Photo courtesy of Kiwanja
by Jenn Riggle
Let’s just acknowledge the 800-pound gorilla in the room. Social media gives legal departments heartburn. While this is a problem for all industries, it’s an even bigger issue for health care because of a little something called the Health Insurance Portability and Accountability Act, more commonly known as HIPAA.
The irony is that HIPAA standards were created to help hospitals and healthcare providers electronically share patient information. These regulations are so complicated that the Dept. of Health and Human Services needed 25 pages to summarize them on its website. Virtually no one, including privacy experts, understands the rules, which is why hospitals are hesitant to adopt new technology or find new ways to share information. This impacts everything from doctors using e-mail to contact their patients to establishing a hospital Facebook page or tweeting during surgery.
Historically, hospitals like to control the message and limit the number of people who can speak on behalf of the organization. However, this is no longer the case. Hospitals can inadvertently violate HIPAA regulations, even for something as simple as a staff member posting a video or photo taken at the hospital that has a patient in the background who has not given written consent.
The penalties for breaking HIPAA regulations are hefty, so like an 800-pound gorilla, hospitals need to take HIPAA seriously. Civil fines can be as high as $1,500,000 for violating the same standard multiple times in one calendar year. And if someone knowingly misuses patient health information, criminal penalties can range from a $250,000 fine to 10 years in prison.
To help address some of these concerns, the Massachusetts Medical Law Report recently published a set of guidelines for physicians who choose to engage in social media.
It’s only natural that lawyers and risk management people get nervous about social media. But the good news is that hospitals already understand the importance of patient confidentiality, requiring written permission from patients before using or sharing their heath information. So in many ways, they just need to take what they’ve been doing all along and apply it to social networking platforms.
Harvard Business Review recently looked at why organizations need “less lawyering and more encouraging” when it comes to social media policies. There’s something to this. Organizations can’t be afraid of using social media, but they need to know the rules and understand how to use it responsibly.
Educate employees so they know what is expected of them if they engage in social media in an official or unofficial capacity. This is particularly important since most hospital employees do not have Internet access during work hours and have to access hospital social networking sites from home.
However, the government recently passed some new HIPAA privacy and security rules. So get ready, things are only going to get more complicated.
love the point about education – goes a long way to help mitigate the risks. Will we also see some changes in the future as our thirst for information and connections changes our views on privacy?
I used to work as an admin at a pediatric office and that’s when I first learned about HIPAA. Their regulations, although definitely needed, can be crazy! It’s great to know that the Mass. Medical Law Report published those SM guidelines for doctors. Thanks for the info!
Jen,
This is only the beginning. Human resources departments are beginning to advise a don’t monitor policy on personal prospect and employee communication for the same reason. I imagine it will become especially complicated for employers dreaming of all their employees becoming mini-promotors. Good stuff.
Best,
Rich
We’re running through the paperwork required to help a young person navigate the rules for keeping parents as advisors – what a maze! Great post – had no idea the fines were so steep…