids, we lived in a world with no Facebook!

When HIPAA was enacted in 1996, email was steadily growing in popularity, but social media sites like Facebook were not even on the horizon. Well, not in most people’s minds, anyway. In the 15 years since, social media arrived and captivated our interest. People now communicate with all kinds of other people via social media — friends, family, colleagues, neighbors, teachers / students, etc. — so why would patients not also communicate with doctors via social media? And why would patients not seek information about healthcare organizations on social media sites — everyone else is engaging in conversation on these sites, so why not healthcare organizations and personnel?

One of the biggest roadblocks is HIPAA. Many healthcare organizations and personnel worry that by using social media, they will violate HIPAA and the safeguards it prescribes for protecting confidential patient information; if patient information is accidentally disclosed via social media, this would mean big HIPAA sanctions (if you don’t believe me, see last week’s blog!).

It’s true, there are risks, but with precautions, healthcare organizations and personnel can reap the benefits of social media (it’s an easy and popular way to disseminate information and have a conversation) while remaining HIPAA compliant.

Really, I see two simple rules for ensuring HIPAA compliance while using social media:

1. NEVER post information about real patients. For the purposes of education, healthcare organizations might want to post information about public health initiatives, best practices, etc. This is fine, and in fact, can be highly beneficial to the community, but the healthcare organization must be sure to never publish information or examples about real patients.

Information about real patients should not even be published in response to patient questions. For instance, if a patient “friends” a doctor on a social media site and subsequently asks a question of the doctor (via “wall post” or private “message”), the doctor should be extremely careful to not offer confidential patient information in the answer. If unsure, the doctor could always request that the patient call or visit to further discuss.

It’s important to note that if a patient (or family member or friend of a patient) posts sensitive data on a social media site, this is perhaps tactless, but it is not a HIPAA violation ;) However, the healthcare organization or personnel should be careful to not respond by further revealing information or by confirming / denying the information that was posted. Also, the healthcare organization or personnel should not edit the post, because once it is touched by an entity that is covered by HIPAA, a HIPAA violation can apply.

In your adventures on the Internet, you may have noticed that some healthcare organizations or doctors DO post information about real patients. For instance, some hospitals post success stories, etc. In such cases, we can assume that written permission has been received from the patients.

2. Beyond never posting sensitive information about real patients, training is key to social media success for entities covered by HIPAA. This means that all personnel who are covered by HIPAA should be made aware of the strict safeguards that protect patient information; it’s important for healthcare personnel to understand that HIPAA rules extend to social media.

Surely, healthcare organizations could benefit from the conversation that occurs on social media sites. I’m confident that with appropriate diligence, HIPAA and Social Media can coexist.

Oh, one last thing: when we think of social media sites, we think of photos, right? It is a good idea for hospitals and other healthcare organizations to post signs stating that photo-taking is not permitted on the premises (and have staff enforce the rule). This way, when photos of the new baby or of Grandma recovering from surgery show up on a social media site (potentially breaking another patient’s privacy rights by accident), the healthcare organization can be confident in the fact that they discouraged this behavior. (Again, HIPAA cannot penalize patients or patients’ family / friends for this behavior.)

Tune in next week for Part 3 of my 3-Part HIPAA Now Series: The Future of HIPAA

– Jane Bolton Lacombe
Jane is the Product Marketing Coordinator at Messaging Architects.