Hospitals and Providers: Five Guidelines for HIPAA Compliance in Social Media
As healthcare marketers continue to delve into social media, so too, they continue to encounter questions about the balance between engaging their audiences and exposing their organization to potential HIPAA violation. It can be a dicey question, and many legal advisors are still wary enough to keep the kibosh on social media strategies on principle.
But let’s face it, it’s a Web 2.0 world and “Because I’m afraid of it” just isn’t a good enough reason to stay analog. Your patients are in social media. So are your industry and competitors. Your employees and medical staff are using social media (without your helpful guidance) and your future employees are there, too. And eventually you are going to need a quick communications tool to respond to a community crisis or negative news. The infrastructure of social media doesn’t happen overnight so it takes planning to develop a rapid response tool that is ready to deploy, as needed.
Last week Rosemary Plorin and I had the distinct pleasure of speaking to the Tennessee Society for Healthcare Marketing and Public Relations about the “Intersection of HIPAA and Social Media.” We were able to refine guidance on this topic down to five key points. Embracing these brief tenets should help healthcare marketers assuage the concerns of fearful executives and legal counsel.
Each and every one can be handled up front through education in conjunction with protocols and permissions management. You have a code of conduct. Now you just need to extend it one step beyond an Internet usage policy to cover Web 2.0 technologies as well.
Define the universe of people that impact your actual liability. Your caregivers and employees fall under that umbrella, as do your billing services, legal counsel, marketing and PR resources and anyone else with patient demographic or clinical information (e.g. names, birthdates, diagnostic codes, etc.).
2) HIPAA does not apply to third parties like patients and patient families.
The Office of Civil Rights (the HIPAA enforcement agency) has been quoted on this point. A covered entity is not responsible for the actions of patients and patient families … only its providers and employees, and by extension, its business associates. So covered entities are not liable when Aunt Jenny posts photos of her nephew, Baby Alex, taken at your hospital. And, while the phenomenon of patients taking photos of other patients in the ER and posting them on Facebook should be proactively discouraged (e.g. putting safeguards in place like employee policies, posted notices, etc. ), it is not, technically, a HIPAA violation for the hospital. But clearly, you would rather avoid even the question of impropriety.
3) HIPAA applies to individually identifiable protected health information (PHI).
So, if your nurse goes into an online public forum and asks, “How is your Dad coping with his diabetes? Has he been checking his sugar?” the nurse has just violated HIPAA protections. In fact, it is a violation whether the nurse started the online conversation or replied to a patient posting. However, if a clinician blogs about the “Best practices for patients dealing with diabetes,” that would not be a HIPAA violation because it is not directed to or written about an individual.
4) Section 230 of the Communications Decency Act protects you as the sponsor of an online forum.
A healthcare provider cannot be held liable for postings made by other parties just because it owns or sponsors the forum. Further, you can take down or leave up comments as you deem necessary with no consistency in the practice and you are covered either way. However, if you edit a third party’s post then you become the co-author and assume liability. The morale is that you need to either respond to a comment, delete it, or leave it as it is. But NEVER edit it.
5) According to case law precedent, if you invite illegal activity then you assume liability.
Obviously, since we are communicators and not lawyers, you will want to review these guidelines with your legal team for confirmation, but these points of discussion will certainly help open the discussion.
So how is your hospital/healthcare organization addressing HIPAA concerns in social media?