Many healthcare
organizations are looking for innovative ways to use social media to improve patient
care and communications. But first, they must take some essential steps to
address the risks involved.
Here are three steps to take
to minimize social media risks - and avoid the publicity that comes with
missteps.
1. Define types of
information never to be posted to social media sites.
One problem that I've heard
over and over is that those who inappropriately posted information, images,
comments, etc., to social media sites did not think the information was patient
information, or that it was not protected by HIPAA.
Take the case from the first
example above. The doctor posting the images and unflattering remarks to
Facebook and Instagram was a physician from that hospital who was asked to be
present but was not the attending physician. He was also an acquaintance of the
patient. There was speculation that he felt the images were not protected health
information since he was taking them as a friend and not as the primary
physician.
All personnel must clearly
understand the types of information that are considered to be PHI. They must
understand that PHI remains PHI even if the employees think they can use it in
other ways as friends or family. They must also realize that protections for
PHI are still required even if the patients or insureds have posted similar
information or images online themselves.
Suggested Actions:
- Clearly define and document the PHI
collected, stored, processed or otherwise accessed within your
organization;
- Explain to employees that the PHI must
never be posted to social media sites without the clear and documented
consent of the associated individuals, following the policies and procedures
that you create;
- Provide real-life examples to reinforce
understanding.
2. Establish clear and
comprehensive policies
Given the exponential growth
in social media use, and the increasing numbers of breaches resulting from
inappropriate posts to social media sites, every covered entity and business
associate needs to have a documented social media policy, with supporting
procedures. The policies and procedures need to include clear direction on what
is appropriate and inappropriate to post to social media sites.
Suggested Actions:
- Meet with key stakeholders to determine
the actions that are acceptable and not acceptable, based upon associated
risks, with regard to posting information and images to social media
sites;
- Be sure to clearly indicate that even
when employees are away from work or using their own personally owned
computing devices, PHI must never be inappropriately posted online;
- Give an individual or team
responsibility for monitoring social media policy compliance.
3. Provide training and
ongoing awareness communications.
In many, perhaps most, of
the incidents involving inappropriate posting of patient information on social
media sites, those doing the posting stated they didn't think they had done
anything against their organization's policies - or that they didn't have any
social media policies. Most organizations do not provide regular training on
their policies, or the training they provide is ineffective. And they don't
send regular reminders to keep employees aware. Providing effective social
media training and ongoing awareness reminders is an essential step toward
preventing social media breaches.
Suggested Actions:
- Create social media training to support
your policies and procedures. Or, use existing training that aligns with
your policies. I've found classroom training or online live webinar
training works best because these approaches allow for interaction and
questions.
- Create and use case studies for
interactive discussion to see how learners would react to different types
of situations involving social media.
- Send ongoing awareness communications to
remind personnel of appropriate uses of social media and policies on
posting PHI or other types of personal information.