HIPAA is a common term in hospitals. If your hospital or health system is like ours, you spend a lot of time training, reminding and testing all employees on what is covered by HIPAA laws. For the most part, I believe employees understand the law and what they need to do to protect our patients and their privacy. Hospital employees sign agreements and promise to uphold their end of the deal, realizing there will be consequences if there are violations.
But for some strange reason, when it comes to social networks, employees seem to forget they are bound by those same regulations. There have been numerous reports of breaches of patient privacy through social media outlets lately. Just this week, the LA Times story reported that staff members were fired from St. Mary Medical Center in California, and another three were disciplined after posting photos of a dying man on Facebook rather than treating him.
In June, Tri-City Medical Center, also in California, terminated five employees and disciplined another after discovering they used "social media to post their personal discussions concerning hospital patients." The hospital issued a statement on their website apologizing for the breach and how they were addressing it. (Applause for the transparency!)
As disturbing as they are, stories like these and others are popping up in the national news and it's unsettling for everyone. There is something to learn from this though, and it is not that we need to ban social media from our hospitals. Social media is a powerful, evolving medium that allows us to communicate vital information and to hear from, and engage with, members of our communities. It should not be ignored. In fact, I strongly believe it should be embraced by hospitals as another way to reach out to their communities.
The stories of these breaches simply underscore the vital need for having strong policies in place that address the use of social media within and outside of the hospital. Employees need to know and understand that they are accountable for upholding the HIPAA laws even when they leave the hospital. That includes when they enter chat rooms, social networking sites or even their own blogs. In addition, human resources departments must be on board in recognizing that HIPAA laws extend to the use of social networks and any breaches of patient confidentiality through these means will result in disciplinary action.
Ed Bennett is the director of Web strategy for the University of Maryland Medical System. He also manages a blog which provides a wealth of information on hospitals and social media. The site provides a nice list of publicly published policies. It's a great resource for hospitals, and can help in developing a new policy or tweaking an existing one to address social media specifically.
I am still confused as to why hospital staff members would ever think it was okay to reveal privileged patient information through any means, especially one as public as social media. Perhaps these changes in the way we communicate call for not only new and revised policies but also for additional training and signed agreements for staff to further understand the ramifications of violating HIPAA through social networks. What are your thoughts?
Nancy Cawley Jean is a senior media relations officer for Lifespan in Providence, RI, where she oversees social media for Lifespan's five partner hospitals and also manages the national media relations for research at Rhode Island Hospital and its Hasbro Children's Hospital. Find her at @NancyCawleyJean on Twitter.