Department of Health Services Logo

 

Wisconsin Department of Health Services

If You Have Complaints about Wisconsin Health Care

Information about Division of Quality Assurance (DQA)

DQA Web Pages Information

Provider Types Regulated by DQA

DQA Listservs

Consumer Information

Provider Search

DQA Facility Directories

DQA Provider Training

DQA Numbered Memos

DHS Forms

Construction/
Remodeling of Health Care Facilities

WI Nurse Aide Training and Registry Info

Caregiver Program/ Background Checks

WI Adult Programs Caregiver Misconduct Registry

Using Social Media Platforms, such as Twitter, Facebook, MySpace and LinkedIn

PDF Version of DQA 11-026  (PDF, 50 KB)

Date: October 24, 2011 -- DQA Memo 11-026
To: Adult Family Homes AFH 09
Community Based Residential Facilities CBRF 13
Certified Mental Health and AODA Programs CMHA 07
Facilities Serving People with Developmentally Disabled FDD 11
Home Health Agency HHA 06
Hospices HSPC 11
Hospitals HOSP 12
Nursing Homes NH 18
Residential Care Apartment Complexes RCAC 10
From: Alfred Johnson, Director
Bureau of Technology, Licensing and Education

Kevin Coughlin, Director
Bureau of Assisted Living

Juan Flores, Interim Director
Bureau of Nursing Home Resident Care

Cremear Mims, Director
Bureau of Health Services

Via:

Otis Woods, Administrator
Division of Quality Assurance

Using Social Media Platforms, such as Twitter, Facebook, MySpace and LinkedIn 

This memorandum provides guidance to providers on the fast-changing landscape of the internet and the impact of using social networking and social media as a communications tool. Internet communications that contain resident/patient-specific information, such as medical appointments, medication changes or changes in medical status may result in a breach of the privacy for the resident or patient. The release of confidential and sensitive information may have untoward legal consequences for the facility for its failure to protect an individual's privacy.

Background

"Social media" includes Facebook and Twitter; free and unencrypted web-based email services (e.g., Yahoo, Gmail, etc.), and free web-based calendars (e.g., Yahoo, Hotmail, Google, etc.) that enable people to communicate easily via the internet to share information and resources.

Social media enables people to easily and instantly share information with friends and co-workers. Problems arise because social media content, including personal or private information, can be easily shared, rapidly disseminated, and readily accessed by others including unintended recipients. Social media also is now a major target of the hacker underground.

Resident and Patient Rights

Wisconsin state statutes and administrative rules for regulated healthcare providers repeatedly address resident and patient rights to privacy concerning healthcare and treatment. All entities have an obligation to protect the rights of their clients, patients or residents. In addition to Department sanctions, the failure to protect a resident or patient's privacy and confidential information could also form the basis for civil or criminal liability.

HIPAA Protections

If an entity is a "covered entity" under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the entity has a duty to protect Individually Identifiable Health Information. Covered entities that violate HIPAA can face significant penalties, including fines and/or imprisonment for knowingly misusing Individually Identifiable Health Information. Please note that the Division of Quality Assurance (DQA) does not enforce HIPAA; HIPAA is under the jurisdiction of the federal Office of Civil Rights (OCR). However, Wisconsin statutes and administrative rules include privacy protection requirements that must be followed by licensed providers.

If a covered entity chooses to utilize a social media tool, the entity should ensure that the information they disclose is considered de-identified under HIPAA. Omitting a resident or tenant's name does not guarantee that the person cannot be identified. The uniqueness of a situation alone may allow people to reasonably identify a resident or tenant. If there is a reasonable basis to believe that the person could still be identified from that information, then the information is not de-identified. Its use or disclosure could constitute a violation. If staff posts any information that can be used to re-identify an individual, the information would also no longer be de-identified.

In addition a covered entity should consider the need for a business associate agreement with a social media site, if the entity is uploading protected health information to the site. HIPAA makes it mandatory for all covered entities along with their business associates to ensure complete protection of patient health information, which they store, process and exchange between themselves.

Conclusion

The use of social networking platforms and related communication technologies to exchange PHI poses significant risks to the personal privacy of residents/patients and the confidentiality of health care information. Facilities need to conduct a risk assessment on whether entity and staff social networking practices could potentially violate patient/resident privacy rights.

It is recommended that entities develop a social media policy to provide guidance to employees about the appropriate use of social media in a health or residential care facility.

Facility policies should prohibit staff from discussing resident/patient information on blogs, social media, or other internet platforms. In addition, health or residential care facilities should provide staff with ongoing training on resident rights, privacy and security.

Below is some suggested guidance for staff when using social media:

  • Refrain from discussing patients, even in general terms.
  • Assume anything put online could be seen by anyone. If you wouldn't say it in a public elevator, don't put it online.
  • Take particular care when replying to people in real-time venues like Twitter. You don't have to respond right away, and if you have any doubt at all, don't respond.
  • Don't mix personal and professional lives. Don't friend patients on Facebook, and
  • Check privacy settings monthly (They could change from time to time).

These are only helpful guidelines to protect against inadvertently sharing confidential information about residents or tenants in your care.

Please direct any questions you may have to Dinh Tran, Social Services Consultant at (608) 266-6646 or email him at dinh.tran@wi.gov

 

PDF: The free Acrobat Reader software is needed to view and print portable document format (PDF) files. Learn more.

Last Updated: October 27, 2011