This week I attended the HIMSS Michigan Chapter conference, Wiring Michigan for Health Information Exchange. This was a more intimate affair, by far, than the annual HIMSS Conference, but no less productive - and in some ways more so as it was much easier to chat with vendors and colleagues during the breaks.
Among other breakouts, I attended the “Social Media, Healthcare and the Law” presentation conducted by attorneys from Dickinson Wright (Brian Balow, chair of their IT Law Group, and Tatiana Melnik, an associate).
One observation they made was: Use email to document your decisions – not for internal deliberations! The reason is that email is discoverable. Using email for decision deliberations commits to “paper” topics and ideas that may not have had a significant bearing upon the final decisions – but can be used in court to paint a picture that doesn’t reflect what took place. So, don’t use email to conduct your deliberations.
They also provided a nice justification for “Why to have a Social Media Policy:”
- To provide a structured framework within which employees can use social media safely
- To protect patients’ rights
- To instill professionalism
- To protect employees and the organization from liability
The core issue with healthcare professionals using social media tools is that of patient privacy. We are obligated to keep protected health information secure and to specifically prevent disclosure.
Furthermore, the HITECH Act requires that healthcare organizations (known as covered entities), business associates, and subcontractors address breaches: investigate, give notice to the affected patient(s), reprimand staff, and notify the Secretary of HHS. I found two points surprising: first, that the HITECH Act does NOT preempt state law (so you can face legal action under both Federal and State laws), and second, that State Attorneys General have the “…power to enforce HITECH breach provisions.” And some have, resulting in significant settlements.
Their recommendations for creating a social media policy include:
- Be transparent and authentic
- Be responsible for what you write
- Protect PHI as well as proprietary information
- Use common sense and common courtesy
- Think twice before you post!
Additionally, there was a February 24, 2011 settlement in which Mass General agreed to pay a $1M fine as well as implement a monitored, multi-year corrective action plan. While this particular breach did not involve social media, it does illustrate the costs of breaches.