Social media data generated by patients, caregivers, and family members is not protected health information and not addressed by HIPAA.
Facebook has stayed in the headlines since its founder, Mark Zuckerberg, launched it on the Harvard University campus. But in 2018, Facebook probably would have preferred to be out of the media and congressional spotlight. Why? The social media giant is under scrutiny for allowing third parties to access what may be regarded as private data to be weaponized in a controversial 2016 U.S. presidential election. A related issue was how much money Facebook earned from this breach, setting aside advertising revenue, which is the core of its business model.
Healthcare organizations’ use of social media is widespread (Griffis, H. M., Kilaru, A.S., Werner, R.M., et al., “Use of social media across U.S. hospitals: descriptive analysis of adoption and utilization,” Journal of Medical Internet Research, Nov. 27, 2014). For example, The Cleveland Clinic has nearly a million Facebook followers (Brohan, M., “How Cleveland Clinic connects with patients via social media,” Internet Health Management, Digital Commerce 360, May 4, 2017).
Healthcare leaders could assert that they are protected from inappropriate use of patient data by HIPAA, but that is not correct. HIPAA only protects personal health information. With consolidation increasing, healthcare organizations collect more data than falls under the protection of HIPAA. Social media data generated by aspiring patients, current patients, caregivers, and family members is not PHI and not protected by HIPAA. Accordingly, progressive organizations such as MD Anderson Cancer Center at the University of Texas have developed social media policies.
As with any new technology, there are advantages and disadvantages. Megan Maisel, director of integrated media communication, MD Anderson Cancer Center, found that social media was beneficial during Hurricane Harvey for communicating with patients, caregivers, and employees (Showalter, J.S., “MD Anderson Shares Positive Social Media Experiences,” Legal & Regulatory Forum, HFMA, January 2018). Others have written about the disadvantages of social media in healthcare settings, highlighting that HIPAA is not the only law that regulates privacy online (Showalter, J.S., “Unintended Consequences: Patient Privacy in the Age of Social Media,” Legal & Regulatory Forum, HFMA, January 2018).
Should Healthcare Organizations Monetize Social Media Data?
Monitoring social media use and developing policies that address social media content are critical to maintaining patient and staff privacy. The next step is to consider any monetary benefit of sharing that data. Ethical decision-making in this area should take into consideration the effects on a wide array of stakeholders. And ethical decision-making in healthcare requires yet another consideration borrowing from the Hippocratic Oath, “First do no harm.”
Ethical Decision Making: Stakeholder View
There is a wide array of stakeholders who may benefit, be harmed, or neither benefit nor be harmed (see exhibit below).
Stakeholder Analysis of Monetizing Social Media Data
There is not a clear-cut decision as to whether to monetize social media data. Accordingly, ethically centered healthcare leaders must address each opportunity on a case-by-case basis, and they must do so with clear criteria that consider strategy, operations, finance, and ethics.
Ethical Decision Making: First Do No Harm
Ethically centered healthcare leaders must also consider the Hippocratic oath of “first do no harm.” Non-maleficence is the ethical duty related to the oath. One can argue that a breach of privacy and identity may result in harm. The harm may include, but is not limited to, an invasion of privacy, the revelation of a stigmatizing diagnosis or treatment, the tainting of a credit rating, or the theft of money or one’s identity. The key ethical duty for healthcare leaders is to place the duty to protect all stakeholders from harm over the need to monetize data. Similar to securing patient data in electronic health record systems, healthcare leaders must make decisions that protect stakeholders from harm regarding the access, content, ownership, and use of social media data.
Healthcare leaders manage a complex array of data vendors including social media. As such, it is essential that healthcare leaders engage with attorneys specializing in social media to draft business agreements that specifically address the risks of harms related to monetizing social media data. As in the case of Facebook, your healthcare organization may not be directly responsible for harming an individual. Instead, the party to which the patient data was sold may cause harm. However, the healthcare organization bears some responsibility for not drafting and enforcing a more rigorous business agreement with the vendor.
Health Data Use Should Enhance Stakeholder Well-Being
Social media is here to stay, and monetizing data of all types—including social media data—will continue. The action taken should not be a Luddite approach suggesting that technology should come to a halt. Instead, healthcare leaders should take actions to oversee how technology is used and designed.
As such, healthcare leaders owe an ethical and legal duty to first do no harm. Furthermore, healthcare leaders should strive for beneficence. Are you utilizing social media data in a way that enhances the health and well-being of all stakeholders, or just a few?
William Marty Martin is a professor and director of Health Sector Management and Organizational Diversity MBA concentrations, DePaul University, Chicago.