The Expert's View with Rebecca Herold

Preventing Social Media Blunders

Do's And Don'ts For Using Social Media In Healthcare Settings

Many healthcare organizations are looking for innovative ways to use social media to improve patient care and communications. But first, they must take some essential steps to address the risks involved.


Consider some of the recent incidents that have occurred as a result of improper social media use:

  • On Dec. 9, 2013, multiple media outlets reported that a patient sued a physician and hospital after pictures of an intoxicated woman in the emergency room were posted on Facebook and Instagram.
  • On July 8, ABC News reported that an emergency room nurse in New York was fired after posting a photo of an empty trauma room after clinicians saved the life of a man hit by a subway train.
  • On July 30, MLIVE.com reported an emergency room physician in Grand Rapids, Mich., was fired for violating HIPAA after she made the comment, "OMG. Is that TB?" about a photo on Facebook.

Here are three steps to take to minimize social media risks - and avoid the publicity that comes with missteps.

1. Define the types of information that must never be posted to social media sites.

One problem that I've heard over and over is that those who inappropriately posted information, images, comments, etc., to social media sites did not think the information was patient information, or that it was not protected by HIPAA.

Take the case from the first example above. The doctor posting the images and unflattering remarks to Facebook and Instagram was a physician from that hospital who was asked to be present but was not the attending physician. He was also an acquaintance of the patient. There was speculation that he felt the images were not protected health information since he was taking them as a friend and not as the primary physician.

All personnel must clearly understand the types of information that are considered to be PHI. They must understand that PHI remains PHI even if employees think they can use it in other ways as friends or family. They must also realize that protections for PHI are still required even if the patients or insureds have posted similar information or images online themselves.

Suggested Actions:

  • Clearly define and document the PHI collected, stored, processed or otherwise accessed within your organization;
  • Explain to employees that the PHI must never be posted to social media sites without the clear and documented consent of the associated individuals, following the policies and procedures that you create;
  • Provide real-life examples to reinforce understanding.

2. Establish clear and comprehensive policies.

Given the exponential growth in social media use, and the increasing numbers of breaches resulting from inappropriate posts to social media sites, every covered entity and business associate needs to have a documented social media policy, with supporting procedures. The policies and procedures need to include clear direction on what is appropriate and inappropriate to post to social media sites.

Suggested Actions:

  • Meet with key stakeholders to determine the actions that are acceptable and not acceptable, based upon associated risks, with regard to posting information and images to social media sites;
  • Be sure to clearly indicate that even when employees are away from work or using their own personally owned computing devices, PHI must never be inappropriately posted online;
  • Give an individual or team responsibility for monitoring social media policy compliance.

3. Provide training and ongoing awareness communications.

In many, perhaps most, of the incidents involving inappropriate posting of patient information on social media sites, those doing the posting stated they didn't think they had done anything against their organization's policies - or that they didn't have any social media policies. Most organizations do not provide regular training on their policies, or the training they provide is ineffective. And they don't send regular reminders to keep employees aware. Providing effective social media training and ongoing awareness reminders is an essential step toward preventing social media breaches.

Suggested Actions:

  • Create social media training to support your policies and procedures. Or, use existing training that aligns with your policies. I've found classroom training or online live webinar training works best because these approaches allow for interaction and questions.
  • Create and use case studies for interactive discussion to see how learners would react to different types of situations involving social media.
  • Send ongoing awareness communications to remind personnel of appropriate uses of social media and policies on posting PHI or other types of personal information.

Information security and privacy expert Rebecca Herold is a partner and co-owner of HIPAA Compliance Tools and CEO of The Privacy Professor. She is also author of more than 15 books, including, Managing an Information Security and Privacy Awareness and Training Program, and a new edition of her book, The Practical Guide to HIPAA Privacy and Security Compliance, which will be published in October by CRC Press.



About the Author

Rebecca Herold


The Privacy Professor

Rebecca Herold is President of SIMBUS LLC, a cloud-based privacy and security firm and also CEO of The Privacy Professor, a consultancy. She is also author of 19 books on information security and privacy.



