HIPAA - those are five letters that keep healthcare compliance and risk officers awake at night.
As we've explored before, a business of any size is going to be challenged to stay on top of its social footprint. When we've run social presence audits for hospital networks, we usually find a multitude of social media "points of presence" including those for the corporate brand, individual hospitals, specialty centers, departments, programs, campaigns, doctors, nurses and even the gift shop!
Now add to that the "place" pages where people can check-in and leave comments and it's no wonder a compliance officer can feel like Captain James T. Kirk battling tribbles on the Enterprise. The social footprint of any hospital system is a large and ever-growing universe with each account a potential doorway to a HIPAA violation.
Businesses are Already Behind
By 2011 the utilization of social media by physicians was already quite high according to the QuantiaMD study:
Nearly 90% of physicians use at least one site for personal use, and over 65% for professional purposes. Overall, clinicians express significant interest in the potential applications of social media to their professions – whether via online physician communities, online patient communities or sites that could facilitate physician-patient interactions.
Even though HIPAA violations can result in fines up to $250,000 and a possible prison sentence, it hasn't kept them at bay. The law firm, Green and Associates, which has a specialization in healthcare, has highlighted a few:
- A nurse who posted a patient's picture and chart on his Facebook page because he thought it was "funny" and since it was "only Facebook," there was no real harm in it.
- A doctor who treated a patient over Twitter.
- Emergency room personnel who posted pictures on the Internet of a man being treated for fatal knife wounds.
- A doctor who asked a patient on a date after seeing her profile on a dating website.
- A Rhode Island doctor was fired from the hospital and reprimanded by the Medical Board after she posted on her Facebook page about a long day at work. She never referred to the patient's name but gave out enough details about the injuries to allow others to guess who it was.
Employers are Liable
As attorneys Nancy L. Perkins and Adriane R. Theis, of the Washington, D.C., law firm Arnold & Porter LLP write the risk can extend to the employer:
Because an employer is liable for the conduct of its employees when the employees are acting within the scope of their employment, the employer could be held liable for an employee’s disclosure of another person’s health information on a social networking site.
So what is a healthcare business to do in such a leaky and noisy world where anyone can create a presence and post problematic content?
A Prescription for Prevention
The good news is that the problem is manageable. Here are five (5) steps which will go a long ways to reducing your risk:
Step 1: Create a social media policy
Your first line of defense is having a reasonable and practicable social media policy. There are plenty of law firms and consultancy firms who can help craft a policy. I will offer that a "no social media" policy is neither realistic nor likely to be effective in the long run. The horses are already out of the barn and the best solution is to figure out how to manage them on the range, not get them back in the barn and then keep them there.
Step 2: Distribute and have employees acknowledge receipt of your policy
Having a policy is only good if your employees, consultants, agents, etc. know about it, have read it and have incorporated it into their professional and personal behavior. We recommend utilizing a system which will notify your employees of the new policy and have them acknowledge that they have not only received but read the policy. Remember this: a policy sitting on a shelf that nobody reads isn't much of a policy.
Note that I said "and personal behavior." If it hasn't become clear by now, social media is blurring the lines between personal and professional life like never before. As evidenced from the items listed above, accounts and actions that one may consider personal can easily lead to HIPAA violations. When an employee has an account and says on his or her profile "I work for XYZ" or uses that account to log-in to a service for work (e.g. think Google Accounts, Google+, YouTube, etc.), then you can see how blurry the boundaries can be.
Step 3: Train your employees
Whether you like it or not, we are living in a social world. When a social network has more members than all but two of the world's countries, we've already passed a tipping point. Your employees are on social media and in many cases they are either directly or indirectly associated with your business. Managing social media is more than deploying some tools and assigning a team of interns to keep your content fresh. It means adapting your business to the cultural shift that social media requires and training is a fundamental part of that transformation.
Read Only the Paranoid Survive – Social Business Inflection Point and consider engaging companies like W20 Group and WCG, both which specialize in healthcare, to help counsel you through this transition.
Step 4: Audit your footprint
Next, it's vital your business knows where its vulnerabilities are. As I said above, every point of social media presence is a potential doorway to a HIPAA violation. Before you can lock or alarm those doorways, you have to know where they are. You can try to keep track of it with paper forms, email and spreadsheets but we have yet to find such a system that wasn't incomplete and prone to errors. To properly protect your enterprise, you need an automated system that can help you discover, manage, and monitor your footprint and continue to patrol for new "intrusions."
Step 5: Listen and Respond
Finally, consider augmenting your presence monitoring with a content-listening platform. An audit can identify the accounts you need to watch but a good listening system can help you focus your attention on those "points of presence" which need your attention before they turn into real problems. There are both general-purpose and specialized systems which your enterprise can deploy but a good system will enable you to look for language specific to your industry. I've mentioned Salesforce's Radian6 before and another listening system worth considering is from Sysomos.
In the classic "belts and suspenders" protection analogy, the belts are your policy and accompanying training and the listening systems are your suspenders. Its your social media auditing and inventory system that helps you tie it all together.
