Featured Health Business Daily Story, Dec. 11, 2013
Reprinted from REPORT ON PATIENT PRIVACY, the industry's #1 source of timely news and business strategies for safeguarding patient privacy and data security.
Do patients who post online about risky health behaviors need to be told that their providers might be reading about their exploits and ogling the photos they share? Should doctors and nurses ever deliberately search for information on a patient, even if the intent is to provide better care? Or does HIPAA prevent such actions?
Art Caplan, director of the division of medical ethics at New York University’s Langone Medical Center, recently brought these issues to light in a column for NBC News, which described a liver transplant team’s quandary over its discovery of a Twitter photograph of a patient drinking alcohol — an obvious no-no that could disqualify him from the life-saving surgery.
This real-life scenario was shared with Caplan via email — with identifying details removed — to get Caplan’s take on the situation, given that little exists today in the way of laws or regulations to guide the team on what it should do with this information.
More and more doctors and HIPAA covered entities (CEs) are going online, and the venues for information-sharing are multiplying by the hour, it seems. Medical associations and similar groups have developed guidelines about the appropriate use of social media, and many CEs have adopted them.
Yet, Caplan and other experts tell RPP these policies need to be expanded to address emerging issues centering on the use of information that patients are posting. Caplan goes so far as to state that “we need a revision in codes of ethics” to properly balance the privacy and other risks and benefits to both patients and providers posed by the ever-expanding free flow of medical information.
Among the thorny issues that CEs should address in their policies include just what personal data are really “private” versus truly public, the nature and use of PHI that CEs pick up online from their patients, and what patients have a right to know about this. At a minimum, the experts also warn that such policies need to be frequently reviewed and updated.
While officials at the Office for Civil Rights (OCR) have been silent on the use of social media itself, they will prosecute inappropriate use of protected health information (PHI). State insurance and health agencies are also alert to violations of local laws governing personal data. Physicians and other medical providers may also run afoul of regulations governing the practice of their professions.
But Adam Greene, a former OCR regulator and now a partner in private practice in the Washington, D.C., office of Davis Wright Tremaine LLP, doesn’t expect to see regulation anytime soon that spells out just what is allowed via social media.
To date, he says, HIPAA “doesn’t really address this sort of issue,” nor do typical state privacy laws. “This is an issue of collection [of PHI],” he notes, “to what extent CEs can collect information. It’s a privacy issue we really haven’t seen [addressed], at least not in HIPAA.”
Typically HIPAA, as well as state laws and regulations, address uses and disclosures of PHI, Greene says. The one regulation that addresses PHI in a somewhat similar manner implements the Genetic Implementation Non-discrimination Act, commonly known as GINA, that prohibits insurers from collecting genetic data for use in underwriting.
But because of the complexities, Greene cautions, “this is dangerous territory to try and regulate” because communications may be considered for treatment purposes, and regulators do not want to interfere in the practice of medicine.
That leaves CEs to be guided by recommendations issued by health care organizations themselves, in most cases, or developed by medical privacy experts. Hospitals should also have social media policies that address what physicians and other employees can post online, and policies written for physicians can form the basis for those.
Many policies already share common elements that focus mostly on warning physicians and other providers against posting PHI online and offer suggestions for ethical and legal use of social media to market the practice.
The most recent social media policy for physicians, which has broad application to other providers also covered by HIPAA, comes from the Rhode Island Board of Medical Licensure and Discipline, which issued its own guidelines (see box, p. 5).
These closely track the 2012 “Model Guidelines for the Appropriate Use of Social Media,” issued by the Federation of State Medical Boards, and both of these echo guidelines on “Professionalism in the Use of Social Media” issued in 2010 by the American Medical Association (AMA). All of the policies generally recommend that physicians act as professionals online and take care not to reveal anything identifiable about patients and nothing incriminating about themselves.
Broadly speaking, the AMA also says physicians shouldn’t be social network “friends” with patients, but it cautions that, “if they interact with patients on the Internet, physicians must maintain appropriate boundaries of the patient-physician relationship in accordance with professional ethical guidelines just as they would in any other context.”
The AMA’s report by its Council on Ethical and Judicial Affairs, which developed the AMA policy, briefly mentions the possibility a physician may glean sensitive information but then the issue isn’t mentioned further.
“Physicians who use online social networking sites and who interact with patients may uncover content not intended for them that might have implications for patient care (e.g., seeing a photo of a patient smoking a cigarette when the individual has denied being a smoker),” the report states. But what to do next? The AMA doesn’t say.
That’s where Caplan’s “revised code of ethics” or a framework can come in.
He says three basic principles should be part of any framework:
(1) Notification to patients;
(2) The right of patients to “rebut, explain or challenge” the information; and
(3) A ban on what he calls “systematic snooping or surveillance.” If this occurs, “even with notice,” the activity “undermines trust,” Caplan says.
“If social media info is used in patient care, my view is that it ought to be disclosed to [the] patient,” he says. Patients should be told in advance that this could happen, not just after it has already happened, he says.
“Public information is public,” Caplan tells RPP. “If you post it, you should presume your doctor, lawyer, ex-spouse, may find it.” But he draws a line at providers trolling for information from non-public sources.
“Snooping for private data on social media is a gross violation of the doctor-patient relationship, but finding a tweet or public Facebook post is not,” he says. And Caplan advises against doctors and patients being “friends” on Facebook.
“I don’t see an advantage and see lots of potential for confusion and misunderstanding,” he says.
Caplan says the reaction to his column was both “loud and mixed.”
“People don’t like the idea of their doc spying on them, but accidental discovery seemed okay,” he says. “Most think ‘buyer beware’ when it comes to social media posting.”
But “once I pointed out the need to let a person respond to or challenge a posting in this case, that got broad agreement,” Caplan says.
From what Caplan could glean, the transplant team didn’t seem to have been in the “trolling” category. The photo, he says, “seemed to be a purely accidental discovery,” with the image shared by a non-clinical person who “happened to know someone who knew the patient.”
It isn’t clear that the man tweeted his way out of a new liver, but that photo alone should never be the deciding factor in determining treatment, medical privacy and social media expert David Harlow tells RPP.
Providers shouldn’t be governed by information that might have been revealed or disclosed online, says Harlow, principal of The Harlow Group LLC and author of www.healthblawg.com. “But I don’t think it should be ignored.”
He agrees with Caplan that patients should be given the opportunity to respond to any information that might have been obtained online about themselves, and adds that providers need to “make further inquiries” to explore the situation in more detail.
Harlow concurs that whatever patients are posting online that is public is fair game for use by medical providers.
“It is not unreasonable to use that as part of the social history,” Harlow points out. Such information might be particularly useful if someone is brought unconscious or incapacitated to the emergency department; information found online could, and has, saved lives, he says.
He recalls an instance where a physician learned that a patient was taking his medication improperly and was able to correct the patient’s administration.
But Harlow does have concerns that “for many people there may be a lack of understanding about privacy settings,” which may cause them to publicly post perhaps more than they realize.
Facebook and LinkedIn, for example, often change their settings without good explanations or instructions to users. Another complication is some posts are visible because of other users’ settings. Some Facebook posts can be seen by friends of friends.
Two years ago Harlow told RPP that two-thirds of hospitals didn’t have a social media policy (RPP 11/11, p. 3). While more undoubtedly do today, Harlow says that these may not be current. He calls the Rhode Island policy “a good first step that tends toward the conservative” in its suggested uses of social media by providers.
But he cautions that such policies should be “reviewed and updated on a regular basis,” not only to ensure they are current with advances in technology and new platforms but also to accommodate changing views “as people get more comfortable [with social media].”
Policies that aren’t revised will become “stuck” in an outdated “landscape,” causing a “constraining effect” on the use of social media, he says.
© 2013 by Atlantic Information Services, Inc. All Rights Reserved.
The AIS E-Savings Club offers regular opportunities to buy AIS products and services at substantial savings. Click here to see the current specials — including a $50 discount on How to Comply With New HIPAA/HITECH Rules, a new report in AIS’s Management Insight Series
Check out all of the benefits, sample issues & more!