Walking the Social Media Tightrope: Understanding the Risks That Surround Social Media
BY BARRY S. HERRIN, FACHE, ESQ., AND PATRICIA A. MARKUS, ESQ., SMITH MOORE LEATHERWOOD, LLP
Walking a Fine Line
Over the past few years, widespread use of numerous forms of social media for both personal and professional reasons has exploded. No industry, including health care, has been left out of this radical change in the way people communicate. Due to concerns about maintaining patient privacy, however, learning how to practice safe social media is particularly important for health care providers. Although providers don't want to be known for having a poor bedside manner, certain social pleasantries with patients and their families that are appropriate when conducted in person should not be extended into the online world of social media if providers wish to avoid inappropriate disclosure of their patients' protected health information (PHI).
The Big Idea Behind Facebook and Other Social Media Sites
Facebook now has over five hundred million users and the number increases daily. It is the most visited site on the Internet, and the average Facebook user has 130 friends. Each month, the site accumulates more than twenty billion bits of information and three billion photos.
The reason Facebook and other social media sites work without creating constant invasions of personal privacy is the "gifting theory." That is, participants consensually contribute their social and personal data to a social media electronic storage system, and the sites thereby avoid claims of a breach of privacy. The recent clamor over automatic photo tagging (an explicit breach of the gifting theory) proves that even the most avid Facebookers want to control when their names and images are linked in cyberspace by others. However, despite such technological speed bumps, social networking provides a radically transparent Internet experience where nothing appears to be confidential. But to health care providers, such appearances are deceiving and can be dangerous.
PHI and HIPAA
Health care providers have a continuing obligation to protect PHI both during and following treatment of a patient (and, according to recent regulations, for 50 years after a patient's death). Providers must understand that this obligation is not negated by a patient's own disclosure of her condition to an online audience through any media available, even if details about and photos of the condition (or of a health care provider) are included in the disclosure.
The HIPAA Privacy Rule provides a variety of protections for PHI that is held by covered entities and gives patients an array of rights with respect to their PHI. At the same time, the Privacy Rule is balanced so that it permits the disclosure of PHI needed to provide patient care, to obtain payment for that care, and for other important purposes. However, releases to social media sites are not among these permitted purposes; no information about a patient's treatment that can be used to identify the patient may be disclosed through social media without the patient's written authorization permitting the disclosure.
Business Use of Social Media Sites: Caution Still Needed
Health care providers, like other businesses, are increasingly establishing online presences by setting up websites, Facebook pages, Twitter and LinkedIn accounts, and the like. However, when a health care provider with a social media profile and a patient "friend" or "connect" with one another, there are special privacy concerns to consider. Depending on the social media platform used and the security of the application, the public at large may be able to determine the identity of the provider's online friends or contacts and reasonably could infer that a friend or contact is in fact a patient of the provider. This inference may create a violation of a person's privacy rights, and the risk is heightened if the provider offers treatment for sensitive medical conditions. This is because the mere existence of a physician-patient relationship can itself be considered PHI; as a result of a voluntary post by either the provider or the patient regarding the other, inferences may be drawn about whether the patient is receiving or has received such sensitive treatments (for example, treatment relating to abortion, impotence, cancer, substance abuse, or mental health issues).
Patient Blogs
Voluntary blogging by patients often includes details of medical conditions and treatments. Examples of commonly used blogs include www.caringbridge.com and www.carepages.com. A naïve health care provider may assume that by posting on these blogs, a patient is waiving her right to have her provider safeguard the privacy of her PHI, since the patient is freely discussing details about her health condition and sometimes about her interaction with her providers. However, if a provider comments on a blog post and discusses a particular condition or procedure of which he has knowledge or in which he has been involved, then unless the provider has obtained the patient's written authorization to reveal this information, the provider's online response violates the patient's privacy rights under HIPAA, and it may also violate the patient's rights under other state laws that address confidential health information.
In addition, health care providers sometimes determine that it may be beneficial for their patients to be involved in the extended care communities that these blogs facilitate. However, patients who use these sites or engage in other online blogging where they freely discuss their medical condition and treatment may not understand or appreciate the potential for unauthorized disclosure to which their posts on such blogs are subject. Accordingly, a provider who offers links to any such blogs from its website should notify patients about the potential for any information patients share on such blogs to be further used and disclosed. The provider also should include a clear message on its website that it does not endorse the blogs.
Finally, a practice or provider may feel the desire to respond to certain negative comments or patient allegations on a blog with "the rest of the story." Doing so typically would involve the provider's disclosure of PHI. If a patient is truly making defamatory statements over the Internet, a provider should not compound the problem by disclosing the patient's PHI in response, even if the provider is legitimately defending himself or herself. Instead, the provider should consider terminating the patient relationship in an appropriate fashion and evaluate other legal options by which he or she may address the negative or defamatory comments or allegations.
Avoid Violations
Providers should avoid violating a patient's privacy rights when participating in social media by, at a minimum, requiring potential online patient/friends to agree to a written statement indicating that they have read an online disclosure BEFORE an online friendship can be started. In addition, a provider must not comment online about a patient without the patient's express written authorization to do so.
HIPAA and other privacy violations arising from social networking with patients are inevitable unless health care providers manage patients' privacy expectations, implement and enforce detailed social networking policies, and clearly integrate those policies with their human resources disciplinary policies.
Implement Appropriate Policies Regarding Social Networking
The Human Resources staff of health care providers must create and follow policies regarding the use of e-mail, laptops, and handheld devices to transmit or store patients' PHI. Company policies should address topics including the definition of social networking. It should be clear to employees that, absent specific approved workplace uses, social networking will be seen as "social notworking" and that the company will not tolerate the adverse effect of such unapproved networking on productivity.
Employees also must be clearly advised that computer activity may be viewed and monitored without their consent, and that employees have no right to privacy in their online activities conducted on their work computers, cell phones, or other company-owned devices. Employees also should be warned that when they engage in social networking outside of work, they may not disclose information they learned about patients on the job, and that violations of any company policies relating to social media will result in appropriate disciplinary action.
Today we are using our grandchildren's technology but living with our grandparents' legal system. Online social media have created a host of new legal issues that the judiciary has not yet addressed, and legal complaints relating to the use or misuse of social media are being resolved under laws that predate the networked world. To avoid becoming a legal test case, health care providers must understand the consequences of their own, and their employees', online interactions and take appropriate precautions to ensure that they and their staff do not violate the privacy rights of their patients.
To learn more about the dos and don'ts of social media for health care providers, please attend one of Medical Mutual's upcoming webinars on this topic.
Barry Herrin is a partner in the firm's Atlanta office. His practice is devoted primarily to health care and hospital law and policy, privacy law, and representation of tax-exempt organizations, with a particular emphasis in operational and governance issues, transactional matters, mergers and acquisitions, health information management issues, and compliance matters.
Barry is a frequent lecturer on medical records confidentiality matters and counsels clients regularly on HIPAA compliance. He has particularized knowledge in several unusual health care legal matters, such as involuntary sterilization, court-ordered medical procedures, "right to die" issues, physician-assisted suicide, and restrictive covenants, among others. He also edits the firm's e-newsletter, Legal HIMformation®.
Barry is a Fellow of the American College of Healthcare Executives, a Candidate for Fellowship in the American Health Information Management Association, and a certified wilderness first responder.
Trish Markus is a partner with Smith Moore Leatherwood, LLP, where she handles health care regulatory and patient care matters for physicians, hospitals, and other health care providers. She has advised North Carolina's oldest regional health information organization on HIPAA privacy and security issues and regularly consults with health care providers about adoption of electronic health records and participation in community health information exchange initiatives. She served as the co-chair of the Legal Work Group for the North Carolina Health Information Security and Privacy Collaboration Project, which from 2006 through 2009 recommended legislative and policy solutions designed to increase the exchange of electronic health information among North Carolina and other states' health care industry stakeholders while maintaining appropriate privacy and security protections for such information.
Trish advises clients and speaks frequently on a broad array of regulatory and operational issues, including HIPAA privacy and security compliance, HITECH Act breach notification and identity theft issues, meaningful use of health information technology, health information exchange issues, Stark and the Anti-Kickback Statute, recovery audit contractors and revenue integrity issues, false claims, medical staff issues, physician recruitment, joint ventures, and restrictive covenants and other employment-related issues.