Social Networking Policies for PhysiciansReport Offers Helpful Guidelines for HIPAA, HITECH Compliance
Social media hold great potential for educating patients and marketing services. But they also present great potential privacy risks. That's why it's so important to stress to staff that information about specific patients should never be posted on a social network.
Back in June, Tri-City Medical Center in Oceanside, Calif., announced plans to fire five employees and discipline another because they used social media to post personal discussions about hospital patients.
Physician practices, as well as hospitals, looking for a good starting point for the basics of a social media policy should take a close look at these documents.
Policies backed by powerful sanctions, including terminating staff for violations, can go a long way toward preventing breaches.
The Ohio State Medical Society's new document offers a wealth of common-sense advice on the use of social media. For example, it advises: "Take time to consider who might read your post, blog or comment. Even if you are careful about who you "accept" as a friend, your friends can pass on your post to their friends, etc. etc."
It also advises physicians who want to take advantage of social media to create a personal page and a secondary page that represents the practice, "allowing patients to become fans of only the latter."
But perhaps the most valuable segments of the document are two detailed sample policies regarding social media use in the workplace. The policies, stress, for example, "Do not disclose any individually identifiable information regarding a member, business affiliate, client or patient."
Physician practices, as well as hospitals, looking for a good starting point for the basics of a social media policy should take a close look at these sample documents.
Social Media Policy LeadershipAs we've noted earlier, one of the leaders in the development of social media policies is the 37-hospital Adventist Health System. In addition to enacting a comprehensive policy, which incorporated methods used by other corporations and healthcare organizations, Adventist crafted an educational program for all staff members and established sanctions for violating the policy. Plus it's using Web filtering and data loss prevention technology to help monitor staff use of social media and prevent patient information from being posted.
And in a recent interview, David Parks noted that Alegent Health, an eight-hospital system, is using social media monitoring tools to help protect against potential breaches.
"We are looking at what is being put out there on blogs, Facebook pages, Twitter, that sort of thing," says Parks, operating counsel and regulatory compliance and privacy officer. "Because we will then be able to identify when Alegent, or any of the Alegent patients or facilities, are being mentioned, and maybe be able to catch something on a publicly facing site that we might be able to nip in the bud if we feel that there is perhaps some breach potential there."
And remember, under the HITECH Act, penalties for violating the HIPAA privacy and security rules are toughened, as spelled out in proposed HIPAA modifications. And penalties can apply to individuals as well as organizations.