As healthcare providers in an age where digital information can be just as viral as the viruses we treat, it is of the utmost importance to understand the implications of our social media posts.
Human beings are social creatures. We take tremendous pleasure in sharing our world with others. There is no better evidence than to look at the social media revolution that has taken place over the last few years. Often, when we see something cool, we want to share it with other people. As healthcare providers in an age where digital information can be just as viral as the viruses we treat, it is of the utmost importance to understand the implications of our social media posts.
So where does sharing something cool become troublesome? When you violate Health Insurance Portability and Accountability Act of 1996 (HIPAA). Social media has the power to amplify somebody’s lapse of judgment to the point where the content is seen by millions around the world in just a matter of minutes. Prior to social media, the error may have not spread to much more than a handful of people-often avoiding implications-it now is often brought front and center to the public’s regulatory eye. It becomes very easy for a potential HIPPA violation to occur and get noticed. It is quite impressive that upon HIPAA creation, disks were floppy and websites were rag tag, and we now find ourselves in the midst of massive multi-million dollar penalties served to entities violating the act.
According to U.S. Department of Health and Human Services, HIPAA called for the establishment of standards and requirements for transmitting certain health information to improve the efficiency and effectiveness of the health care system while protecting patient privacy. This means that because protected health information is a major HIPAA theme, it needs to be accurately defined. Defined in the law, “health information” means any information, whether oral or recorded in any form or medium, that:
“(A) is created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
“(B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.”1
So for the average OD, what does HIPAA mean? Most impactful, the Privacy Rule will require optometrists to inform patients about how their information can be used and what their privacy rights are. It also means setting up and implementing privacy procedures for our practices that outline and detail how a patient's protected health information (PHI) is appropriately used and adequately protected. An employee will need to take responsibility that this procedure is adopted and adhered to. For most of our small private practices, an office manager or other responsible employee will work fine. This person can also serve as a contact for handling complaints and HIPAA concerns. An employee must review these policies and document they understand. For most small private practices, this will suffice as adequate employee training. Finally, the patient’s records need to be secured. The authoritative source for guidance is http://www.hhs.gov/ocr/privacy.2
What are the basic things an OD should do to avoid HIPAA trouble? The best way to avoid trouble is to always and above all else protect and secure a person's health information. Regarding social media, the rule is simple: unless you have informed consent, never post enough personal information, such as the medical condition involved and office, for anyone to recognize who is being described. The best policy is to eliminate all info that can be used to identify the patient. The patient-doctor relationship is built upon trust. There is no quicker way to break that bond than to publically disrespect a patient, intentionally or not.
The top three HIPAA violations fall into three categories: impermissible uses and disclosures of PHI, lack of safeguards of PHI, and a lack of patient access to their PHI.3 It's of note that private practices are the most common type of covered entity that have been required to take corrective action to achieve voluntary compliance.4
Now let’s take a look at some hypothetical social media HIPAA violations.
An employee at your office tweets to her followers “OMG! James Franco was in for an eye exam today! Even with pink eye, he is still so cute!” Although this was not directly on any of the office’s social media pages, it is still a HIPAA violation because personal info, the patient’s name, was directly linked to medical info, his pink eye, and broadcast where unauthorized people had access to the info. The employee might have thought that since James Franco is a celebrity and he is all over social media, that it was OK to tweet about him. An in-office social media policy, backed with proper training and follow-up, might have been helpful in preventing this. However, if James Franco signed an informed consent form and was cool with the social media post, then all is well.
A technologically progressive and social media savvy office uses Facebook (FB) to correspond with its patients. Most commonly, messages are exchanged using the messenger feature, which because you are directly and privately communicating, is HIPAA compliant. However, if you do use FB for correspondence, be very careful. One might think posting to a patient’s timeline on FB is OK, when in reality, his timeline may be public, making it a violation. Furthermore, be cognizant that digital content can easily spread. Just because you sent it to a person in confidence, doesn’t mean he will respect that.
Healthcare providers can partake in consultation over social media provided the network meets security protocols. Direct, private messaging utilizing the minimum necessary HPI, between two healthcare providers in consultation, is OK. However, disclosing PHI in a social media group is not. Popular FB groups like ODs on Facebook need to be utilized in ways that safeguard against HIPAA breaches.
A patient writes a user review and includes his PHI. It is of the utmost importance to not breach HIPAA despite the apparent public airing of PHI. Simply do not disclose anything that has not been already publicly disclosed. The patient is free to say what he wants about himself; however, you are not. Develop and implement your own social media policy, but be sure to frame it around HIPAA guidelines.
HIPAA requires substantial research, time, and effort to correctly abide. Social media represents one area that has the potential for HIPAA violations to easily occur. However, one can avoid most problems by getting direct informed consent. If you want to risk it and post HPI without it, you must be sure to remove all information that can be used to identify the patient.
1. U.S. Department of Health & Human Services. Health Insurance Portability and Accountability Act of 1996. Available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/statute/index.html#1171. Accessed 11/25/2014.
2. U.S. Department of Health & Human Services. Generally, what does the HIPAA Privacy Rule require the average provider or health plan to do? Available at: http://www.hhs.gov/ocr/privacy/hipaa/faq/privacy_rule_general_topics/189.html. Accessed 11/25/2014.
3. U.S. Department of Health & Human Services. Top Five Issues in Investigated Cases Closed with Corrective Action, by Calendar Year. Year. Available at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/data/top5issues.html. Accessed 11/25/2014.
4. U.S. Department of Health & Human Services. Enforcement Highlights. Available at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/highlights/2009/01092009.html. Accessed 11/25/2014.
5. State of Rhode Island Department of Health Board of Medical Licensure and Discipline No. C10-156. Available at: http://www.health.ri.gov/discipline/MDAlexandraThran.pdf. Accessed 11/25/2014.