Unintended Consequences: Patient Privacy in the Age of Social Media
When serious enough, social media posts that violate patient privacy can result in tens or hundreds of thousands of dollars in administrative penalties for the organization. Civil and even criminal liability is also possible.
Use of social media is now ubiquitous. People from the president to young children are busy on Twitter, Facebook, YouTube, Instagram, blog sites, and other platforms. Social media brings people together, allows sharing of important information, and builds a sense of community.
See related story: MD Anderson Shares Positive Social Media Experiences
Like other social media users, healthcare professionals post pictures and information about their personal and professional lives, from family vacations to another hard day at work. Unfortunately, inappropriate use of social media creates unique problems for the healthcare profession, where the confidentiality of patient information has been a concern since the days of Hippocrates. Although a valuable tool for treatment, patient education, and marketing, social media can easily violate legal and ethical confidentiality standards.
“An online search term such as ‘patient privacy and social media’ produces hundreds of thousands of results,” says healthcare attorney Mark R. Brengelman of Frankfort, Ky. “These include news stories about HIPAA violations, scholarly articles on the topic, and lists of recommended dos and don’ts.” A focus on HIPAA is understandable, after all the law has been around since 1996, but Brengelman says “what people sometimes forget is that HIPAA is not the only measure of privacy compliance.”
Brengelman, chair of the Kentucky Bar Association’s Health Law Section, points out that other standards besides HIPAA also apply to the confidentiality of protected health information (PHI). These include state licensing and medical records laws; federal and state “superconfidentiality” laws for substance abuse, HIV/AIDS, and mental health records; the accreditation standards and ethical codes of various professional groups; and the personnel policies of healthcare organizations. In short, “HIPAA created a federal right of privacy in medical records and PHI, but other rules come into focus when considering confidentiality violations,” Brengelman says.
Social media is a common source of privacy breaches, many of them stemming from seemingly innocent, well-intentioned actions. As an example of the tangled web of complications that can come from the use of social media by healthcare personnel, Brengelman cites a case with which he is personally familiar. It involved a physical therapist who was treating a child who had a brain tumor. For more than a year the child’s mother had been posting her son’s condition on a personalized website at CaringBridge.Org, where invited family and friends were able to receive updates on the child’s condition posted by his family. At one point, the physician therapist posted on her own Facebook page, “Please say some prayers for [patient name]. They just found out today his brain tumor is growing again.… Poor guy has to get his central line reinserted and chemo started again.”
Even though the patient’s mother had no objection, the physical therapist’s motives were pure, and the Facebook post contained information that had already been made public on the CaringBridge website, the Kentucky Board of Physical Therapy received a complaint and filed charges alleging that the therapist had failed to “respect the rights and dignity” of her patient (a standard embodied in state law). The charges were eventually dismissed because the state’s regulations were vague and the public nature of the previous family disclosures negated any “rights or dignity” violation. But the physician therapist suffered the anxiety and cost of defending herself until dismissal of the disciplinary action.
Myriad other examples of illicit gossip, breaches of privacy, even criminal liability can be found with very little research effort. These include the following:
- Describing patients vaguely but in enough detail that their identities can be determined based on the facts and circumstances
- Posting videos or photographs that include patients’ faces, hospital room numbers, or portions of medical records
- Sharing information by e-mail or on social media with co-workers who are not involved in patients’ care
- Commenting on others’ posts using PHI or one’s healthcare-related position as the basis for the comment
An example of the last item is a recent case involving a medical technician employed by a North Carolina hospital. While at work one day the technician learned of an automobile crash victim who was brought to the emergency department. The technician later read about the crash in news reports online and posted on Facebook: “I was working today when they came in the ER. Should have worn her seatbelt.” Because this was a relatively small town where many people know each other, the technician’s comments “went viral” on social media and she was terminated from her hospital job.
“She was probably just trying to remind people that seatbelts save lives, but her comment was apparently seen by some as being callous or uncaring,” Brengelman says. He adds, “People who work in health care need to remember that they are in a special position of trust and their posts can be easily misinterpreted. Once posted, the comments live forever in cyberspace and cannot be retracted.”
The technician’s Facebook comment may not rise to the level of a HIPAA violation because no specific PHI was disclosed, but the technician was terminated based on the hospital’s employment policies. Brengelman says every hospital must have similarly strict, concise confidentiality and social media policies. These should provide clear standards on the use of the hospital IT systems, as well as the use of personally owned devices while on the job. The policies should cover employees, volunteers, the independent medical staff, contractors, vendors, and anyone else who may be viewed by the public as representing the hospital or its affiliated organizations.
For example, the University of Texas MD Anderson Cancer Center’s social media policy applies “to the use of social media while at work and whenever [workforce members] discuss, post, share electronic files and/or images, or otherwise provide any information on a social network that has come into [their] possession or custody … by virtue of [their relationship to] MD Anderson.” The policy defines “social media” or “social network” as “an online platform where individuals or groups interact and share with others.” The policy lists some examples of problematic situations:
- Posting a photograph or video recording of a patient
- Mentioning a patient by name
- Posting a diagnostic image containing a name, medical record number, or date
- Describing a patient encounter with enough specificity that the patient or someone who knows the patient would know who is being referred to
- Responding to a post or public message from a patient with additional details about the patient’s health
These types of HIPAA violations usually lead to bad publicity, employee terminations, and adverse effects on patient satisfaction and workplace morale. When serious enough, they can result in tens or hundreds of thousands of dollars in administrative penalties for the organization. Civil and even criminal liability is also possible.
Brengelman’s review of the literature and his own experiences reveal some common-sense suggestions on the use of social media by individuals working in healthcare:
- Don’t post pictures or other patient information without patients’ express consent. (The fact that patients or their family members have already posted something about the situation does not constitute valid consent.)
- Don’t gossip about patients. (Even if you try to “anonymize” a patient’s identity, people who know the situation will figure out who you’re referring to.)
- Don’t post something online if you wouldn’t talk about it in the cafeteria or on an elevator.
- Don’t forget that everything on social media is public and lasts forever.
- Don’t use your corporate e-mail address for personal social media activity.
- Don’t forget that on personal social media accounts you are speaking for yourself, not for the organization.
And for healthcare organizations he has these suggestions:
- Do have an interdisciplinary team review your employment policies relating to confidentiality, social media, and related topics.
- Do include representatives from compliance, legal, IT, human resources, risk management, finance, and similar departments on the team.
- Do apply the policies to the entire workforce, not only healthcare practitioners.
- Do recognize that in addition to HIPAA standards, the policies must address state laws, other mandatory rules, and applicable professional codes of ethics.
- Do have a single individual (named by title) responsible for overseeing the social media policy.
- Do conduct ongoing, frequent education and communication about HIPAA, patient confidentiality, and the dangers of inappropriate use of social media.
In summary, Brengelman notes that HIPAA is not new; it was enacted 21 years ago and should be well understood by now. Likewise, state licensure laws, professional codes of ethics, or the concept of confidentiality should be firmly ingrained in healthcare professionals’ psyches and work habits by now.
Social media, however, is relatively new. When used as an official communication of healthcare entities, social media can be used to enhance hospitals’ and health system’s visibility, educate the public, and provide patients with better information. But when misused, social media also carries legal risks that could negatively affect organizations and result in personal consequences for the individuals involved. Extreme caution is advised.
Resources:
- A Nurse’s Guide to the Use of Social Media , National Council of State Boards of Nursing
- Eisenacher, R., “You May be Violating HIPAA and You Don’t Even Know It,” Becker’s Health IT & CIO Review, May 13, 2016
- Cyber Newsletter, Office for Civil Rights (OCR), May 2017
- OCR HIPAA Breach Notification Guidance, U.S. Department of Health & Human Services
- Appropriate Use of Communications Resources and Systems, HCA Ethics & Compliance Policies & Procedures (EC.026)
Interviewed for this article:
Mark R. Brengelman, JD, MA, practices health care law in Frankfort, KY, and is the chair of the Health Law Section of the Kentucky Bar Association.