Facebook Folly: Don’t Get Caught Without a Policy

The explosion of social media outlets (Facebook, Twitter, Myspace, YouTube, etc.) presents the health care industry with unique security and regulatory compliance issues, in addition to the more mundane employment and First Amendment issues.

In a case pending before the National Labor Relations Board, a nurse who had treated a fatally wounded police officer and the alleged gunman was terminated after posting on her private Facebook account that she came “face to face” with a “cop killer” and hoped he “rotted in hell.” The ostensible reason for termination was violations of HIPAA and the hospital’s rules on patient privacy.

The Internet is rife with examples of possible HIPAA violations, privacy concerns and violations of company social media policies. In one instance, a nurse in a rural community observed posts in which a coworker stated the age of a patient, the name of the injury he suffered and the X-rays that were ordered.

In both these instances, it is debatable whether the information provided would constitute a HIPAA violation or whether it was sufficiently “deidentified” information. However, where events have been well-publicized, or in rural communities, information that may otherwise appear deidentified may constitute enough information to connect the dots and identify patients. With the new patient-notification requirements included in the Health Information Technology for Economic and Clinical Health Act, such breaches may now require timely action by the provider at the risk of penalties.

Social media can certainly be a two-edged sword. The same tool that can be used for savvy marketing campaigns can also become liability. The risk with social media posts is not simply HIPAA or patient confidentiality; posts can also become the basis for complaints of harassment or hostile work environment claims. Social media policies are a must have for any health care provider. A good social networking policy should coordinate with existing IT and personnel policies and should identify explicitly prohibited activities, as well as general guidelines on use of media in the context of the workplace. As with any policy, social media policies will only be effective to the extent that employees are trained and the policy is enforced. Given the high stakes of possible HIPAA violations or employment claims, an ounce of prevention is worth a pound of cure.

MD News January 2011, Greater Kansas



Sign up to receive industry news and events from MD News.

* indicates required