by Pamela D. Tyner
Social media have become de rigueur globally. Today, millions maintain connections with their friends, relatives and business acquaintances via Facebook, Twitter, LinkedIn, blogs and YouTube. Recent studies indicate that social media popularity even predicts polling popularity and the stock market. Translated to the healthcare arena, healthcare facilities and organizations are now trained to promote their business by communicating effectively via social media. In addition, patients, physicians and employees of healthcare facilities and organizations frequently communicate and discuss patient status via cell phones, Facebook, YouTube and other social media. However, many people do not realize that use of these media may compromise health information privacy unless certain protections are implemented to safeguard them.
Invasion of Health Information Privacy
Under the confines of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Health Information Technology for Economic and Clinical Health (“HITECH”) and state privacy laws, certain protections of protected health information (commonly known as “PHI”) are mandated. The increased usage of social media to reference patient whereabouts, ailments and treatment plans continues to leave healthcare employers scrambling to implement new forms of encryption, other IT protection and disciplinary actions.
Examples of Social Media and IT Breaching Confidentiality of PHI
From the trenches, here are some recent examples of social media and IT affecting the privacy of PHI:
- A day in the life of a patient posted on YouTube, posted without consent of other patients and employees of a hospital system. The Hospital asked for the individual to immediately remove the content from YouTube. In addition, the Hospital conducted a thorough investigation and notified the patients affected about the breach of their PHI.
- A patient updates his/her status via Facebook and later discovers the status update informs her Facebook friends that s/he is in the hospital. The patient complains to the Hospital's compliance department about a breach of her PHI. Afterwards, the Hospital investigates the incident and discovers the patient updating the status inadvertently notified Facebook of the individual’s whereabouts. The facility is in the process of revising its Patient Handbook to include information about updating an individual’s “location update” status while a patient as potentially identifying the individual’s hospital stay.
- Doctors, nurses and medical students revealing patient information on Facebook. Facilities are implementing social media training to medical staff, employees and allied health professionals about the potential breach of confidentiality and/or disciplinary actions that might result from their Facebook updates about patients.
- A health care institution realizes that its computer encryption system has a loophole through the usage of USB ports. The institution must scramble to protect its system information while waiting for the software company to fix the loophole.
- Articles and blogs inform consumers how to mine PHI about others.
The National Relations Board has become very active in addressing social media's impact on the workplace. In future, it is anticipated that additional government agencies and the court system will jump on the band-wagon and scrutinize social media as it relates to the healthcare environment and patient confidentiality.
Office of Civil Rights Solicits Comments on Mobile Devices and Confidentiality
In early March 2012, the Office of Civil Rights and the ONC Office of the Chief Privacy Officer (OCPO) invited members of the public to provide input on mobile devices' uses along with comments on current and emerging privacy and security best practices regarding protecting and securing health information while using mobile devices. Public commentary will help inform the OCR and OCPO for future development of an effective and practical way to bring awareness and understanding to those in the clinical sector regarding protecting and securing health information while using mobile devices. Popular health information technology remains a hot topic for the OCR; a roundtable discussion on mobile devices and safeguarding health information is planned for mid-March.
Lessons Learned and How Healthcare Employers Should React
Healthcare facilities and organizations must act quickly to assess each usage of social media to gauge whether patient confidentiality may be vulnerable to compromise. Due to the rapid evolution of social media technology, healthcare facilities and organizations’ social media and employee disciplinary policies must be scrutinized frequently for uniformity within their corporate compliance program. In addition, these entities must analyze and implement clear guidelines outlining how its physicians and allied health professionals may be constructively redirected and/or advised on the proper usage of social media to facilitate efficient communication concerning patients without compromising PHI confidentiality.