You all know that sharing patient information on social media can result in legal liability, whether you are talking about HIPAA, state privacy laws, or state medical record laws. But do your employees really understand the importance of protecting patient privacy when engaging in online discussions? We think not – since we continue to see so many issues arising from the following misconceptions:
- My patients want to know more about me, so I’m going to accept their friend request.
- If I don’t say who the patient is, I can post a photo of them.
- If I don’t say who the patient is, I can talk on Facebook about my experience with them that day.
The short answer to each of these questions is NO! However, employees don’t always seem to connect their knowledge of protecting patient privacy in the treatment context, with their online discussions about their own work day. Here are some examples:
- Think about ABC’s New York Med star, Katie Duke. She was terminated for posting a photo of a trauma room after a patient was treated for wounds from being hit by a subway train. Duke posted the phone on Instagram with the hashtag, “#Manvs6Train”. In the end, the hospital concluded that Duke had not violated HIPAA, but determined that her actions were “insensitive” and warranted termination.
- What about ER nurses and staff who busied themselves posting a photograph of a stabbing victim instead of treating him. Not only did this conduct violate HIPAA, but it also raised serious questions about the standard of patient care. If you saw this post online, would this hospital be your first choice for emergency care? Maybe not.
- Oftentimes, the posts are not in any way intended to harm anyone. Rather, they come from the emotion that health care providers face day in and day out. Consider the student nurse posting a photo of a three year old chemotherapy patient and then writing about how brave the patient had been. This student nurse was likely so moved by this interaction that she felt compelled to write about it. Unfortunately for her – her actions violated several patient privacy laws.
So, what can health care employers do?
First, review your organization’s social media policy. Your policy should make clear that employees may not under any circumstances:
- Discuss patients
- Post any PHI
- Post any photos from the workplace
- Friend patients
Second, conduct training. The training should provide good examples of how employees may inadvertently or thoughtlessly disclose patient information. Providing examples of how other employees have improperly disclosed information will help make your employees think about their own online conduct.
Third, focus the organization’s social media efforts on professional networking and education. There are many health care organizations around the country that are using social media to create and build community – providing information on various medical conditions, highlighting new treatment options, or simply providing a forum for patients to interact. Patients are using health care sites to research their own medical conditions, to share information with family and friends, and to build networks with other patients. With a thoughtful social media strategy in place, health care organizations can leverage the benefits of social media while minimizing legal risk.
When was the last time you reviewed your organization’s social media policy as well as its social media marketing strategy? It might be a good time to so do.