As the end of the year quickly approaches, our days become filled with the hustle and bustle of the holidays. Lots of shopping, eating, decorating, and yearly traditions inundate our lives as we eagerly await all the excitements and joys of the season. The workplace is no exception to the holiday spirit. Many practices enjoy a variety of activities - costume contests, potlucks, ugly sweater contests, gift exchanges, and so many more. But we cannot allow the elation and anticipation that this time of year brings to dampen our sense of awareness and adherence to HIPAA compliance policies and procedures.
Throughout this holiday season, we will highlight a few different topics of concern to help ensure your practice remains HIPAA compliant.
Social media pose many risks for health care organizations that could potentially affect the safety and security of patient information, patient consent, employment practices, physician credentialing and licensure, the violation of HCP–patient boundaries, and other ethical issues. Therefore, it would be beneficial for health care organizations to establish employee guidelines regarding the appropriate use of social media. Consequences regarding policy violations should also be defined.
Concerns regarding the use of social media by HCPs frequently center on the potential for negative repercussions resulting from the breach of patient confidentiality. Such infractions may expose HCPs and health care entities to liability under federal HIPAA and state privacy laws.
HIPAA, as modified by the Health Information Technology for Economic and Clinical Health (HITECH) Act, governs the permitted use and disclosure of patient information by covered entities, including HCPs and hospitals. The HITECH Act details privacy-breach notification requirements and expands various mandates to include business associates. Section 13410(d) addresses civil and criminal penalties for violations that are based on the nature of the violation, as well as resultant harm. Although the use of social media isn’t specifically referenced, these tools can certainly present risks under HIPAA and HITECH. An HCP may breach federal HIPAA/HITECH or state privacy laws in a number of ways when posting information, comments, photos, or videos concerning a patient to a social networking site. Whether communicating with or about patients on social media, breaches of patient confidentiality can result in legal action against an HCP and potentially his or her employer. However, it is important to note that HIPAA does not restrict the distribution of medical information that has been “de-identified.”
In 2003, the Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule, which provides the first federal privacy standards for the protection of patient information to be followed by “covered entities,” such as HCPs, hospitals, and health plans. The HIPAA Privacy Rule levies heavy fines and potential criminal charges on the unauthorized disclosure of individually identifiable health information by covered entities in oral, paper, or electronic form. The HIPAA Privacy Rule also includes a “safeguards standard” that requires covered entities to reasonably protect patients’ health information from unauthorized disclosure by using physical, administrative, and technical safeguards. The safeguard standards are somewhat flexible for entities of different sizes and resources. For instance, communication between a patient and an HCP using unencrypted email might be permissible, as long as other reasonable safeguards are followed.
To comply with the HIPAA Privacy Rule, clinical vignettes posted on social media concerning patients must have all personal identifying information and any revealing references removed. This “de-identification” can be accomplished by changing or omitting key patient details (e.g., names, insurance or Social Security numbers, date of birth, and photos), by avoiding the description of rare medical problems, and by not including specific time frames or locations without the patient’s consent. However, despite these precautions, there have still been many well-publicized inadvertent breaches of the HIPAA Privacy Rule involving social media. Protecting a person’s identity when writing about patients is often more difficult than might be expected. A study of medical blogs written by HCPs found that individual patients were described in 42% of the 271 samples studied. Of these samples, 17% were found to include enough information for patients to identify themselves or their providers, and three included recognizable photographs of the patients.
The patient’s consent is a critical issue to consider when using social media. An HCP or health care organization might determine whether patient permission is needed by considering the place of publication. The use of specific HIPAA-compliant messaging systems, such as that provided within Doximity, may be theoretically safe even for patient-identifying information, assuming that the recipient has medical justification for receiving such information. However, it is ultimately up to the individual HCP, the practice, or the organization to decide when they will seek patient consent before posting de-identified case details online.
Health care institutions should address the risks posed by the use of social media in their employee policies. Policies should encompass discrimination, harassment, wrongful termination, leaking of confidential or proprietary information, damage to the organization’s reputation, and productivity as well as other issues. A health care organization may also consider establishing policies that involve disciplinary actions in response to employees’ use of the Internet, cellphones, or tablets during working hours. The establishment of such policies could diminish a number of concerns regarding the online posting of pictures or other patient information that could violate federal or state privacy laws or could distract from patient care.
Many institutional policies also prohibit the use of work email addresses on social media, reflecting a concern for security and the importance of separating personal and professional activities. The use of institutional graphics or logos on employees’ personal social media pages may also be prohibited. Potential conflicts of interest are also a concern. Most policies prohibit arrangements that involve the exchange of money for online postings or other activities, and require full disclosure with disclaimers if such a relationship exists.
Several health care institutions have policies that require a signed HIPAA authorization before any patient-specific information may be posted on social media. Other institutions, particularly medical schools, have expanded this concept to include consent from research subjects and volunteers. It is good practice for faculty at educational institutions to inform students about potential consequences for violating this and other social media guidelines, since such infractions may not only expose the student to academic or professional disciplinary actions but can also violate state and federal laws, resulting in civil and criminal penalties.
Many health care professional societies have issued guidelines for the use of social media. In 2012, the ASHP released a statement regarding the use of social media by pharmacists. The ASHP advised pharmacists to provide clinical advice only in adherence with professional standards (i.e., when a complete history is known); to recognize when a patient’s needs would be better met by other means of communication; to provide timely and accurate information when appropriate; to rebut any misleading information; to protect patient privacy; and to maintain the pharmacist’s reputation during anonymous or personal use of social media. The ASHP also recommended that hospitals or health systems that allow the use of social media establish best practices in the form of policies and procedures that balance the benefits of social media with the potential risks and liabilities of such media.
In 2010, the American Medical Association (AMA) released official guidelines for the ethical use of social media by physicians. These guidelines emphasize the need to maintain patient confidentiality; to be cognizant of privacy settings; to maintain appropriate patient–physician boundaries; to provide accurate and truthful information; to act with collegiality; to avoid anonymity; to declare conflicts of interest; and to maintain separate personal and professional profiles. The AMA’s policy also recommends that members be aware that privacy settings may not provide complete protection and that anything posted on the Internet may be permanently available online.
The Federation of State Medical Boards (FSMB) published a guidance document on the appropriate use of social media in medical practice in 2011. This document emphasizes protection of patient privacy and confidentiality; professionalism and transparency; the avoidance of dispensing medical advice online; and the caveat that once information is placed online, it can be distributed interminably.
The National Council of State Boards of Nursing (NCSBN) also issued its White Paper: A Nurse’s Guide to the Use of Social Media in 2011. This document includes practical guidelines for governing the appropriate use of social media in the health care environment by nurses.
When used wisely and prudently, social media sites and platforms offer the potential to promote individual and public health, as well as professional development and advancement. However, when used carelessly, the dangers these technologies pose to HCPs are formidable. Guidelines issued by health care organizations and professional societies provide sound and useful principles that HCPs should follow to avoid pitfalls.