This conference season has already been a busy one: I organized HealthCamp Boston 2012, which was an exciting one-day unconference that took place right before Medicine 2.0, where I spoke. I hope that local HealthCamp attendees can keep in touch, and maybe this time around we won't wait three years for the next HealthCamp Boston. Unfortunately, I couldn't make it to Medicine X or Health 2.0 on the left coast this year, but I hope to see some of you in Boston at the Connected Health Symposium later in October.
Here are some of my upcoming speaking engagements:
The Effect of ACOs on the Health Care and HIT Ecosystems
Let's Talk HIT Speaker Series Scratch Marketing + Media
Cambridge, MA
October 18, 2012
An informal presentation and discussion - join us if you are local.
Having completed an initial 20 HIPAA privacy and security compliance audits since last fall, and with 95 additional audits in the pipeline, OCR has just released its HIPAA privacy and security audit protocol, together with information about the audit pilot program. As always, information like this is extremely valuable to the regulated community. Covered entities and business associates should avail themselves of the information contained in the audit protocol and related materials so that they may prepare themselves for the eventuality of an audit or investigation -- whether as part of the current audit plan or otherwise -- and focus their compliance efforts.
From the OCR website:
The OCR HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate. OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification. The combination of these multiple requirements may vary based on the type of covered entity selected for review.
The audit protocol covers Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
The protocol covers Security Rule requirements for administrative, physical, and technical safeguards.
The protocol covers requirements for the Breach Notification Rule.
OCR reported on the first 20 audits it conducted as well:
Facebook has announced a new box you can check off on your profile: organ donor. (It's available in the US & UK so far, for a total of almost 200 million members; more countries in the works.)
What does this mean and why should you care?
At bottom, this means that Facebook is adding yet another data point to the myriad bits and bytes it already has on so many of us (What's your birth date? Have you ever broken a bone? etc.), which it slices and dices in order to target ads and sell to third parties (and flog news of its upcoming IPO). Checking off the organ donor box on Facebook doesn't make you an organ donor (you need to register with your state DMV), but serving up easy links to organ donation registration sites and motivating registration by showing that friends have registered (or at least checked the box) -- i.e., "norming," in the parlance of BJ Fogg, as quoted in the NY Times piece linked to above -- is likely to increase donor registration, and to increase family awareness of the choice at (or, preferably, before) the time when family members are called upon to carry out the wishes of a donor.
If you are spooked by the idea of Facebook having this information about you, I would ask whether you make your birth date visible on Facebook. I don't; revealing birth date makes identity theft that much easier, and I'm more spooked by that possibility than by the prospect of everyone on Facebook knowing my organ donor status. I am not concerned (as some are) about someone making the decision to treat me as nothing more than a vessel for donated organs, and I think that it should be possible to strike a balance between a good death and preserving organs for transplant.
Anything we can do to legitimately increase the supply of organs for donation is a good thing -- too many people languish and die while waiting for an organ. My problem with this solution is that it is as much about Facebook as it is about organ donation. While I would expect donor numbers to go up as a result of this initiative, the numbers are not likely to be too significant, because implementing the choice to donate organs requires doing more than clicking something on Facebook -- it requires going through all the steps necessary to memorialize an organ donation in the real world.
I would like to see Facebook using its muscle to lobby for a presumed consent law -- meaning that in the absence of formal directives to the contrary, the presumption should be that a person has consented to organ donation at the appropriate time, reversing the presumption now in effect in this country. The company has taken an interesting first step, and it will be interesting to see if it pursues this issue beyond the limits of its own pages and monetization strategy.
Welcome to the latest edition of the HealthCare SocialMedia Review, the blog carnival that's all about health care social media. Today we take a look at some of the privacy and security issues relevant to the medium, and at some other current and topical posts from around the blogosphere. But first, pour yourself another cup of coffee, put your feet up, and have a listen to a lighthearted ode to an emblem of secrecy from an earlier age:
Tell some folks you have a secret, and they'll be all over you, cajoling it out of you.
When my late grandmother was an irrepressible little old lady in her late 90s, she would chat people up wherever she met them, and folks would invariably ask her how old she was. She would smile and respond: "Can you keep a secret?" As her next victim leaned in, nodding his or her head, she'd let loose the zinger: "So can I."
Responsible users of health care social media understand that a juicy anecdote can make a point far more effectively than a dry textbook recitation of facts and figures, but we also appreciate the need to make sure, sometimes, that "the names have been changed to protect the innocent," the need to keep some things secret. This imperative exists in a relationship of dynamic tension with the need to share information in order to promote better understanding of disease and health at both the individual and population level. Neither is an absolute; both need to be observed, and each has its exceptions. Welcome to the exciting world of health care social media!
Last week marked the first edition of the TEDMED conference in its new home, and one of the TEDMED talks highlighted this tension by essentially posing the question: Would you join the Facebook of medicine? Leslie Saxon wants to "get 8 billion heartbeats on speed dial" via everyheartbeat.org, bringing the Quantified Self movement to everyone, and her message was heard loud and clear across the pond by 3G Doctor, who blogged about her talk.
Mark Browne has another take on the QS approach, and the way in which patients may need to be engaged in their health care, inspired by a Google Street View car sighting. (Let's assume the Google Street View car isn't listening in on patient data transmissions, though.)
Regina Holliday was at TEDMED too, sharing the action through her painting, and she gives voice to her art on her blog; a painting of hers from this conference is explicated through a post about spit. (Disclosure: The HealthBlawger is a member of The Walking Gallery.)
It's nice to see a new generation grappling with the issues raised by the use of social media in medicine. Medical student Emily Lu has a post up at KevinMD.com on the ethics of social media use in medicine -- she offers more questions than answers, but the questions are key ones that demand our attention. As we work towards answering these questions for a new generation, an older generation (not that old), in the person of Bryan Vartabedian, says that when it comes to doctors and social media, the sky is not about to fall anytime soon.
Physicians and patients are often the focus of discussions about health care social media, but other health care professionals are, of course, using these tools as well. Barbara Ficarra highlights their use by nurses, and calls attention to a nursing tweetchat (#APRNchat ... not to be confused with #RNchat).
Most of you have probably heard of Pinterest by now, and maybe some of you are using this platform. Marie Ennis O'Connor points out the good and the bad, and suggests (man, I love having a non-lawyer say this) actually reading the Terms of Service.
For anyone considering dipping a toe in the health care social media waters, a top-of-mind question is always: Is it worth the time and effort? At Walking the Path, Fard Johnmar suggests that ROI isn't the right metric, and that there are other ways to measure the full economic benefits of digital health content.
Pharma has a continuing love-hate relationship with social media, and last week, Boehringer US posted social media guidance for employees -- on YouTube. Kinda cheesy feel to it, IMHO, but it distills it all down to four points: (1) You are responsible for your behavior, (2) Understand the tools, (3) Think about your audience and (4) You are our eyes, ears, and voice.
If we're looking for succinct, accessible policy statements on the use of health care social media, then personally, I prefer the 12-word social media policy of Dr. Farris Timimi, Medical Director of the Mayo Clinic Center for Social Media (disclosure: I'm on the Center's advisory board):
Responding in part to the FDA's issuance of incredibly limited social media guidelines, Laurie Gelb offers some thoughts on a way forward for pharma and social media on The Health Care Blog.
While we're on the subject of social media guidelines, be sure to check out the HIMSS social media workgroup white paper posted on the HIMSS blog with a call for comments and a nod to Lee Aase, Director of the MCCSM.
Aside from the do's and don'ts, U.S. health care organizations need more work in the whys and wherefores department. A recent study shows that in the US of A, health care organizations use social media mostly for marketing, unlike their counterparts in a number of other countries, where use is more focused on communication -- among providers or otherwise. (Of course, our market-based health care economy may have just a little bit to do with that focus, no?)
Speaking of the market ... "Free" is never really free, and we pay for some online tools by exposing ourselves to ads. Context-sensitive ads based on health content are cause for concern over at David Williams' Health Business Blog. This brings to mind the new Google privacy policy, which says the 'plex has a hands-off policy when it comes to "sensitive personal information," including "confidential medical facts" (gosh, did a lawyer write this policy?) -- but we've seen this movie too, in an earlier NY Times piece about Target and, well, targeting.
Finally, please consider the relationship between the government and social media tools. Just as social media has lowered barriers, geographic and otherwise, between physician and patient, and among collaborators, so, too, has it lowered barriers to engagement with those elected and appointed to serve in our nation's capital. Let's examine the activity related to Federal stimulus dollars focused on health care, as an example. First, the government, in the form of ONC, is blogging about state health information exchange grantees taking part in the ONC consumer innovation challenge. (See more about the ONC and consumer/patient engagement courtesy of Nikolai Kirienko.) Second, there are numerous tools to use in analyzing the proposed regulations on Stage 2 of Meaningful Use of Electronic Health Records (e.g., bookmarked regs and comparison chart shared socially) as well as exhortations to comment on the proposed regs (you may sample a few courtesy of Dave Chase, Brian Ahier and Project Health Design), tools to use in commenting officially and unofficially, and tools to be used in aggregating comments so that they may be filed officially (hat tip to Nate Osit), which have been shared socially. This is so very different from the bad old days of the Pony Express, which is what we used to communicate with Washington when I was starting out in practice. (Not really. Just checking to see if you're still awake.)
Gentle reader: You did it! This is the end of the line. Thanks for riding with us this week on the HCSMReview Express. In the immortal words of Michael Dukakis, speaking about the run for the White House (not about enduring this lengthy edition of HCSMR), It's like running the Marathon (and yes, the Boston Marathon runners did wend their way through my leafy suburb on Monday, as they do each year). We hope you come back and try it again.
HealthCare SocialMedia Review has information about the next edition (which will be up in two weeks' time) and instructions on how to submit your posts for review in future editions.
Ladies and gentlemen, boys and girls, the floodgates are open: Please submit your posts for the upcoming sophomore outing of HealthCare Social Media Review -- the blog carnival for health care social media, featuring the most recent fortnight's crème de la crème of blog posts on the topic. (Follow the link for submission instructions via web form or via email to david AT harlowgroup DOT net.)
We'll focus on privacy and security issues, but other topical submissions are welcome as well. Just get everything in by 6 pm ET on Monday April 16 (earlier, if you'd like to be kind to your humble HealthBlawger).
Through the alchemy of the interwebs, the posts you submit will be transformed into golden flax, woven together into a seamless thing of beauty -- and you will count yourselves lucky to read it right here next Wednesday morning, April 18.
Tell your friends and neighbors, and we'll reconvene at HealthBlawg just a few short days from now . . . for the one, the only, HCSM Review #2.
Nissenbaum argues that the real problem "is the inappropriateness of the flow of information due to the mediation of technology." In her scheme, there are senders and receivers of messages, who communicate different types of information with very specific expectations of how it will be used. Privacy violations occur not when too much data accumulates or people can't direct it, but when one of the receivers or transmission principles change. The key academic term is "context-relative informational norms." Bust a norm and people get upset.
However, after reading this piece (and, admittedly, not having read Nissenbaum’s academic papers), the contention that this is the first and last word on the question of context-sensitive privacy and sharing -- “What you tell your bank, you might not tell your doctor. What you tell your friend, you might not tell your father-in-law.” -- rings hollow for me (as it has for the Wall Street Journal Ideas Market blog, as well).
A whole 'nother issue is the issue of whether norms have any lasting value: How long before today's privacy norms -- even assuming there are some shared norms in this arena -- are replaced by tomorrow's norms? (On a related note, even the status of evidence-based medicine as a gold standard for guiding clinical practice has been questioned; contrarians hold that personalized medicine for an individual may require approaches that run counter to EBM as proven out over a population.)
Facebook and Google+ tout their context-sensitive sharing tools, which allow for limited sharing of posts to segmented audiences, and most of us understand that we barter personal data for the “free” services they provide; furthermore, this barter exchange usually benefits us as individuals as well -- we get better-targeted messages online as a result. I would certainly prefer to see Facebook and Google+ be a little more transparent about their use of personal data, and other sites and services also need to be transparent. At least some folks out in the wild are pretty sophisticated about their wants and needs when it comes to health care social media privacy and security, and I’m just not sure that we need a new paradigm fueled by jargon from the ivory tower -- though perhaps further inquiry would lead me to conclude otherwise.
In the health care and health care social media context, we all need to be aware of our own needs and desires concerning sharing of personal information, and we all need to be aware of the ways in which personal information is shared and used, and re-shared and re-used, by the platforms and repositories that we use. Armed with this knowledge, we can work to establish our own context-sensitive norms, and work to ensure that they are honored.
Many users of social media tools for health care purposes have already internalized context-relative informational norms that must be layered on top of existing privacy and security concerns unique to the health care arena. For those who have not, the HealthBlawger hopes that this post will alert them to the plethora of resources available: other health care social media privacy and security content here on HealthBlawg, the Mayo Clinic Center for Social Media (disclosure: I sit on its external advisory board), among many others -- please share any favorites in the comments. These resources should help folks fine-tune individual and institutional approaches to the use of these powerful tools.
The going rate for a compromised medical record seems to be $1,000 (well, at least that's the asking price), as seen in papers filed in the eleven class action lawsuits against Sutter Health following the theft of a desktop computer last fall. The computer contained unencrypted protected health information on about 4.24 million members. The eleven class action suits are likely to be consolidated for ease of handling by the courts.
For an outfit whose most recently reported year-end financials show just under $900 million in income on just over $9 billion in revenue, a $4.24 billion claim certainly qualifies as a big deal. The data breach claims against Sutter Health were filed last year following its self-reporting of the computer theft, and are in the news again due to the potential consolidation.
The company had reportedly begun to encrypt its data last year, starting with more vulnerable mobile devices, and moving on to desktop computers, but had not gotten to the desktop in question by the time of the breach. It remains to be seen how these facts end up affecting the final damages awarded in this case.
The takeaway for other covered entities and business associates out there: If the OCR HIPAA audits aren't enough of a motivation to get cracking with beefed-up data privacy and security protections, the potential exposure of Sutter Health in this class action suit should be reason enough to get started on this work as soon as possible, and to make it a high priority. Suits like these may be grounded both in state law and in indirect theories flowing from HIPAA/HITECH breaches (since there is no private right of action under HIPAA). The exposure is there, and a number's been put out there to quantify it. However expensive and inconvenient data encryption and other privacy and security measures may be, they are surely worth avoiding $1,000-a-head lawsuits and months of negative publicity.
1. In part, it's the same old sloppy story: unencrypted laptop loaded with PHI stolen out of a rental car ... sheesh, when will they ever learn? (See: Privacy and Security: Joke or No Joke?) Cleaner policies and procedures, and internal enforcement, would have made this a non-event, not reportable, off the front pages, and out of court. Instead, the business associate and the covered entity have gotten plenty of negative publicity, which will include a trip to the Wall of Shame. Perhaps the advent of the HIPAA audits by government contractor KPMG, together with unpredictable actions of state attorneys general, will motivate business associates and covered entities to get with the program.
2. The Minnesota AG is also going after the business associate on the unfair and deceptive business practices front -- for failing to disclose to patients the way in which they use their data (they make one set of disclosures to patients, another to Wall Street). See full complaint against Accretive Health (PDF).
As I've been saying for a while, we're going to see more aggressive HIPAA enforcement from beyond the Beltway; this case is an exemplar of just one manifestation of the phenomenon. Another is the growth of private lawsuits bootstrapped on violations of HIPAA or related state laws (this, despite HIPAA's clear statement that it does not provide for third-party lawsuits).
In addition to the HIPAA issues, there's the predictive modeling and consumer transparency side of the case: Accretive, a management consultant to a hospital system, was being paid based on a percentage of cost savings, and was using PHI in its predictive model of patient-specific health care costs. The complaint alleges that this use was not made clear to the patients, though I don't believe the allegation was made that such use would be improper if appropriate disclosures were made.
Should more explicit disclosures about the uses of health data be made even if not required by federal or state law? I sometimes counsel clients to be more proactive than may be strictly necessary in this department, in order to be sensitive to the "man on the street" perception of privacy rights -- even in situations where the law does not require that certain data be handled as protected health information subject to HIPAA. The benefit is broader than compliance and risk mitigation; it signals a sensitivity to a hot-button issue that may improve customer relations and improve risk management.
I have been asked to write up some of the core takeaways from the health care social media presentations I have been giving recently, so I am sharing a version of this narrative on HealthBlawg, in two parts. You may wish to begin with Part I.
Professional responsibility and malpractice liability
The American Medical Association has promulgated a social media policy; so has the Veterans Administration. The two represent very different approaches. The AMA essentially advocates proceeding with caution, and being cognizant of the damage that one’s own social media activities – and one’s colleagues’ – may do to the profession. The VA, on the other hand, is out in front on this issue – just as it was with electronic health records – encouraging the use of social media tools to disseminate information and engage patients and caregivers in productive dialogue likely to improve overall wellbeing and health care outcomes.
Patient care should not be provided in open social media forums, but appropriate disclaimers on blogs, Facebook pages, YouTube channel pages, and the like, should be sufficient protection for providers seeking to use these tools for sharing of general advice and information.
As in other settings, there are emergency exceptions. If the only way to communicate lifesaving information to a patient is via a public social media channel, then a clinician should not refrain from doing so based on a concern about a privacy violation.
Daily deal websites
Groupon, Living Social and other daily deal websites are being used by health care providers -- though thus far mostly by those that are not covered by traditional commercial or governmental health insurance (e.g., dental, chiropractic, acupuncture services). This may change as the health insurance landscape changes over time. There are a number of legal issues, and their resolution will depend, in part, on where you are situated, since many of the relevant rules are state laws, which vary. For example:
Groupon collects 50% of the price of the groupon as its fee; is that illegal fee-splitting under applicable state law?
Is the 50% fee an illegal kickback in exchange for a referral? Are you subject to federal laws in this area in addition to any state laws?
Do provider agreements with third party payors prohibit the offering of discounts to plan subscribers? (If you can get over the first two issues, you may need to screen out patients who are insured by carriers who limit your ability to discount or risk being in default under an agreement with your biggest customer.)
There is at least one more issue to consider, as well: State laws on gift certificates and their requirements touching on expiration dates. Lawsuits have been filed alleging that the relatively short life of the daily deal violates state gift certificate laws.
With the proliferation of high-deductible health plans, and FSAs, HSAs and the like, the general public is becoming more price sensitive in paying for health care services; while health care providers need to become more creative in order to address this issue, they must also remember that they are subject to a wide-ranging set of regulations above and beyond other consumer-facing businesses.
Social Media Policies and Procedures
Despite the legal landscape, it is possible for a health care provider to develop a robust social media program. The critical first step is developing a set of policies that respects the legal and regulatory limits, and that is consistent with the organization's level of readiness to engage through social media. Establishing clear guidelines will allow clinicians and staff to participate in the online conversation without having to review individual posts on a regular basis with legal and regulatory advisors. An existing policy from another organization may be used as a starting point in the development process, but local customization is key.
An external-facing social media policy should set limits and expectations for people who come to the organization's web properties – web site, Facebook page, blog, YouTube channel, Twitter stream, etc. -- so that, for example, a poster who violates the terms of service will be on notice that a hospital whose staff should be monitoring social media accounts at least daily may decide to take down a post (on a forum such as Facebook) if it does not comply with the policy.
An internal set of policies and procedures is also needed to address internal operational and policy issues for both official and unofficial channels. Staff need to be sensitive to the fact that they are, in effect, brand ambassadors on a 24/7 basis, and that if they mention their employer in their own posts on their personal Twitter accounts or Facebook pages, they should do so consistent with company policy – noting that “tweets are my own” or words to that effect. Some organizations may desire to insist on all employees' “radio silence” except for designated spokespersons.
The best policies are those that are developed through an inclusive process, rather than a top-down process, so that the employees most likely to be active on social media may offer input to the process and also feel ownership of the final product in a way that will promote adherence.
No matter what the tenor of an individual organization’s policies may be, they must be implemented – they do no good up on the shelf. Staff must be trained on the policies, and retrained as policies are updated on at least an annual basis. Adherence to the social media policies should be a condition of employment, just the same as adherence to any other employer policy, and the distribution of policy documents and training may be integrated with a broader employment process within your organization.
Since this is a rapidly changing arena – and since social media comfort levels in an organization may change relatively rapidly – social media policies should be reviewed on a regular basis, at least annually.
Conclusion
The cat is out of the bag. Even if you wanted to avoid social media entirely, it is simply too late to attempt to do so. Even if your practice or institution does not have an active social media presence, it is likely that others are already discussing you on line. It is important to set up a social media monitoring program right away, if you do not already have one in place, so that you may respond in the real world to issues flagged in cyberspace.
You can become an active participant in health care social media and stay on the right side of the law, and these days it is becoming more and more imperative to use this toolset for marketing, patient communication and care management.
Be sure to check out Part I of this two-part series on health care social media, which lays out the range of issues and concerns and goes into greater detail on HIPAA issues.
I have been asked recently to write up some of the core takeaways from the health care social media presentations I have been giving, so I am sharing a version of this narrative on HealthBlawg, in two parts. Check back later this week for Part II.
Introduction
“Why do you rob banks?”
“That’s where the money is.”
The legendary bank robber Willie Sutton, when asked, gave this straightforward response explaining his motivation. A similar motivation may be ascribed to the early adopters among health care providers who have established beachheads on various social media properties on line. Why be active in on line social networks? That’s where the people are: patients, caregivers, potential collaborators and referral sources, like many, many other people, are using social media more and more. Facebook has become nearly ubiquitous, and its user base is growing not only among the younger set, but also among the older set, who are signing up so they can see pictures of their grandkids. In today’s wired society, on line social networking is the new word of mouth. Word-of-mouth referrals, personal recommendations, have always been prized; we have simply moved many of those conversations on line.
Over half of Americans rely on the internet when looking for health care information. Many on line searches are conducted on behalf of another person. Most people expect their health care providers to be on line, providing trustworthy information – and the day of the static website has passed. In addition, a growing subset of the population is comprised of “e-patients” – the “e” stands for educated, engaged and empowered – who seek out health care providers prepared to engage with them both in person and on line.
Only about twenty percent of U.S. hospitals have a social media presence, and likely a similar proportion of other health care providers. Thus, while some health care providers have been using social media for years, there is still an opportunity to reap the benefits of being an early adopter. Whether or not a provider is on line, others are likely discussing that provider – on review sites, on Facebook, even on Twitter – so whether or not one establishes a social media presence, it is imperative to establish a listening post to keep abreast of what is already being posted on line – complaints, recommendations and other information will come to light, and steps may be taken in the real world to ameliorate situations giving rise to complaints and to capitalize on praise and referrals.
Finally, health care reform is pushing health care providers into social media. The Meaningful Use regulations will soon require that providers seeking incentive payments for adoption of electronic health records must make greater use of personal health record portals, and programs like the Medicare Shared Savings Program, or Accountable Care Organization program, require patient-centeredness and patient engagement, which in this day and age require the use of online social tools.
With all of these motivating factors, why are health care providers reluctant, and slow to adopt the use of social media tools? There are numerous legal and regulatory issues triggered by the use of social media, and some health care providers are put off by the perception of the risk involved. However, there are also legal and regulatory risks (and attendant market and business risks) in the decision to remain uninvolved.
The key issues for consideration include the following:
Privacy and security rules, under HIPAA as well as other federal and state laws, and the ever-diminishing ability to fully de-identify protected health information
Professional responsibility codes, including both professional society codes of ethics and state regulations promulgated by boards of registration in medicine
Malpractice liability for professional advice rendered via social media
Issues raised by daily deal sites such as Groupon and LivingSocial, including anti-kickback, fee-splitting, insurance contracts, state insurance laws and gift certificate laws
Liability under Federal Trade Commission rules for failure to disclose a financial relationship in conjunction with an online rating, review or other commentary
Trouble with the National Labor Relations Board if employee discussion of working conditions is unreasonably limited (even in non-union shops)
If not managed appropriately, it is clear that these issues may lead to significant liabilities, ranging from civil and administrative fines, to negative publicity, to private lawsuits predicated on HIPAA or state law violations. (Even though HIPAA does not provide for third-party liability, some state laws do, and creative lawsuits may seek to bootstrap private liability on a HIPAA violation as well.)
However, it is possible to manage all of these issues through the development of comprehensive social media policies, both outward-facing (i.e., to patients and the general public) and inward-facing (i.e., to physicians, other clinicians, and other staff), that are tailored to a specific medical practice or other health care organization. The policies themselves must be tailored to local conditions, because each practice and each health care organization is at a slightly different point on its own health care social media journey, in its comfort level with social media tools, and in its thoughts about how to use these tools, and to what end.
Here is further detail about several of the key categories of legal issues identified above:
HIPAA and other privacy concerns
Privacy concerns arising from HIPAA and state privacy laws start from the proposition that only a patient has the right to authorize the release of his or her own private health information. Thus, while an individual patient is free to blog about her medical condition or experience with the health care system without implicating HIPAA or other privacy rules, provider-generated social media content with identifiable patient information used without consent would raise red flags. Provider discussions of cases on social media should follow the "elevator rule" or the "coffee shop rule": if you wouldn't say it in a crowded elevator or coffee shop, don't post it online.
As one emergency room physician recently learned the hard way (she was dismissed by her employer and sanctioned by her state medical board), even a de-identified Facebook post about a patient may easily be re-identified using information from third-party sources. The HIPAA rules list eighteen categories of identifying information that must be stripped from a record or patient story in order for it to be considered de-identified. Number eighteen is, essentially, anything else that may be used to re-identify the de-identified information. Since we are, collectively, doubling the amount of information posted online on a regular basis, that which is de-identified today may well be easily re-identified tomorrow.
Thus, the best practice would be to write about composite/fictionalized patients, or simply get patient consent. Providers may wish to rewrite their HIPAA NPPs (notice of privacy practices) to include some level of consent to communication with or about a patient on Facebook, for example, if that is something that would make sense, and that might happen on a regular basis.
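To make the eighteen-category point concrete, here is an added example (not code from the original post or from any HIPAA guidance) of a pre-posting screen that pattern-matches the Safe Harbor categories with a recognisable surface form: dates, ages over 89, telephone numbers, e-mail addresses, Social Security numbers, ZIP codes, URLs, IP addresses and medical record numbers. The regular expressions, the `MRN` prefix convention and the constructed sample post are all assumptions. Names, photographs, biometrics and the catch-all eighteenth category cannot be found by a regex, which is exactly why the post's advice to use composite patients or obtain consent still applies after a clean scan.

```python
"""Pre-posting screen for HIPAA Safe Harbor identifier categories.

Illustrative only: it catches the categories that have a recognisable
textual shape and is deliberately biased toward false positives, so a
human still reviews every flagged post before it goes out. It does not
detect names, photos, biometrics or the open-ended eighteenth category.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Pattern


@dataclass(frozen=True)
class Finding:
    category: str   # Safe Harbor category that matched
    text: str       # the matched fragment
    start: int      # character offsets in the screened text
    end: int


MONTHS = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\.?"

# Heuristic patterns (assumptions), one per mechanically checkable category.
PATTERNS: Dict[str, Pattern[str]] = {
    # Full dates; a bare year is permitted under Safe Harbor, so it is not flagged.
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|" + MONTHS + r" \d{1,2}(?:, \d{4})?)\b"),
    "telephone": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]?\d{3}[-. ]\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    "url": re.compile(r"\bhttps?://\S+"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # Assumed local convention: medical record numbers are written "MRN 1234567".
    "mrn": re.compile(r"\bMRN[ :#]*\d{4,}\b", re.IGNORECASE),
}

# Ages are only an identifier when over 89, so they get a numeric post-filter.
AGE = re.compile(r"\b(\d{1,3})[- ]years?[- ]old\b|\bage[d]?\s+(\d{1,3})\b", re.IGNORECASE)


def screen(text: str) -> List[Finding]:
    """Return every suspected identifier in the text, ordered by position."""
    findings: List[Finding] = []
    for category, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            findings.append(Finding(category, m.group(0), m.start(), m.end()))
    for m in AGE.finditer(text):
        age = int(m.group(1) or m.group(2))
        if age > 89:
            findings.append(Finding("age_over_89", m.group(0), m.start(), m.end()))
    return sorted(findings, key=lambda f: f.start)


def is_safe_to_post(text: str) -> bool:
    """True only when the screen finds nothing; a clean result is a floor, not a guarantee."""
    return not screen(text)


def redact(text: str) -> str:
    """Replace each finding with its category label, working from the end so offsets stay valid."""
    out, cursor = text, len(text)
    for f in sorted(screen(text), key=lambda f: f.start, reverse=True):
        if f.end > cursor:  # overlaps a span already redacted; skip it
            continue
        out = out[:f.start] + f"[{f.category}]" + out[f.end:]
        cursor = f.start
    return out


# Constructed sample: the kind of well-meaning post a clinician might draft.
SAMPLE_POST = (
    "Saw a 92-year-old patient today, DOB 3/14/1920, lives in 02139. "
    "Reach her at (617) 555-0123 or jane.doe@example.com; MRN 4471023. Great outcome!"
)

if __name__ == "__main__":
    for f in screen(SAMPLE_POST):
        print(f"{f.category:12} {f.text}")
    print(redact(SAMPLE_POST))
```

Run as a script, the block lists six findings in the sample post (age over 89, date, ZIP code, telephone, e-mail and MRN) and prints the post with each replaced by its category label. The redacted sentence is still not safe to publish: the clinical story, the date of the visit and the hospital's own identity remain, which is the re-identification problem the post describes.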
Other disclosures made inadvertently may lead to difficulties as well. For example:
A cell phone photo taken in a hospital emergency room of a friend proudly displaying a newly-stitched wound may inadvertently capture the image of another patient in the background. That post may be a HIPAA violation attributable to the hospital, even if it did not post the photo.
An employee of a public hospital tweets her displeasure in seeing a clinic staffed up for the convenience of a political figure seeking service off-hours. Her public sharing of identifiable health information led to her being fired.
Positive test results posted by a patient on Facebook might invite response on a human level, but the response must be more measured. For example, if a patient posts on a hospital Facebook wall after getting some good test results, “I'm cancer free one year later,” hospital staff can't post much more than “Congrats; everyone should check out our cancer center's web page.” Even in a situation like this, where the patient self-identifies first, there is no consent to unlimited public discussion of his condition.
Please check back later this week for Part II, which will touch on professional responsibility and malpractice issues, daily deal sites and the development of policies and procedures for provider organizations engaged in the use of health care social media.