Unfortunately, Indiana University Health (IUH) has had to terminate employees due to their social media efforts. Valita Fredland, CIPP/US, associate general counsel and chief privacy officer at IUH, told the crowd here at the IAPP Canada Privacy Symposium that one clinician posted racially insensitive remarks as a comment to a local newspaper article.
“That was not the kind of individual we wanted caring for patients,” Fredland said.
Another employee posted a revealing photo of a patient, alongside a disparaging remark, to Facebook. Another decided to take a group of doctors to task for not understanding electronic medical records. Then there was the time a provider engaged in what amounted to treatment of a patient via a comment thread on a Facebook page.
In these cases, the first instance was clearly a breach of patient privacy, but what might you do about the latter two examples?
Such is the gray area being created for privacy professionals grappling with rapidly changing technology and social mores.
“There aren’t a lot of good published guidelines out there for how you should deal with employees’ use of social media,” Fredland said. “Instead, you need to work on your own to create a good clear policy that sets out expectations, and you need to educate your workforce about what social media is.”
However, “healthcare providers tend to approach social media like the contents of Pandora’s box,” she said, trying to lock it down and keep everyone off of it. This is a mistake, she counseled: blocking social media sites will just lead employees to use mobile devices for their social networking. And if you’re not on the social media platforms, you’re less likely to notice potential breaches, and it’s less likely employees will realize they’re posting something that could affect their professional lives.
Further, social media can lead to better healthcare and can be a competitive differentiator. There’s evidence, for example, that the number of “likes” a healthcare provider has on Facebook is correlated with the actual quality of that provider’s care. One provider is monitoring Twitter to identify and respond to lengthy ER wait times. Perhaps discovering a group of posts from a single geographic area all complaining about the lack of a certain kind of provider could present a market opportunity.
One woman with a rare heart disease even went so far as to gather, via social media, more than 100 other folks with the same condition, leading to a research study at the Mayo Clinic that was significantly larger than the 40-person study that had been the largest previously undertaken.
Clearly, there are benefits to social media use and monitoring. (Looking for more ideas? Check out Phil Baumann’s 140 health care uses for Twitter.) The dangers are significant, too, though.
One young doctor, for example, took to Facebook to lament her first pediatric code, Fredland explained. Due to the information she provided, and the information provided by other clinicians who sympathized with her online, it was Fredland’s opinion the post represented a breach. In this case, they were providers unlikely to misuse the information, and thus she decided not to report it, “but if there were friends outside of the covered entity who could tell what patient they were talking about because a friend of the family was in the network and saw the post, maybe we would have had to report it.”
There has even been a documented instance of a nurse who gained employment at a certain provider solely in order to obtain STD information about a rival for the affections of a professional football player and then post that information on her Facebook wall.
Clearly, “Healthcare providers need to move beyond their PR departments to develop their social media business strategies,” Fredland said.
Education and training should be part of the privacy team’s operations, she said, both to avoid those breaches outlined above and things like social engineering scams that could lead employees to voluntarily give information to nefarious actors without realizing it, potentially causing a serious breach.
“Anticipate that this will happen to you,” she said. “It is each entity’s obligation to understand the technology and be aware of its information flow.”
She recommends, too, dedicated staff tasked with monitoring social media, even the use of social media monitoring tools that search the web for terms likely to be associated with a breach.
As part of the training, as well, “we encourage people to let us know if they see it happen,” she said. “With the automated filtering tools, if there are significant privacy settings, the filtering won’t get it, so have to rely on ‘friends’.” Often, these monitors are in the PR department, but Fredland believes providers need to bring this function into a clinical and compliance social media strategy as well.
“The data is there to learn from,” she said.