This blog is part four of an eight-part series on launching your hospital’s social media strategy.
Some hospitals are allowing HIPAA anxiety to keep them from embracing social media platforms such as Facebook, Twitter, YouTube. LinkedIn, Foursquare and blogging. But there are now more than 900 U.S. hospitals engaging patients through these social media. And there is solid information to keep you on firm ground, if you follow these nine no-nonsense rules. Thanks to David Harlow, a healthcare law and consulting attorney, for many of these ideas.
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that says that a patient has control of his or her own protected health information. No one else can release that information without consent of the patient.
The Health Information Technology for Economic and Clinical Health Act (HITECH Act) gives state attorneys general the right to pursue violations of patient privacy as well.
The exception: The patient’s protected health information can be used for healthcare operations. It can be shared internally, from a hospital to a physician, from a physician to a hospital, and to payment companies for insurance purposes. But this information cannot be released beyond that circle without the consent of the patient.
The key point: The same rules regarding patient privacy that apply to everything else you do in healthcare also apply to social media activities. Remember that even the fact that the patient/doctor relationship exists is itself Protected Health Information.
Consult with your legal advisers early and often.
This blogpost is not meant to provide legal advice – just guidelines for implementing a HIPAA-compliant social media strategy. Seek legal advice for your particular hospital.
Limit liability by establishing clear policies and procedures.
Determine a coherent set of internal and external policies and procedures regarding patient privacy that are tailored to your hospital.
Involve leaders, evangelists and frontline staff in the development of these policies and procedures. These policies should: explain appropriate use of social media platforms
- explain appropriate use of social media platforms
- clearly define how information posted there will be used
- specify what degree of privacy can be expected
- state clearly that these forums are not to be used for personal medical advice
- state clearly that the site is NOT monitored 24 hours a day, seven days a week
Post these policies prominently on your social media sites and incorporate them into off-line documents such as your Notice of Privacy Practices.
Train your staff in policies and procedures.
You have a code of conduct. Now you just need to extend it one step beyond an Internet usage policy to cover social media platforms as well.
Make sure that all your employees who are participating in your social media have been trained, that they clearly understand your policies and procedures and that they follow them.
Social Media guru Ed Bennett has gathered a nice collection of policies on his website, Found in Cache.
Do not practice medicine online.
While it is possible to conduct a hospital-patient relationship online, best practice would be to initiate the relationship in real life and obtain appropriate authorization from the patient to continue the dialogue on line. Even then, don’t practice medicine online.
Some patients are more open than others, and are willing to post details about themselves that others consider private. If someone posts these details in a public forum, that posting constitutes consent to the disclosure itself. Your response, however, should never disclose protected health information.
Take conversations offline.
When you feel that comments or questions on your social media platform are approaching HIPAA violations, take them offline. Ask the patient to call your hospital for more details.
Prominently post your policies and procedures on all your social media platforms.
For instance, on Facebook have a separate tab for policies. On your blogposts, place a policies link just before your comments section. Make sure patients understand your policies and know how your hospital will interact with them. When you include prominent disclaimers and plenty of warnings, these postings constitute consent to the public discussion.
Regularly monitor your social media platforms.
Review your social media platforms at least daily. That helps you respond quickly to the good and bad that comes your way, and helps you build those strong, trusting relationships that can be so powerful. You should remove any posts or comments that violate HIPAA regulations by disclosing protected health information. Whenever you remove a comment or post, be sure to follow best practices by briefly explaining why.
Review this blogpost for a calming voice when you start worrying about negative comments. And remember our core values at the heart of hospital social media. When a patient posts his or her own protected health information on your hospital Facebook page or in your blog comments, it is not a violation of HIPAA. That’s because he is free to release his own information.
Here are some questions and answers that may help as you monitor your social media platforms.
“Is our hospital liable for non-employee postings on forums we host?”
No. Andrea White, a senior account supervisor who is a specialist in health policy implementation at Lovell Communications in Nashville, Tenn, writes that Section 230 of the Communications Decency Act “protects you as a sponsor of an online forum. A healthcare provider cannot be held liable for postings made by other parties just because it owns or sponsors the forum.”
David Harlow adds an additional cautiion, however. “This law may help if you’re being sued for lewdness or slander,” he says, “but in the healthcare privacy realm we’re held subject to a different set of standards. There are numerous overlapping regulatory schemas.
“It becomes important to be able to monitor and potentially take down information if it reveals private information protected by HIPAA. Even if it’s posted and you don’t get to it right away, if you run a schedule of scanning and scrubbing on a daily basis, that will work in your favor.”
“Can we remove posts randomly?”
Yes, according to White, with one important caveat. “You can take down or leave up comments as you deem necessary with no consistency in the practice and you are covered either way. However, if you edit a third party’s post then you become the co-author and assume liability. The moral is that you need to either respond to a comment, delete it, or leave it as it is. But NEVER edit it.”
“What liability do we have if we invite participation in a forum?”
“Are we liable for postings by a patient’s family or friends?”
No, says John Cummins, an editor with Health Leaders Media. He writes:
“I asked the Department of Health and Human Services’ Office of Civil Rights about it. They replied: ‘Entities subject to the HIPAA Privacy and Security Rules are covered entities: health plans, healthcare providers, and healthcare clearinghouses. Generally speaking, a covered entity would not be responsible for the actions by a patient’s friends or family.’”
“What if patients post photos they have taken in the hospital on social media sites?”
No problem, if you post signage saying that picture taking is not permitted. John C. Parmigiani, president of John C. Parmigiani & Associates, LLC, and a nationally recognized expert in HIPAA compliance, advises hospitals to post signs at the entrance to the emergency department or near emergency department examining rooms stating that picture taking is not permitted. That way, if a visitor ignores the rules, takes a picture and posts it online, the hospital can at least demonstrate that it was exercising reasonable measures to protect patient privacy. “To me, the posting prohibiting picture taking would represent another example/level of ‘due diligence’ on the part of the hospital,” Parmigiani says.
Kate Borten, CISSP, CISM, concurs. Borten is president of The Marblehead Group, a firm that provides information security and privacy consulting for the healthcare industry. Borten explains that HIPAA expects healthcare providers to take “reasonable” measures to protect patient privacy, but also “accepts situations such as waiting rooms where patients can be seen by the public or a family member accompanying a patient to a bed in the ER. As long as the hospital wasn’t doing something out of the norm, then it shouldn’t have any liability when a member of the public snaps a picture.”
Borten casts some additional light on hospital’s responsibilities. HIPAA makes an “absolute distinction” between the hospital’s workforce (a term defined in the regulations) and everybody else. “Organizations are responsible for the actions of their workforce, but not for the rest of the world,” Borten says.
Visit and revise your policies and procedures regularly.
As social media evolves, as technology increases, as you gain more experience and as your comfort level grows, you will need to revise and update your policies and procedures. Plan to review them about every three months.
Follow these steps and you should steer clear of HIPAA violations. Remember to contact your legal department to make sure that your policies and procedures are in compliance.