A Social Media Policy ChecklistTips for Preventing Privacy Violations
An informal survey late last year by the American Health Information Management Association found that a little more than half of organizations had a formal social media policy in place, says Cecilia Backman, associate director of health information management at Parkland Health and Hospital System in Dallas. Backman, who collaborated on the survey project, was a speaker at this week's AHIMA Legal Electronic Health Record Summit.
Staff members at hospitals and clinics need to be aware that social media sites do not use encryption and are fundamentally unsecure, Backman stressed. Thus, they must make sure that information about patients is never posted on any social media site, such as Facebook and Twitter.
Privacy PrecautionsSteps that organizations can take to minimize the risks involved in using social media, Backman said, include:
- Conduct a social media risk analysis that addresses operational and well as technical issues;
- Develop a formal social media policy that addresses all identified risks and covers staff as well as volunteers, contractors and independent practitioners - anyone who might have access to patient information;
- Spell out in the policy expectations for the ethical behavior of those who create content for social media sites on behalf of the organization or use social media in any way, both at work or on their personal time;
- Specify sanctions for violations of the policy and provide extensive annual staff training;
- Modify medical staff rules, employee privacy agreements as well as business associate agreements to address the use of social media; and
- Monitor mentions of your organization on various social media sites to guard against potential health information breaches.
We certainly want to use social media, but we have to be able to ensure the privacy and security of patient information.
When it comes to social media, "We need to tread lightly and carefully as we move ahead," Backman stressed. "We certainly want to use social media, but we have to be able to ensure the privacy and security of patient information."
Preliminary results of HealthcareInfoSecurity's inaugural Healthcare Information Security Today survey show that 55 percent of respondents say their organization has a formal social media security policy in place. Of those, 40 percent have taken disciplinary action for violations of the policy.
There's still time to participate in the survey to help us provide you with a detailed overview of the privacy and security policies of healthcare organizations. We'll be reporting on all the results in the weeks to come.