How Doctors Can Avoid Social Media HIPAA Violations: It’s Not Rocket Science

January 28, 2013 • By Dan Hinmon, Principal

flickr: ttarasiuk

The case of a Rhode Island physician fired and fined for violating HIPAA regulations on her personal Facebook page may have the unfortunate effect of discouraging some hospitals from embracing social media.

It shouldn’t. By following simple steps, the physician and hospital could have avoided the entire fiasco.

Here is what we know. According to the Boston Globe:

Dr. Alexandra Thran, 48, was fired from the hospital last year and reprimanded by the state medical board last week. The hospital took away her privileges to work in the emergency room for posting information online about a trauma patient.

Thran’s posting did not include the patient’s name, but she wrote enough that others in the community could identify the patient, according to a board filing. Thran, who did not return calls for comment yesterday, also was fined $500.

Here are  three fundamental rules (included in our e-book “9 No-Nonsense Rules to Ensure a HIPAA-Compliant Social Media Strategy,” co-written by attorney and blogger David Harlow) that apply to this unfortunate event.

Limit liability by establishing clear policies and procedures

Apparently Westerly Hospital had no social media policy in place. Hospitals need to understand that employees, including emergency room physicians, are engaged in Facebook and other social media platforms in their personal lives. A clear employee social media policy is essential to give them clear guidance – even if the hospital does not have its own social media platforms.

Train your staff in policies and procedures

Once you develop social media policies, make sure everyone in your hospital is thoroughly trained.

Understand HIPAA and protected health information

Because the offending post has been deleted from Facebook, we are left to speculate about its content, but it is clear that protected health information was shared. Even though the patient was not named, information was included that resulted in the patient being recognizable.

This violates HIPAA 101. Since it is difficult to know what clinical information may or may not be recognized, physician blogger Kevin Pho, MD, points out that it is “better to be safe and obtain written patient permission before posting a patient story online.”

Some additional lessons

We have not heard the end of these examples. Bryan Vartabedian, MD, and author of the popular blog 33 Charts, writes that “this is just one casualty of an evolving communication medium. Expect more.”

If not careful, short-sighted hospitals will use this physician faux pas as an excuse to avoid embracing social media. That would be a big mistake.

It’s not rocket science. This problem could have been avoided by following three simple steps. Standing on the social media sidelines will deprive hospitals, their physicians, their staff and their patients of powerful and effective education, sharing and connecting tools.

How we help

Hive Strategies gives webinars, presentations and workshops to help hospitals and physician clinics learn the skills they need to thrive during health care reform. Read about our services. Start a conversation. Email us or call us at 503-472-5512.

Tags: 33 charts, Boston Globe, Bryan Vartabedian MD, David Harlow, Kevin Pho MD, Rhode Island, Westerly Hospital