HIMSS: How vulnerable does social media make you?

LAS VEGAS—As providers use social media more and more, there are certain legal liabilities that they need to consider. However, a well-defined policy may help clarify for hospital employees what is permitted facility-wide, according to a Feb. 22 presentation at the 2012 Healthcare Information and Management Systems Society (HIMSS) conference.

Despite some resistance, there are definitely more and more providers utilizing social media networks. As of October 2011, hospitals sharing information accounted for:

• 575 YouTube channels (compared with 398 in August 2010);
• 1,068 Facebook pages (compared with 631 in August 2010);
• 814 Twitter accounts (compared with 634 in August 2010); and
• 149 blogs (compared with 87 in August 2010).

“Social media resources are good for patients because they can stay informed, have more control over their own healthcare and learn from actual experts,” said co-presenter Tatiana Melnik, JD, an attorney at Dickinson Wright in Detroit. As another positive, she added that it’s an efficient, instant and low-cost means of communication. 

However, with social media problems usually arise among healthcare personnel when those participating blur the lines between the professional and the personal, according to Melnik. "Oftentimes, people do not consider the potential impact of their communications,” which she defines as “ignorance not bliss.” She adds that the other problem is “personal opinion versus professional advice. Once you send, you can’t unsend.”

There already have been several state lawsuits due to the exposure of personal health information (PHI) through social media forums. For example, a Rhode Island physician was fired for posting information about a patient on her personal Facebook page—not the patient’s name, but the physician was reprimanded by the Rhode Island Medical Board for “unprofessional conduct.” In Iowa, a nurse was fired for using Facebook to exchange information about a patient with another health professional without consent—not the patient’s name. In California, ER nurses posted a photo of dying patient on Facebook pages. 

To counteract these disaster cases, co-presenter Brian Balow, JD, an attorney at Dickinson Wright, recommended that providers establish a social media policy, in order:

• To protect your patients' rights;

• To instill professionalism throughout your enterprise;
• To protect your organization from liability; and
• To protect your employees from liability.

“If the organization does not know that employees are posting PHI,” said Balow, “but knows of the popularity of social networking websites and that its employees use such websites, it could be characterized as ‘willful neglect’ if no policies and procedures are in place, according to proposed HIPAA changes.” Under the HIPAA proposed rule, the U.S. Department of Health and Human Services is focused more on organizations that lack policies and procedures, he said. 

To use the "rogue employee" defense, providers can protect themselves from “liability to the extent that the conduct occurred in spite of and contrary to reasonable safeguards, including documented training,” said Balow. However, he pointed that this defense will not work if a provider “cannot demonstrate a strict policy or training structure designed to prevent the ‘rogue’ conduct.”

In formulating a social media policy, Balow recommended that providers focus on what employees can do, including:

• Be transparent and authentic.
• Be responsible for what you write.
• Protect PHI and proprietary information.
• Use common sense and common courtesy.
• Think twice before you hit post! 

However, he noted the most important aspect of a policy is that employees must be aware of it, and the ramifications of violations.

In their closing remarks, Melnick and Balow summed that while social media will undoubtedly become more of a part of most healthcare settings, providers will need to establish policies to protect themselves from liabilities.