Document Category:
State: New Mexico
Subject Matter: Social Media Check List
Document Title:

Source: Fierce Healthcare

Social media and patient privacy lessons ripped from the headlines

October 12, 2012 | By Karen Cheung-Larivee

You can’t make this stuff up. Sometimes, the greatest lessons come straight from the headlines.

FierceHealthcare readers often write in with questions about patient privacy in the evolving world of social media. That includes our Fierce editors, who have questions of their own about the increasingly gray areas of what’s right and legal.

With that in mind, FierceHealthcare examined what hospitals are doing to ensure patient information stays safe, especially as they and their patients use social media even more.

Notorious cases of patient privacy violations via social media

Remember these scandals in recent history?

> A certified nursing assistant at Kindred Transitional Care and Rehabilitation in Indiana took a photo of a paraplegic’s butt after he had a bowel movement and posted it to Facebook in May 2011, telling her coworker, "This is too funny. I need to take a picture of this," RTV6, an ABC affiliate, previously reported. The medical facility fired her, and the nursing assistant faced a voyeurism charge.

> A physician at Westerly Hospital in Rhode Island recounted her emergency room experiences on Facebook in April 2011. Although the doctor didn’t include the patient’s name, she included enough detail about the patient’s injuries that a third party was able to identify the patient. The incident led to a guilty charge of unprofessional conduct and a $500 fine by the state medical board.

> Emergency nurses and staff from St. Mary’s Medical Center in California posted a photo on Facebook of a stab victim, who died soon after the photo was taken, the Los Angeles Times reported in April 2010. Coworkers, as required, reported the event. The involved staff members were fired or disciplined, the Associated Press reported.

> Hospital employees at Tri City Medical Center in California in June 2010 allegedly used Facebook to discuss patients. Six registered nurses at the hospital were put on administrative leave, North County Times reported.

> At Providence Holy Cross Medical Center in California, an employee in December 2011 posted a picture of a patient’s medical record on his Facebook account, apparently to make fun of the woman, according to the Daily News of Los Angeles. He wrote, "Funny, but this patient came in to cure her VD and get birth control." When others scolded the employee, he responded, "People, it’s just Facebook. … It’s just a name out of millions and millions of names. If some people can’t appreciate my humor, then tough. And if you don’t like it, too bad because it’s my wall, and I’ll post what I want to."


Who’s responsible to protect health information under HIPAA and HITECH?

One of the biggest lessons from recent cases is that patient information can be very broad.

The Health Insurance Portability and Accountability Act of 1996, better known as HIPAA, and the Health Information Technology for Economic and Clinical Health (HITECH) Act are patient privacy rules under which covered entities must secure protected health information (PHI).

What’s PHI? "Basically anything used to identify a patient," Tatiana Melnik, an associate at Dickinson Wright in Ann Arbor, Mich., told FierceHealthcare. PHI can be patient names, photos of their faces or even tattoos, as well as medical conditions or location.

And who’s responsible for protecting that information? "Covered entities," which can be hospitals, physicians, nurses, health plans or business partners that handle PHI.

"People don’t seem to understand that posting that kind of information is, in fact, a breach because they think ‘I’m one of millions. It’s very difficult to find out where I am,’ where in fact, that’s not the case," Melnik noted. "It’s much easier than people think to find out who someone is."

And there are some rogue employees. "Sometimes, the person knows it’s wrong, and they’re doing it anyway," Melnik noted.

Good intentions can spell trouble

Even well-intentioned providers may inadvertently violate HIPAA and HITECH. For instance, if a care coordinator who is friends with a patient on Facebook notices that her patient lost some weight and congratulates her by commenting, "I hope your diabetes has improved" without the patient mentioning her condition first, that could be a breach.

"That kind of thing, it’s very easy to make because you think you’re being friendly, and there’s no malice intended … but it’s still a breach," Melnik said. She added that a best practice is for providers to avoid "friending" patients, although she acknowledged that’s harder to do in smaller communities.

One of the most common social media fumbles is patients posting about other patients. Although it’s not a breach of HIPAA or HITECH (because patients aren’t considered "covered entities"), the hospital still has a responsibility under state law to protect patients.

For instance, if a patient wants to compliment his nurse by posting a photo, the picture could have the name of another patient’s medication in the background. Remind patients that photography must go through the public relations department. Also consider posting no-cellphone notices in the hospital.




Document Author: Phyllis Patrick
Firm/Company: Phyllis Patrick & Associates LLC
Document Date: October 1, 2012
Search Tags: twitter facebook email posts social media
File Attachments: