Using Social Media Platforms, such as Twitter, Facebook,
MySpace and LinkedIn
PDF Version of DQA 11-026
(PDF, 50 KB)
This memorandum provides guidance to providers on the fast-changing
landscape of the internet and the impact of using social networking and
social media as a communications tool. Internet communications that contain
resident/patient-specific information, such as medical appointments,
medication changes or changes in medical status may result in a breach of
the privacy for the resident or patient. The release of confidential and
sensitive information may have untoward legal consequences for the facility
for its failure to protect an individual's privacy.
Background
"Social media" includes Facebook and Twitter; free and
unencrypted web-based email services (e.g., Yahoo, Gmail, etc.); and free
web-based calendars (e.g., Yahoo, Hotmail, Google, etc.) that enable people
to communicate easily via the internet to share information and resources.
Social media enables people to easily and instantly share information
with friends and co-workers. Problems arise because social media content,
including personal or private information, can be easily shared, rapidly
disseminated, and readily accessed by others including unintended
recipients. Social media also is now a major target of the hacker
underground.
Resident and Patient Rights
Wisconsin state statutes and administrative rules for regulated
healthcare providers repeatedly address resident and patient rights to
privacy concerning healthcare and treatment. All entities have an obligation
to protect the rights of their clients, patients or residents. In addition
to Department sanctions, the failure to protect a resident or patient's
privacy and confidential information could also form the basis for civil or
criminal liability.
HIPAA Protections
If an entity is a "covered entity" under the Health Insurance
Portability and Accountability Act (HIPAA) of 1996, the entity has a duty to
protect Individually Identifiable Health Information. Covered entities that
violate HIPAA can face significant penalties, including fines and/or
imprisonment for knowingly misusing Individually Identifiable Health
Information. Please note that the Division of Quality Assurance (DQA) does
not enforce HIPAA; HIPAA is under the jurisdiction of the federal Office of
Civil Rights (OCR). However, Wisconsin statutes and administrative rules
include privacy protection requirements that must be followed by licensed
providers.
If a covered entity chooses to utilize a social media tool, the entity
should ensure that the information they disclose is considered de-identified
under HIPAA. Omitting a resident or tenant's name does not guarantee that
the person cannot be identified. The uniqueness of a situation alone may
allow people to reasonably identify a resident or tenant. If there is a
reasonable basis to believe that the person could still be identified from
that information, then the information is not de-identified. Its use or
disclosure could constitute a violation. If staff posts any information that
can be used to re-identify an individual, the information would also no
longer be de-identified.
In addition, a covered entity should consider the need for a business
associate agreement with a social media site, if the entity is uploading
protected health information to the site. HIPAA makes it mandatory for all
covered entities along with their business associates to ensure complete
protection of patient health information, which they store, process and
exchange between themselves.
Conclusion
The use of social networking platforms and related communication
technologies to exchange PHI poses significant risks to the personal privacy
of residents/patients and the confidentiality of health care information.
Facilities need to conduct a risk assessment on whether entity and staff
social networking practices could potentially violate patient/resident
privacy rights.
It is recommended that entities develop a social media policy to provide
guidance to employees about the appropriate use of social media in a health
or residential care facility.
Facility policies should prohibit staff from discussing resident/patient
information on blogs, social media, or other internet platforms. In
addition, health or residential care facilities should provide staff with
ongoing training on resident rights, privacy and security.
Below is some suggested guidance for staff when using social media:
- Refrain from discussing patients, even in general terms.
- Assume anything put online could be seen by anyone. If you wouldn't
say it in a public elevator, don't put it online.
- Take particular care when replying to people in real-time venues like
Twitter. You don't have to respond right away, and if you have any doubt
at all, don't respond.
- Don't mix personal and professional lives. Don't friend patients on
Facebook.
- Check privacy settings monthly (they could change from time to time).
These are only helpful guidelines to protect against inadvertently
sharing confidential information about residents or tenants in your care.
Please direct any questions you may have to Dinh Tran, Social Services
Consultant at (608) 266-6646 or email him at dinh.tran@wi.gov
Last Updated: October 27, 2011