Editor's note: In a generation more likely to seek health information online than see a doctor, social media is playing an increasingly critical role in healthcare decisions. Today more than 40% of consumers say that the information they read in social media affects how they deal with their health1—and two-thirds of doctors use social media for professional purposes.2
With statistics like these, it's not surprising that a growing number of healthcare entities are incorporating social media into their communication plans. In the article below, Manatt reveals how you can effectively harness social media's power to reach and influence your target audiences—and what you can do to minimize the risks that often can accompany an active social media presence. The article is based on our webinar for Bloomberg BNA, "Best Practices for Using Social Media in Healthcare: Maximizing Impact, Mitigating Risk." If you missed the program, click here to view it free, on demand, and here to download a free copy of the presentation.
Part I: Maximizing Impact
Social media has become a shorthand designation for person-to-person information shared using a wide variety of online and digital platforms, such as Facebook, Twitter, Pinterest, Tumblr and LinkedIn. Most started as desktop applications, but all have experienced dramatic growth in their transition to mobile platforms.
Social media applications originally were designed to allow individuals to create self-defined networks of friends or like-minded strangers and share information, stories, links and pictures. As social media became more prevalent in the late 2000s, commercial interest exploded. Companies saw social media as another channel to deliver their messages to their audiences.
The problem is that very few social media users want to hear "corporate messages" and certainly don't consider themselves an "audience." Therefore, they weren't attentive to companies' early efforts to engage in this space. The core attribute of social media—user-defined networks of relationships—requires a fundamentally different way of engaging.
11 Keys to Success
Companies are not the sole source of trusted information on social media. In fact, most of the information that people rely on comes from friends, colleagues and in some cases organizations that they have self-selected to join their social networks. Research shows that 41% of users say social media would influence their choice of a doctor or hospital—and 9 out of 10 18- to 24-year olds would trust medical information others shared on social media. It's important to remember that those 18- to 24-year olds are tomorrow's patients, members and employees.
Clearly, social media is an essential communications tool, but one that requires a different dynamic and different skill set than traditional media. There are 11 keys to social media success that we will discuss in this article:
- Connect the dots.
- Have a plan.
- Tell a story.
- Answer the question.
- Get in shape.
- Take a risk.
- Trust the team.
- Listen and learn.
- Seize the day.
- Guard your flank.
- Revise, revise, revise.
1. Connect the Dots
Every healthcare organization has a series of mission-critical communities, including patients, caregivers and employees, as well as local, state and national stakeholders and leaders. Each community has its own unique infrastructure and culture. The active support of these mission-critical communities is fundamental to every organization's long-term success.
The relationship between these communities and healthcare organizations is shifting. Each person may belong to many communities. Each considers him- or herself unique and will resist being treated as part of an "audience." To garner the loyalty of these people whose active support is vital, organizations must engage with them on their terms and with their agreement.
It's important to recognize that these communities overlap. For example, in delivery systems, nurses and doctors can become patients. Patients may be donors. Caregivers may play community leadership roles. For managed care organizations, as well as for pharma and device manufacturers, patients may learn of organizations through their physicians or a wide array of patient-focused third-party organizations. Social media quickly exposes any disconnects in what these overlapping communities are hearing. Therefore, it's crucial to have one cohesive social media strategy to protect against delivering mixed messages to mission-critical communities.
2. Have a Plan
Design a campaign to engage the hearts and minds of mission-critical communities. Develop a message platform that is the core theme of your organization's mission. In a political context, it was compassionate conservatism for President Bush, hope and change for President Obama. For healthcare organizations, it can be trust, quality, convenience or mission focus.
Many organizations develop their message platforms using a simple two-by-two box of us versus them. How would we describe ourselves? How would we describe our competition or our mission-critical communities? How does our mission-critical community describe itself? And how does that mission-critical community view us? This approach is fundamental to developing a message platform for social media because ultimately it becomes the guidepost to engaging in conversation with mission-critical communities.
We recommend forming a multistakeholder governance approach to developing a social media strategy across various communities. When creating a message platform, make sure to include all parts of the organization. The goal is to engage people, not audiences. Therefore, it's very important to understand what's happening from the outside in among your communities.
3. Tell a Story
The best campaigns are stories. Social media users are engaged in a continuous conversation with their networks of self-identified friends and relationships. Most folks are just listening. Some are posting to the community, looking to share something they found. Others react to the conversation, commenting on a post or a tweet. But whether listening, talking or reacting, social media is a conversation, not a message. If organizations simply view social media as a place to deliver a message—a different version of a newspaper or magazine—they won't last long.
The challenge is to enter the conversation and begin to shape it gradually and consistently with the values of the people on the other end in a way that mirrors the organization's message platform. It's critical to frame the conversation in an authentic voice that mirrors how people actually talk to one another.
Use the rule of thirds. A third of the time, talk across platforms about brand awareness. A third of the time, focus on the community's interests. And last, a third of the time, engage individuals in that community on a more personal level.
4. Answer the Question
Answer any questions. Don't simply send a link or direct people to another page. Make it easy for people to find a doctor, make an appointment or learn about a treatment.
5. Get in Shape
Engaging mission-critical communities in conversation is a new skill. Get teams in shape. There's no substitute for practice. Anyone playing an active role in social media strategy needs to have a hands-on appreciation for social media. This is not something that can be delegated. Each person on the team needs to listen through these new channels.
You gain credibility when senior leadership is actively engaged. Research shows that 82% of consumers are more likely to trust a company whose CEO is on social media—yet only 30% of Fortune 500 CEOs are on social media.
6. Take a Risk
Making the leap from the old world of messages delivered to audiences to engaging in conversation is a big jump. But it's critical to start. Because as risky as social media can be, the bigger risk is not to engage.
7. Trust the Team
As organizations develop or redesign their social media, they need to trust their digital natives. The most compelling conversation-based strategies will come from colleagues who grew up with podcasts, posts and tweets.
Organizations should recruit their social media teams from their current staff. Employees know their organization's culture, products and services better than anyone. Every organization has a lot of social media users among its employees with a deep understanding of the new environment. But don't give them the keys to the car without reminding them of traffic rules. Have explicit social media policies in place, and ensure they are well understood and widely disseminated.
8. Listen and Learn
A critical part of any state-of-the-art social media strategy is the combined art of listening and learning. It's important that your strategy includes continuously scanning the environment. Best-in-class organizations have established formal listening posts. Listen to what people are saying to learn how to engage in the conversation—and, more importantly, determine needed changes in business processes.
In addition, watch what people are searching for on Google. That's just one of the diagnostic tools that can give organizations a heads-up they can use to refine and reshape conversations. It's good to get "likes" on homepages and retweets of tweets, but it may be more important to engage with communities on their terms and in their networks.
It's also critical to consider the value of participation and outward engagement. Don't make community members always come to you. Engage them in conversations about their choice of hospitals, health plans and products. Consider the experience of the Mayo Clinic. The average number of listeners to Mayo's podcasts jumped by 76,000 in a single month after it started using social media.
It's important to remember that listening alone isn't enough. Organizations need to be prepared to change based on what they learn. For example, a hospital in the Midwest picked up repeated complaints being retweeted about long wait times. The administrator was able to not only identify the issue but to resolve it. On the other side of the coin, organizations need to find ways to reinforce the positive feedback they hear on social media.
9. Seize the Day
To be an authentic voice in the conversation, organizations must be present in the constant focus groups that are being conducted online. There's no room for delay.
Consider the time the lights went out during the Super Bowl a few years ago. A team of people at Oreo reacted in the moment and tweeted out the message that "You can still dunk in the dark." It immediately got 15,000 retweets and 20,000 likes on Facebook. That's just one example of how an organization reacting quickly to a change in circumstance can bring its brand to the forefront.
UCLA Health's live-tweeting and Vining an entire brain surgery while the patient played guitar is another great example. The event formed an incredibly positive impression on many levels. People came away perceiving UCLA Health as technology-savvy, committed to its artist patient and medically sophisticated.
The key thing to remember is that time is the enemy in social media. Just 18 minutes after an initial tweet, half the retweets are done. The half-life for Facebook is 30 minutes and for YouTube is 7.4 hours. Organizations that can't act in the moment get lost in the conversation.
10. Guard Your Flank
Social media is not a risk-free environment. Don't assume that because a tweet's half-life is 7 minutes, it's gone from the record after that. It's there forever. Use the coffee shop test. Anything not appropriate to talk about in a conversation over a cup of coffee in the hospital cafeteria or corporate lunchroom shouldn't be talked about online.
There will be things that can't be anticipated—from data breaches to malicious comments. Have a tested crisis management plan in place, and retest it quarterly, so people don't fall out of practice.
11. Revise, Revise, Revise
Social media plans are good for about three months before either technology or the conversations being monitored significantly change. Failing to adapt plans will mean conversations get stale, understanding of the prevalent technology becomes out of date and organizations lose the credibility they gained over time.
Part II: Mitigating Risk
While there are risks associated with social media in any industry, regulatory constraints mean risks are heightened in the healthcare industry. With proper policies, training and monitoring, however, there's no reason that healthcare organizations can't use social media as effectively as others.
The Context in Healthcare
There are obviously many ways in which the healthcare industry is using social media, from sharing new research to discussing new technologies and treatments. Increasingly, social media is the way healthcare organizations and professionals are communicating with patients and marketing their brands. In this article, our primary focus will be on the risks associated with the marketing and branding space.
Legal Risks: HIPAA and Other State Privacy Laws
Potential violations of the Health Insurance Portability and Accountability Act (HIPAA) and other state privacy laws was for many years one of the primary reasons the healthcare industry was slower than some others to embrace social media. The nature of social media creates significant risks of violating HIPAA and state privacy regulations.
HIPAA prohibits disclosing any individually identifiable health information transmitted or maintained in any form or medium, including social media platforms. The prohibition covers any information that can be used to identify a patient and that relates to his or her physical or mental health condition or the provision of healthcare, even if the person is not identified by name. Organizations are responsible for disclosure of this information by their employees.
The informality and fast-paced nature of social networking sites create substantial potential for mistakes. There are many ways that people are identifiable on social media, even when their names are not shared, such as through a Facebook profile picture. People erroneously assume they're not triggering HIPAA because a patient's name is not being used. But in fact, most of the ways people are identified in social media would fit within the HIPAA trigger.
For example, at a Rhode Island hospital, an emergency room doctor posted information about a trauma patient on Facebook. The name of the patient wasn't included, but the doctor provided enough information for the patient to be identifiable in the community. That was sufficient to trigger a HIPAA violation. At that time the hospital did not have a social media policy in place.
There also was a case involving a paramedic posting details about a rape victim on his MySpace page. Again, the patient wasn't mentioned by name, but there was enough information to allow identification by the community. The paramedic's employer was fined for his actions.
In fact, there are numerous examples of medical professionals being fined for posting information about medical procedures without disclosing the patient's name. Perhaps one of the most egregious cases involved a nurse in Portland who posted pictures of a car accident victim's buttocks on Facebook. Because of its severity, people in the community knew about the accident and therefore could identify the patient. The nurse was sent to jail and permanently banned both from being in the nursing industry and using social media sites.
What are the themes shared across these cases? In each instance, though the patient's name wasn't provided, there was enough information for the community to identify the person. In addition, in all these cases the problems arose from the actions of employees—often posting information on their own social media pages. It's critical to remember that organizations are responsible when their employees disclose information.
Most HIPAA violations that occur over social media are based on a common set of misconceptions. Common mistakes in social media include:
- The mistaken belief that communication is private and accessible only by the intended recipient.
- The mistaken belief that the content of posts has been deleted and is no longer accessible. Remember…on social media everything is permanent.
- The mistaken belief that if the site is private (i.e., limited to select recipients) the disclosure of patient information is harmless.
- The mistaken belief that there is no breach if the patient's name is not disclosed.
- The mistaken belief by employees that disclosure on their own personal social media networks is not actionable.
Legal and Ethical Risks
Social media also poses legal and ethical risks that are unique to the healthcare industry. There is a fine line between sharing information and providing medical advice. Because social media is based on personal interactions, there is the increased danger of inadvertently offering medical guidance to patients or prospective patients. Other risks include:
- Creating the chance for claims of operating without a license if patients are located in another state. With social media, there is no way to know where people are when they are communicating with you.
- Failing to provide the necessary disclosures. Character limitations on platforms such as Twitter make it difficult to disclose the required information.
- Breaching confidentiality laws and creating ethical issues. Some of the most common social media interactions—such as friending or Googling patients—can raise ethics questions and breach privacy laws.
The American Medical Association (AMA) has issued guidelines on social media usage that are valuable to keep in mind:
- Be cognizant of standards of patient privacy and confidentiality. Don't post sensitive patient information online or transmit it without appropriate protection.
- Use privacy settings to safeguard personal information, but understand that privacy settings are not absolute.
- Maintain the appropriate boundaries of the patient-physician relationship, just as in any other context.
- Report unprofessional postings to the appropriate authorities.
- Do not post any identifiable information about clients, patients or affiliate care providers.
- Avoid searches on people that you relate with professionally.
- Create separate professional and business pages in social media. Keep personal content distinct. (Manatt would add the caveat to remember that posting information about patients or treatments on one's personal page could still raise privacy and HIPAA violations.)
Marketing and Branding Risks: FTC Testimonial and Endorsement Guides
The Federal Trade Commission (FTC)—the primary agency that regulates all advertising and marketing communications—has set a regulatory framework for any use of social media for advertising or marketing purposes. While there is no specific statute on point, the FTC's Testimonial and Endorsement Guides are the most significant sources of regulatory guidance. Any time an organization engages "social media influencers" on its behalf or presents testimonials, its communications are subject to the FTC Testimonial and Endorsement Guides. There are four provisions of the Guides that have gotten organizations into trouble.
- Any connection between the endorser (including bloggers or any social influencers) and the advertiser must be disclosed.
- The advertiser is responsible for making sure that those disclosures are made throughout the social media universe.
- The advertiser is also responsible for any claims made by the endorser.
- The advertiser must be able to independently substantiate claims made through testimonials.
In the last year, the FTC's views have become increasingly restrictive in three areas. The first is what constitutes an endorsement, the second is what constitutes material connection, and the third is how to disclose those connections adequately when they exist.
The increasing restrictions started with an action that the FTC brought several years ago against Ann Taylor. Ann Taylor invited bloggers to a fashion show. Those who attended received a goody bag and entry into a mystery gift card drawing worth up to $500 at Loft. Many bloggers went home and blogged about the fashion show and their reactions—but did not mention the fact that they had gotten the gifts from Ann Taylor. The FTC's position was that not mentioning the gifts was a violation of the FTC's Testimonial Guide, and it was Ann Taylor's responsibility to make sure that the bloggers made those disclosures.
The FTC brought a similar case against Hyundai, when Hyundai's media agency offered gift cards to bloggers. Hyundai was running a Super Bowl promotion, and all the bloggers were doing was generating buzz about the promotion—not even Hyundai's cars. But again, the bloggers failed to disclose receipt of the gift card. The FTC did not require Hyundai to enter into a consent decree. In this case as well as in the Ann Taylor case, the FTC did something called a closing letter which said, "we're not going to make you sign a consent order, but we're going to let the world know that you did something wrong."
The only reason the FTC did not take formal action is that the promotion had been done by an individual at the media agency, not by a Hyundai employee. In addition, both Hyundai and its social media agency had social media policies in place that prohibited what happened.
In the most extreme case, the FTC brought an action against Cole Haan for a sweepstakes promotion asking people to pin pictures of Cole Haan shoes, as well as destinations to which they would like to travel. People who pinned pictures received an entry into a sweepstakes. The FTC took the position that the mere act of pinning constituted an endorsement, and a sweepstakes entry was a "material connection that had to be disclosed." In other words, Cole Haan needed to make sure that consumers disclosed that they were pinning pictures, because they were hoping to win a prize.
FTC Testimonial and Endorsement Guides: Key Lessons Learned
These cases may seem trivial, but they teach some important lessons:
- The most common social media task can constitute an endorsement, even if the person isn't expressing an opinion or belief. For example, if a hospital asks new mothers to post pictures with their babies to show positive experiences in the neonatal unit, the mere act of posting would constitute an endorsement.
- Any incentive, no matter how nominal, could be considered material.
- Advertisers can be held liable for claims made by endorsers.
- Advertisers can be held liable for failure of endorsers to disclose material connections—such as if they received something for the endorsement.
- Advertisers must have a social media policy in place for employees and advocates. That is one of the first things the FTC will look to—and it can make the difference between a slap on the wrist and a full-blown enforcement action.
- Make sure PR agencies know the rules. Most FTC cases resulted from PR agency activities.
- Make sure to have robust monitoring procedures in place. Failure to monitor can be a violation.
NOTE: Subsequent to the webinars, the FTC released answers to questions people are asking about the Guides in the form of FAQs which may be found here. Through the FAQs, the Federal Trade Commission has taken a "deeper dive" into forms of social media promotion that were in their infancy just a few years ago. We discuss them in detail here.
Disclosures in Social Media
Many social media platforms have tight space constraints. The FTC does not accept the lack of space as an excuse for failing to make necessary disclosures—and it wants to see those disclosures as close as possible to the triggering claims. Disclosure at the bottom of a page, requiring consumers to scroll, could be a problem. The FTC does not consider scroll bars a "sufficiently effective visual cue."
The FTC also is taking a more restrictive view of hyperlinks. It's important that hyperlinks be clearly labeled, so consumers know exactly what kind of information they contain. The FTC does not like generic names for hyperlinks. Avoid hyperlinks entirely for health or safety information, as well as when information is integral to the claim.
When disclosing that an ad or post is sponsored, the common practice in social media is to use hashtag sponsor or hashtag ad. Be aware that the FTC doesn't like abbreviations like hashtag "spon." They prefer full words to ensure consumers understand—so spell out "sponsor."
User-generated content poses risks of liability for copyright infringement and trademark infringement, as well as for libel and defamation. If organizations are using people's names and likenesses, there could be a risk of privacy/publicity violations. If claims are being made, there's the added risk of false product claims. The good news is that there are ways to mitigate these risks. In addition, there are two relevant safe harbors:
- The Digital Millennium Copyright Act (DMCA), providing immunity for copyright infringement, as long as safe harbor requirements are met. DMCA requires that there is not actual knowledge the material is infringing. If something is infringing on its face, it must be taken down. In addition, there must be provisions for people to notify the organization if any material is infringing—and procedures for taking it down immediately. Finally, there can be no financial benefit from the infringing activity.
- The Communications Decency Act, providing immunity for defamation, torts, Lanham Act, privacy and publicity, as long as the organization is not a "content provider." Organizations cannot participate, in whole or in part, in creating the content or they could lose immunity. Don't modify content or provide samples or templates.
The best protection is to include strong content submission guidelines that prohibit use of third-party infringing works, third-party marks, photos or likenesses without required releases, and offensive/defamatory works.
Reusing Third-Party Social Media Content
What if an organization wants to repost or retweet a positive comment? The rules of engagement are very different when retweeting for marketing purposes than for personal reasons. Just because a platform allows sharing doesn't necessarily mean it's all right to use the content for marketing purposes.
The Big Risk: Reputational Damage
The risk of reputational damage has many potential sources. Damage can come from unauthorized employee conduct, negative conversations that consumers or others initiate, or an organization's own social media conversations that get out of control.
A good example is a recent McDonald's campaign called McDStories. McDonald's intended to receive stories about what people love about McDonald's. Instead, people hijacked the hashtag and applied it to share negative stories. McDonald's had to pull the campaign within two hours of launching—but people continued to post with the branded hashtag. Even though McDonald's pulled down the campaign, it couldn't stop the conversation.
McDonald's provides a cautionary tale. Be sure to think through a hashtag before launching—and understand its potential to go viral. Realize that once a brand launches the campaign, the audience controls it.
The risk of reputational damage in the healthcare industry is perhaps even higher than others. In the healthcare environment, it can be harder to defend against negative comments because of concerns about violating confidential information or someone's rights of privacy or publicity. To mitigate risk, have a strong social media policy in place, train staff thoroughly, moderate and monitor conversations, and create a risk management team.
A Guide to Effective Social Media Policies
To be effective, social media policies should be directed both to social influencers and employees. In addition, they should be simple and written in clear, understandable language. They also should include a set of key elements, including:
- Who can access social media from an organization's network.
- Instructions on proper activations of network settings.
- Inappropriate uses of social media on an organization's network and personal social media sites.
- Examples of inappropriate conduct. This is particularly important for healthcare organizations, because it may not be obvious what constitutes protected healthcare information (PHI).
- Prohibitions against disclosing confidential information.
- Risks of copyright/trademark and other intellectual property violations.
- Prohibitions against defamatory or harassing conduct.
- Consequences of inappropriate use.
- Incorporation of privacy and other conduct policies.
- Responsibilities of employees on their social media sites.
- Notification that employees are at personal risk for civil liability.
When crafting policies, it's important to balance restrictions on employees' social media activities against National Labor Relations Board (NLRB) considerations. The NLRB has taken action against companies whose social media policies have been so broad that they could have theoretically prohibited employees from talking about working conditions or wages.
In addition to strong policies, implement a comprehensive training program to be sure employees fully understand all requirements, prohibitions and consequences. Consider a "certification" program for those authorized to use social media on behalf of the organization. Finally, remember to monitor conversations and engage moderators to review content prior to posting.
An On-Call Crisis Management Team
A crisis management team should be on call, if unexpected problems arise. There are four keys to effective crisis management:
- Always be credible, honest and transparent. Often the cover-up is worse than the crime. Return phone calls, and insist on a free flow of accurate information.
- Do no harm. Admit mistakes quickly—and be careful about undertaking any action that might create legal exposure.
- Disclose, disclose, disclose, and always get—and stay—ahead of the news. It's better for organizations to put bad news out themselves.
- Keep the organization's head held high. Social media problems happen every day. In most cases, the companies haven't done anything wrong. State the facts and move forward.
Social media is a core communication tool for organizations today. It poses exciting opportunities to participate in meaningful conversations with your audiences. Particularly in healthcare, it also can present significant risks. Make sure to have clear social media policies and training programs in place and work closely with counsel and an experienced crisis management team to ensure a full understanding of any potential legal or reputational pitfalls and how to avoid them.