Key Components of a Social Media Policy
Addressing Risks, Preventing Breaches
Innovative staff education can help minimize privacy risks involved in using social media, says risk management expert Paul Anderson.
Physicians, nurses, marketers and others who work at healthcare organizations need to be educated about how the HIPAA privacy rule can be violated even if a social media discussion about a patient doesn't reveal the person's name or Social Security number, says Anderson, director of risk management publications at the ECRI Institute, in an interview with Information Security Media Group's Howard Anderson (transcript below).
The best way to educate staff about protecting patient privacy when using social media, Anderson says, is by providing examples of violations. "Rather than just issue a series of 'thou shall not' statements, share examples of situations where privacy has been violated," he says. "If you can show staff examples of how it's gone wrong, it serves as a great educator."
He stresses, however, that if social media are used "in a thoughtful, planned way, the potential benefits of improved patient and community communication can far outweigh the risks."
The institute recently published an in-depth report on controlling the risks involved in using social media in healthcare. In the interview, Anderson pinpoints three essential components of a social media policy, as described in the report:
- Spell out that sharing photos of anyone without their written authorization is a HIPAA violation.
- Offer a definition of personally identifiable health information. "What cluster of descriptors do you have to avoid when you're talking about patients, beyond the obvious ones like name or Social Security number?"
- Create an environment in which staff members are encouraged to contact specific in-house experts to ask social media policy compliance questions "if they're not sure of what the boundaries are."
At the ECRI Institute, Anderson oversees patient safety and risk management publications, providing guidance for hospitals, long-term care organizations and ambulatory care settings. ECRI Institute is a non-profit organization that researches the best approaches to improving patient care.
ECRI Institute
HOWARD ANDERSON: For starters, why don't you tell us a little bit about the ECRI Institute and your role there?
PAUL ANDERSON: ECRI Institute is an independent, non-profit organization, and for more than four decades we've researched the best approaches to improving patient care. And we do that in a lot of ways, such as by evaluating medical devices and by researching the evidence base behind specific treatments or interventions. As the director of risk-management publications, I oversee a dedicated staff that researches and writes for providers across the continuum of care - acute, long-term and ambulatory care - and we identify ways to put processes and systems in place that make patient care safer while we're reducing an organization's regulatory and legal risk.
Social Media Report
HOWARD: The ECRI Institute recently issued a healthcare risk control report focused on social media. Why did you decide to prepare the report, and what's the most important message you would like healthcare organizations to consider?
PAUL: We issued the report really because social media are growing so rapidly throughout all of healthcare and we get a lot of questions from our members about the best way to manage all of those risks. Healthcare as an industry has been a little reluctant to move into social media, and risk managers, particularly, are very sensitive to all the ways that it can go wrong: the damage that you can do to your reputation, the privacy violations and so on. But despite that reluctance, healthcare organizations are adopting social media and individual providers obviously are as well. The takeaway for me is that, yes, it can go horribly wrong, but it doesn't have to. And so when I'm talking to organizations, I say, "If you use social media in a thoughtful, planned way, the potential benefits of improved patient and community communication can far outweigh the risks, again, if you're doing it thoughtfully."
Top Privacy Risks
HOWARD: What do you see as the most significant privacy risk posed by using social media in healthcare?
PAUL: The thing with privacy and social media is that social media make it really, really easy and really inviting to violate patient privacy. Social media, particularly blogs, but also Twitter and Facebook, are great for telling stories, and stories are great teaching tools and they're great marketing tools. But if you're not careful in the story that you're telling, it's also really easy to start sharing details about a patient that you don't have the right to divulge.
The other piece is that people don't often consider all the ways that you can violate patients' privacy under HIPAA. It's not just using a patient's name or a Social Security number. If you describe enough details about a person that a third party could identify them, if you say, "Oh, we had a 42-year-old Hispanic male who had XYZ symptoms on June 23 at Memorial Hospital," eventually you've given enough information away that you've effectively violated the patient's privacy. [It's easier to] do that with social media than with other traditional forms of media.
Mitigating Privacy Risks
HOWARD: What are the most important steps that a healthcare organization can take to mitigate privacy risks in using social media, and what privacy provisions should be spelled out in a social media policy?
PAUL: It sounds cliché, but I think the organization has to focus on education. It has to be more than the obvious. In traditional HIPAA education, we're saying things like, "Log off from computers when you walk away from the nurses' station. Don't share passwords. Restrict who can access files." With social media it needs to go beyond that. One of the great ways to do this, rather than just by issuing a series of "thou shall not" statements, is to share examples of situations where privacy has been violated. If you can show staff examples of how it has gone wrong, it serves as a great educator. I always tell my kids, "It's important to learn from mistakes, but if you can, you're better off learning from someone else's mistake rather than your own."
As for policy provisions that you should spell out, there are a few basics. First is no sharing of photos of anyone without their written authorization. You just can't do it - end of story under HIPAA. Second, the policy really needs to spell out exactly what the HIPAA definition is of personally identifiable health information. In other words, what cluster of descriptors do you have to avoid when you're talking about patients, beyond the obvious ones as I said, like name or Social Security number? The third thing is you've got to create an environment where when staff is using social media, if they're not sure what the boundaries are, if they're not sure if something is okay, they have to be in an environment where they can ask and get answers. You've got to identify somebody who can answer that and you've got to create an environment where it's okay, because if you do, my experience has been that people will then try to comply with those rules. But if you don't set out those guidelines, people will keep tweeting anyway, they'll keep using Facebook and you won't like what the outcome is because now there are no boundaries and they can come back and say, "Well I didn't know."
Preventing Employee Violations
HOWARD: How can organizations make sure employees don't violate the privacy of patients or co-workers or others while making personal use of social media, and what about addressing the free speech issues involved here?
PAUL: Unfortunately, in the end, you probably can't make absolutely sure that privacy is not violated, and that's why this is so scary to some folks, particularly risk managers. The risk managers probably have to come to terms with the fact, unfortunately, that privacy is eventually going to be violated and your role as a healthcare organization then is to limit that to the greatest extent possible and react appropriately when it does happen.
What you have to do again is educate your staff so that they know where the appropriate boundaries are and make sure they know that, under the law, they have an individual obligation to protect patient privacy that extends beyond their employment and that they can be held individually liable for those violations.
As far as free speech goes, I'm not a constitutional lawyer, but there are obviously boundaries to free speech. The famous one is you can't shout "fire" in a crowded theatre. Well the same thing goes here. Your right to free speech ends when it infringes on my right to privacy as a patient, even if it's on your personal Facebook profile that I may never see. There are lots of other examples of social media, reputational issues more than privacy ones, where an employee has a lot more leeway to say things that the employer might not like, but it's protected by free speech; patient privacy really isn't one of those areas where free speech is an issue.
HOWARD: How should organizations go about handling privacy violations committed via social media by former employees? What issues does that raise?
PAUL: If the violation occurs after the term of employment - and I want to clarify this is not only employees but it also covers volunteers or independent contractors - if it's after the term of employment ends, the organization likely won't be sanctioned for violating HIPAA because the law talks specifically about actions by covered entities and their employees, present tense. It doesn't mention former employees. Now, still you obviously want to stop it from happening, and for a healthcare organization to make sure that they do that, they really have two steps that they need to try to follow.
First is, while the person is still employed or still volunteering, make sure that they're properly educated about their individual privacy obligations and that they understand that their individual obligation extends beyond the end of their employment. From a good risk-management perspective, you probably want to have them sign something to that effect and keep it on hand. Now the second step is, when you do become aware of a privacy violation, you want to have your legal counsel reach out to the person who has committed that violation, notify them that what they have done does violate a patient's privacy, advise them to remove the offending post, and obviously you want to keep a record on hand of that communication between the legal counsel and whoever posted that offending information.
Managing Privacy Issues
HOWARD: Finally, what other advice would you offer regarding how to manage the privacy risks involved in using social media in healthcare?
PAUL: The thing is that doctors and nurses have always violated patient privacy, whether it's at the nurses' station or in the elevator or at the bar or wherever, and they're going to keep doing it. The difference with social media, obviously, is that it's much more public and much more permanent. So it's scary and you probably can't stop it. For me, again it just comes down to constant education and examples of violations and really hyper-vigilance to remove any offending posts after the fact.
When you're talking about [using] social media on behalf of the organization, on official accounts, obviously you can limit the number of people with access to those accounts so that they can be tightly controlled and make sure that those folks are appropriately trained. But when you have all of these staff members, and if you think of a hospital with hundreds or thousands of people working there - and most of them are probably using social media on their own - from the organization's perspective, you have to be able to say, "We did everything we could to stop it," and that usually comes down to just education, education and education over and over.