Risk Management and Social Media

To ensure patient privacy, healthcare organizations need to adopt clear-cut social media policies and educate staff about how to comply, says Jonathan Teich, M.D., assistant professor of medicine at Harvard University.

Building awareness of the risks involved in the use of social media, such as the potential to violate patient privacy, is essential, Teich says. The HITECH Act called for much tougher penalties for violating the HIPAA privacy and security rules. The recently introduced proposed HIPAA modifications spell out those sanctions in detail.

In an exclusive interview (complete transcript below), Teich, who also is chief medical informatics officer at Elsevier Health Sciences:

Predicts that health insurers, patient associations, community associations and others will join hospitals and clinics in using social media as a new way to communicate about healthcare issues.

Advises that a social media policy should make it clear that information about an identifiable patient should never be discussed on social media.

Stresses that staff education about social media policies should be treated as a high priority, much like education about sexual harassment, discrimination or "any other behavior with zero tolerance."

At Elsevier Health Sciences, Teich leads efforts to use the publisher's content base for electronic references and clinical decision support tools.

He is a board-certified attending physician in emergency medicine at Brigham and Women's Hospital. He was the founder and the first director of the hospital's Center for Applied Medical Information Systems Research as well as the Clinical Informatics Research and Development department at Partners Healthcare System, the parent company of the hospital. He also was the primary designer of many of the hospital's clinical information systems.

Teich has been active in medical informatics and health information technology for more than 20 years.

ANDERSON: Some organizations are experimenting with using social media to help educate patients or market their services. How do you expect the role of social media in healthcare to gradually evolve in the coming years?

JONATHAN TEICH: Well, with all the trends that are going on right now, we are going to see more of it, that's probably an easy prediction. But I can see where not only providers, but also payers, patient associations, even community associations, will be really vying for the patient's text-top, as they once vied for the patient's desktop, perhaps. I think we will see more in the way of one-way things, such as notifications. I think we will see more personalization of the notifications. So it wouldn't be surprising to see social media become more of a way to do the kinds of communications that sometimes we get in the regular mail nowadays, such as notifications of new available services, notifications of procedures and health maintenance intervals that are due.

As the security catches up with the flexibility of this medium, people will realize that it is such an easy way to get the people wherever they are whenever they are....So, I would expect to see more sectors of the healthcare world getting involved. I would expect to see a lot more one-way notification systems. And, I think we will see more experimentation with two-way communication.

ANDERSON: Recently, one California hospital announced it planned to fire five employees and discipline another because they used social media to post personal discussions about specific hospital patients. This points to the security risks involved in using social media. Should hospitals and others develop clear policies on the appropriate use of social media to help minimize security risks?

TEICH: Well, I think that's absolutely necessary....Any new technology gets embraced widely because it's easy, it's fun and it's what is going on. But the social importance and the social justification sometimes don't catch up for a year or two. And the example you're talking about is one of several where people have really not understood what the privacy bounds are and just how widely their information is going to get distributed. So, in the absence of the natural evolution of the social context, I think that this information is so sensitive that hospitals and other organizations are going to have to say, "Look, while you're using this, we're going to have to tell you in advance some very important 'do's' and 'don'ts' about this." Otherwise, I think that people's natural tendency will sometimes take them the wrong way.

ANDERSON: So what are the essential components of a social media policy, some of those 'do's' and 'don'ts?'

TEICH: The easiest thing you could do would be to create a rule that says nothing about your current work experience can be placed on any social network. That would certainly be the "no information, therefore, no bad information" kind of version. But...we have to acknowledge that people will be using it, and we have to give them more specific guidelines. The obvious thing, of course, is that nothing about not only an identifiable patient, but nothing about any single patient or any small group of patients, should be placed on social media. For example: "Oh, the patients on my unit are really such and such this week." It's just important to treat this the same way that we would treat conversations about patients in public. There really can't be anything that can identify a patient; there really can't be anything that is specifically describing what is going on with a patient, or one's emotional reaction to a patient. So, that's probably number one.

Number two has to do with professional remarks, particularly criticism of other persons in the unit, others who one works with, criticism about the hospital management or vice versa, the kinds of things that people may feel comfortable saying on the golf course, or in a small gathering with one or two friends. Everyone has to realize that the social media is not the same thing. So there probably needs to be some kind of discussion about making sure that you understand that if you make any kind of professional criticism...understand that anything you say is very likely to be spread and noted widely.

And a third issue has to do with professional relations in another way. Sometimes we find that when professionals and their subordinates or superiors are together as friends on Facebook, for example, then it can get difficult. For example, the higher up may be off on some perk-based vacation and will photograph all these vacation spots, not quite realizing that it has a different effect on some of the subordinates. So that is a more subtle thing, where you say, "Gee, maybe I shouldn't be extravagantly displaying all the fun stuff I get that my friends don't get."

Added to that, I would say probably one more thing, which has been said over and over again: Doctors and nurses really cannot be friends on social media with their patients, at least not if that is the only basis for their relationship. It's just too hard to keep these really widespread channels clean and pure. If the relationship is based on a professional contact, then that probably has to be kept to much more private channels. All in all, it's a matter of understanding that very little social media stays private.

ANDERSON: What is the best way to educate staff members about a social media policy? What should be the sanctions for violating it, and how do you educate people about the sanctions?

TEICH: Our hospital, and of course every other, I'm sure, has mandatory educational sessions for discrimination in the workplace, for sexual harassment, for other kinds of behaviors that simply have a zero tolerance to them. And, in those cases, we go beyond just having to read about it. There is usually some kind of mandatory session where you actually have to be present and watch someone showing some examples. I think that whether that's done person-to-person or whether that is done in some kind of audio/video mode, it is probably important to see some examples, so you can understand what is going on.

So there should be educational sessions that involve hearing and seeing what some of these social media can do. I think that it has to be something that gets communicated periodically in your professional group. So if you are a resident, in your residents' meeting association or your professional practice group, it has to be treated very seriously. And, the sanctions presumably fit the crime, of course, but if an offense about a patient becomes as derogatory as some other kinds of harassment, then it probably needs to be dealt with the same way.

ANDERSON: Should hospitals and other healthcare organizations use data loss prevention technology or some other type of technology to help monitor staff use of social media and prevent patient information from being posted?

TEICH: This is a case where, sure, you could, and certainly, it would be effective, but you would have to be careful about being too rigid on what you do.

I think it's important to understand that social media, if it progresses the way it has been progressing, is going to be a very common phenomenon and a very transparent phenomenon. By the same token, once upon a time, when I first started out, hospitals had personal computer committees that would dictate how people would use personal computers. Well, nobody would hear about such a thing nowadays, because a personal computer is like a pair of shoes; it's just something that one has. If social media develops in the same way, then you can't be too totalitarian about how you regulate it....

At some point, we have to say, "These are the things that you should do and that you shouldn't do, these are the kinds of examples. And, if you do them anywhere at any time, and it comes back, then you are going to be in big trouble."

ANDERSON: Do you have any other final advice for those considering how to use social media while protecting the privacy of patient information?

TEICH: Well, I think awareness is paramount, and it's awareness of a kind that we have never seen before. You know, in every hospital, in every elevator, there is always a sign that says, "Remember, you shouldn't be discussing patient information in an elevator." And yet people still do, some with veiled references, and usually not including people's names. But people feel like they can do that because they feel like they look at the people around the elevator, and say, "Well, the chances of my getting into trouble here are not very high."

But that elevator conversation, once it has been made, is done. Anything that you post on social media is forever. And it's really a matter of saying, "Look, there is a huge awareness issue that is necessary. These things have an infinite lifetime, and they can be read over and over and over again." So it's a matter of saying, "This is more important than all those other signs we've put up there before."

...So we should be trying to put the notion in everyone's mind that social media are really the most vulnerable, the most prolific media....So that's number one. And second, it's important to...expose examples where comments on social media have led to trouble....We still have to rely on the fact that we are working with professionals. We can't treat everybody with a complete shackle, as we talked about in the last question. It's going to be all about awareness.



