Posted 1/03/11 on HealthBlawg
I have been asked recently to write up some of the core takeaways from the health care social media presentations I have been giving recently, so I am sharing a version of this narrative in two parts. Check back soon for Part II.
“Why do you rob banks?”
“That’s where the money is.”
The legendary bank robber Willie Sutton, when asked, gave this straightforward response explaining his motivation. A similar motivation may be ascribed to the early adopters among health care providers who have established beachheads on various social media properties on line. Why be active in on line social networks? That’s where the people are: patients, caregivers, potential collaborators and referral sources, like many, many other people, are using social media more and more. Facebook has become nearly ubiquitous, and its user base is growing not only among the younger set, but also among the older set, who are signing up so they can see pictures of their grandkids. In today’s wired society, on line social networking is the new word of mouth. Word-of-mouth referrals, personal recommendations, have always been prized; we have simply moved many of those conversations on line.
Over half of Americans rely on the internet when looking for health care information. Many on line searches are conducted on behalf of another person. Most people expect their health care providers to be on line, providing trustworthy information – and the day of the static website has passed. In addition, a growing subset of the population is comprised of “e-patients” – the “e” stands for educated, engaged and empowered – who seek out health care providers prepared to engage with them both in person and on line.
Only about twenty percent of U.S. hospitals have a social media presence, and likely a similar proportion of other health care providers. Thus, while some health care providers have been using social media for years, there is still an opportunity to reap the benefits of being an early adopter. Whether or not a provider is on line, others are likely discussing that provider – on review sites, on Facebook, even on Twitter – so whether or not one establishes a social media presence, it is imperative to establish a listening post to keep abreast of what is already being posted on line – complaints, recommendations and other information will come to light, and steps may be taken in the real world to ameliorate situations giving rise to complaints and to capitalize on praise and referrals.
Finally, health care reform is pushing health care providers into social media. The Meaningful Use regulations will soon require that providers seeking incentive payments for adoption of electronic health records must make greater use of personal health record portals, and programs like the Medicare Shared Savings Program, or Accountable Care Organization program, require patient-centeredness and patient engagement, which in this day and age require the use of online social tools.
With all of these motivating factors, why are health care providers reticent, and slow to adopt the use of social media tools? There are numerous legal and regulatory issues triggered by the use of social media and some health care providers are put off by the perception of the risk involved. However, there are legal and regulatory risks (and attendant market and business risks) to the decision to remain uninvolved.
The key issues for consideration include the following:
- Privacy and security rules, under HIPAA as well as other federal and state laws, and the ever-diminishing ability to fully de-identify protected health information
- Professional responsibility codes, including both professional society codes of ethics and state regulations promulgated by boards of registration in medicine
- Malpractice liability for professional advice rendered via social media
- Issues raised by daily deal sites such as Groupon and Living Social, including anti-kickback, fee-splitting, insurance contracts, state insurance laws and gift certificate laws
- Liability under Federal Trade Commission rules for failure to disclose a financial relationship in conjunction with an online rating, review or other commentary
- Trouble with the National Labor Relations Board if employee discussion of working conditions in unreasonably limited (even in non-union shops)
If not managed appropriately, it is clear that these issues may lead to significant liabilities, ranging from civil and administrative fines, to negative publicity, to private lawsuits predicated on HIPAA or state law violations. (Even though HIPAA does not provide for third-party liability some state laws do, and creative lawsuits may seek to bootstrap private liability on a HIPAA violation as well.)
However, it is possible to manage all of these issues through the development of comprehensive social media policies – both outward-facing (i.e., to patients and the general public) and inward-facing (i.e., to physicians, other clinicians, and other staff) that are tailored to a specific medical practice or other health care organization. The policies themselves must be tailored to local conditions, because each practice, each health care organization is at a slightly different point on its own health care social media journey, its comfort level with social media tools, and its thoughts about how to use these tools, and to what end.
Here is further detail about several of the key categories of legal issues identified above:
HIPAA and other privacy concerns
Privacy concerns arising from HIPAA and state privacy laws start from the proposition that only a patient has the right to authorize the release of his or her own private health information. Thus, while an individual patient is free to blog about her medical condition or experience with the health care system without implicating HIPAA or other privacy rules, provider-generated social media content with identifiable patient information used without consent would raise red flags. Provider discussions of cases on social media should follow the “elevator rule” or the “coffee shop rule” – If you wouldn’t say it in a crowded elevator or coffee shop, don’t post it online.
As one emergency room physician recently learned the hard way (she was dismissed by her employer and sanctioned by her state medical board), even a de-identified Facebook post about a patient may easily be re-identified using information from third-party sources. The HIPAA rules list eighteen categories of identifying information that must be stripped from a record or patient story in order for it to be considered de-identified. Number eighteen is, essentially, anything else that may be used to re-identify the de-identified information. Since we are, collectively, doubling the amount of information posted online on a regular basis, that which is de-identified today may well be easily re-dentified tomorrow.
Thus, the best practice would be to write about composite/fictionalized patients, or simply get patient consent. Providers may wish to rewrite their HIPAA NPPs (notice of privacy practices) to include some level of consent to communication with or about a patient on Facebook, for example, if that is something that would make sense, and that might happen on a regular basis.
Other disclosures made inadvertently may lead to difficulties as well. For example:
- A cell phone photo taken in a hospital emergency room of a friend proudly displaying a newly-stitched wound may inadvertently capture the image of another patient in the background. That post may be a HIPAA violation attributable to the hospital, even if it did not post the photo.
- An employee of a public hospital tweets her displeasure in seeing a clinic staffed up for the convenience of a political figure seeking service off-hours. Her public sharing of identifiable health information led to her being fired.
- Positive test results posted by a patient on Facebook might invite response on a human level, but the response must be more measured. For example, if a patient posts on a hospital Facebook wall after getting some good test results, “I’m cancer free one year later,” hospital staff can’t post much more than “Congrats; everyone should check out our cancer center’s web page.” Even in a situation like this, where the patient self-identifies first, there is no consent to unlimited public discussion of his condition.