For a PDF version of the article click here
M.D. Update November 2010
By Lisa English Hinkle
With Contributions by Molly Nicol Lewis and Gina M. Rawlins
Facebook reports that over 500 million individuals are users, and half of them log onto Facebook on any given day. 1 Twitter reports 145 million users worldwide 2 and has become such a part of modern culture that the Library of Congress, "the 210-year-old guardian of modern knowledge and cultural history," that "tweets" now constitutes part of "the universal body of human knowledge." 3
The prevalence and growth in social networking sites is phenomenal. Any employer that uses the Internet in its day-to-day business should expect that its employees are accessing social networking sites, probably on a daily basis, if not more often. For health care providers and physicians, employees who link up on social media outlets have the potential to create disaster.
Without clear guidelines for employee use of the internet, physician practices may leave themselves exposed to abuse, public embarrassment, and potential liability. In addition, internet blogging and posting permits consumers as well as disgruntled employees to publish personal opinions about their physicians that are often uneducated, misinformed, and untrustworthy. And, physicians have no real way to respond to derogatory comments as a result of HIPPA prohibitions. 4
What is social media?
According to the Federal Trade Commission, social media is information that is disseminated through highly accessible publishing techniques that transform people from content consumers into content producers. 5 Examples of social media include Facebook, MySpace, Topix, Twitter, YouTube, blogs, and emails. In addition to internet media, smart phones with texting or emailing capability, and cell-based cameras are tools that make accessing social media easy.
What are the risks of employees' social networking?
While all employers should be concerned about breaches in confidentiality by employees on the internet, health care providers face far more liability when their physicians, nurses, aides, or administrative employees divulge confidential information. HIPAA restricts a covered entity from disclosing protected health information that is individually identifiable health information is so broadly cast that almost any information about a patient that relates to a health condition or to payment for health care is considered protected. Social networking seems to have blurred the lines of privacy by adding an element of perceived anonymity. Individuals seem to believe that if names are not disclosed, then the information as well as who has posted it, is anonymous. For example, two nurses in Wisconsin took cellphone photos of an x-ray that revealed a sex device lodged in a patient's rectum and then posted the x-rays on Facebook. 6 While the patient's name was not disclosed on the x-ray, this information was considered protected an identifiable. In another example, a nursing student was expelled from the University of Louisville after posting statements about her patients on her person MySpace blog. In one post, the student discussed a patient who attempted suicide, saying the patient was "sucking on some valuable nurse's aide time around the clock, so they can sit there and listen to some more of her 'boohoo poor me'." 7 A recent study among medical and nursing students further demonstrates this worrisome trend among pre-professionals who will have special duties of confidentiality. Sixty percent of medical and nursing students were found to have made unprofessional postings online that violate patient confidentiality, contain discriminatory language, and present inappropriate sexual references, as published in the Journal of American Medical Association. 8
Writing about patients or posting health information like X-rays on the Internet, even if done anonymously, constitutes violations of patient privacy. Because cellphones and cameras are so easy to use with their own interface applications for Facebook and other social sites, employees can transmit patient information with a click of the mouse or a push of button without reflection on whether it is proper.
The penalties for privacy breaches have been strengthened by HITECH, 9 as recent regulations have implemented new notification requirements and enhanced civil and criminal penalties. In addition, most states also have identity theft and other data security laws that should be considered when confidential health information is disclosed. Patients have sued providers under state law privacy torts including public disclosure of private facts. Healthcare employers face several avenues of liability for their employees' disclosure of confidential patient information.
What should a physician practice do?
Whether large of small, physician practices and other health care providers should develop a clear and concise social media policy. While an employer's first thought may be to prohibit social media use in the office, a total ban has been suggested to limit the use of innovative new technologies, hamstring employers into making personnel decisions that would not otherwise be made, and create liability for employers who violate labor and employment regulations based on internet usage policies and monitoring activities.
Social media communication can be an effective marketing tool and an inexpensive way to disseminate important information quickly. Employees who use social media properly can be ambassadors for a practice. Importantly, a social media policy, if followed, will help protect both a physician practice and its employees from criminal actions, investigations, public relations issues, and lawsuits for HIPPA violations, defamation, slander, libel, privacy torts, and harassment.
GUIDELINES FOR A WORKPLACE SOCIAL MEDIA POLICY
- Educate employees about practice culture and values.
- Set reasonable expectations about employee privacy:
- Confirm that computers are provided for work purposes only and that the practice has the right to review any information created or transmitted through company computers including emails, information downloaded, and websites visited.
- If personal use is allowed, specify the type of use such as checking personal email or handling personal business.
- Confirm that employees are responsible for the content of texting and internet postings made outside the workplace. Employee postings should not violate HIPPA Privacy Policies, Code of Ethics, anti-harassment policies, or other practice policies. Also, the employee should be cautioned about making postings that could harm the reputation of the employer.
- Prohibit the use of cellphones and cameras in the workplace or in patient areas, or in areas where patient information is stored.
- Reinforce the special importance of confidentiality for health care providers.
Lisa English Hinkle is a partner of McBrayer, McGinnis, Leslie & Kirkland PLLC. Ms. Hinkle concentrates her practice area in the healthcare law and is located in the firm's Lexington office. She can be reached at firstname.lastname@example.org or 859-231-8780. This article is intended as a summary of newly enacted federal law and does not constitute legal advice.
- Facebook Press Room Facebook Factsheet, http://www.facebook.com/press/info.php/statistics (last visited November 5, 2010).
- Twitter now has 1145 million users after growth spurt, The Tech Chronicles, http://www.sfgate.com (last visited November 5, 2010).
- Steve Lohr, Library of Congress will save tweets, The New York Times, Apr. 14, 2010, http://nytimes.com/2010/04/15/technology/15twitter.html
- The Health Insurance Portability and Accountability Act of 1996 ("HIPPA") (December 28, 2006 codified in 45 CFR Parts 160 and 164).
- The Fair and Accurate Credit Transaction Act of 2003 (FACTA) added new sections to the federal Fair Credit Reporting Act (FCRA, 15 U.S.C. 1681 et seq.), intended primarily to help consumers fight the growing crime of identity theft. Accuracy, privacy, limits on information sharing, and new consumer right to disclosure are included in the FACTA. (Pub. L. 108-159, 111 Stat. 1952).
- Nurses Fired Over Cell Phone Photos of Patient, WISN 12 News, Feb. 25, 2009, http://www.wisn.com/news/18796315/detail.html (last visited November 5, 2010)
- Judge Orders U. of Louisville Nursing student Reinstated, The Chronicle of Higher Education, August 3, 2009.
- Katherine C. Chretien, MD; S. Ryan Greysen, MD, MA; Jean-Paul Chretien, MD, PhD; Terry Kind, MD, MPH, Online Posting of Unprofessional Content by Medical Students, JAMA 2009; 302 (12): 1309-1315.
- The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information and technology.