Health Care Entities Using Social Media: Guidance from the Division of Quality Assurance

Many articles have been written about the legal and business risks associated with the use of social media and web-based email services. However, the risk of using social media is heightened in the health care industry in light of a health care entity's legal and regulatory obligations to protect the privacy and security of health care information. Health care entities need to be particularly familiar with the risks of using social media in the health care industry and methods for reducing those risks.

The DQA October 24, 2011 Memorandum
On October 24, 2011, the Wisconsin Division of Quality Assurance ("DQA") issued numbered memorandum 11-026 entitled, "Using Social Media Platforms, such as Twitter, Facebook, MySpace and LinkedIn". 

The DQA definition of "Social Media" includes what one would normally consider social media, as well as "free and unencrypted web-based email services" such as Yahoo and Gmail, and web-based calendars. The purpose of the Memo is to "provide guidance to providers on the fast-changing landscape of the internet and the impact of using social networking and social media as a communications tool".

DQA released the Memo to address concerns raised about (1) health care entities and their staff using web-based email accounts (e.g., Gmail) or web-based calendars (e.g., Yahoo Calendars) to convey patient or resident care information; and (2) health care entity staff members sharing protected health information on FaceBook.

The DQA notes that inappropriate use of Social Media or use of Social Media without adequate security protections may violate a patient's or resident's privacy rights. Moreover, DQA emphasizes that Social Media sites are now major targets of the hacker underground, creating further risk of a network security breach. DQA also warns health care entities of the potential for criminal and civil risks of using Social Media, (including criminal prosecution or civil actions under HIPAA) because it is the United States Department of Health and Human Services Office of Civil Rights—and not the Division of Quality Assurance—which has jurisdiction over such violations.

Risk Management Considerations With Regard to Entity Use of Social Media
DQA includes a number of recommendations for reducing the risks associated with the use of social media by health care entities.

First, the DQA recommends that each health care entity conduct a risk assessment to determine whether the entity or its staff members are utilizing Social Media in a manner that may violate patient or resident rights.

DQA also recommends that providers and staff members should be fully aware of the broad definition of "protected health information." If a health care entity chooses to utilize a Social Media tool, it should insure that the information it discloses is "de-identified under HIPAA." DQA points out that no health care provider should ever post any protected health information on-line without the appropriate written patient authorization. Merely omitting a patient's name from a post does not make it a permissible disclosure. Posts that discuss the patient's condition—even without disclosing the patient's name—contain protected health information.

DQA emphasizes that "a covered entity should consider the need for a business associate agreement with a social media site, if the entity is uploading protected health information to the site. HIPAA makes it mandatory for all covered entities along with their business associates to ensure complete protection of patient health information, which they store, process and exchange between themselves."

Finally, DQA recommends that health care entities should develop a social media policy that guides employees on the appropriate use of social media, and includes specific guidance (e.g., "Refrain from discussing patients, even in general terms."). The organization should also provide staff with ongoing training on resident rights, privacy and security.

Marketing Uses of Social Media
DQA does not directly address the use by healthcare entities of social networking sites like FaceBook, Twitter or YouTube, or even the providers' own websites, to promote their services or discuss advances they have made in healthcare. Many health care entities use videos, photos, and patient interviews to promote their services. If a health care entity posts a video, photograph, or patient interview of actual patients, that provider would be disclosing protected health information.

Any health care provider using protected health information in this manner should only do so with the express written authorization of the patient. Even with such authorization, the provider must be sure that the patient understands that when posting information online, the provider and the patient lose much control of the information. Although the provider could remove the materials if a patient withdraws authorization, the patient and the provider cannot get back any material that may have been downloaded by others.

Although not referenced in the Memo, health care providers should institute a social media policy which identifies who is permitted to use social media for the business purposes of the organization and what information may be posted on the company's website or a social media web page.

Considerations for Staff Member's Personal Use
One of the greatest risks of social media sites is that a health entity staff member may post protected information on the staff member's social media page. The internet is filled with stories of hospital employees being fired for providing their opinions about a patient on a Facebook account, albeit without identifying the patient's name. Given that any information disclosed about a patient or resident would likely constitute a breach of protected health information, it is imperative that providers inform staff that they are not to share any confidential information whether at work, or outside of work—including on their FaceBook pages or through Twitter (or in actual conversation with their family or friends). Staff should understand that they are not to share any patient information online—even if they are not naming the individual patient.

von Briesen & Roper Legal Update is a periodic publication of von Briesen & Roper, s.c. It is intended for general information purposes for the community and highlights recent changes and developments in the legal area. This publication does not constitute legal advice, and the reader should consult legal counsel to determine how this information applies to any specific situation.