
Unfortunately, Indiana University Health (IUH) has had to terminate employees due to their social media efforts. Valita Fredland, CIPP/US, associate general counsel and chief privacy officer at IUH, told the crowd here at the IAPP Canada Privacy Symposium that one clinician posted racially insensitive remarks as a comment to a local newspaper article.

“That was not the kind of individual we wanted caring for patients,” Fredland said.

Valita Fredland, CIPP/US, associate general counsel and CPO at Indiana University Health, addresses the IAPP Canada Privacy Symposium.

Another employee posted a revealing photo of a patient, alongside a disparaging remark, to Facebook. Another decided to take a group of doctors to task for not understanding electronic medical records. Then there was the time a provider engaged in what amounted to treatment of a patient via a comment thread on a Facebook page.

In these cases, the first instance was clearly a breach of patient privacy, but what might you do about the latter two examples?

Such is the gray area being created for privacy professionals grappling with rapidly changing technology and social mores.

“There aren’t a lot of good published guidelines out there for how you should deal with employees’ use of social media,” Fredland said. “Instead, you need to work on your own to create a good clear policy that sets out expectations, and you need to educate your workforce about what social media is.”

However, “healthcare providers tend to approach social media like the contents of Pandora’s box,” she said, trying to lock it down and keep everyone off of it. This is a mistake, she counseled, as blocking social media sites will just lead employees to use mobile devices for their social networking, and if you’re not on the social media platforms, you’re less likely to notice potential breaches and it’s less likely employees will realize they’re posting something that could affect their professional lives.

Further, social media can lead to better healthcare and can be a competitive differentiator. There’s evidence, for example, that the number of “likes” a healthcare provider has on Facebook is correlated with the actual quality of that provider’s care. One provider is monitoring Twitter to identify and respond to lengthy ER wait times. Perhaps discovering a group of posts from a single geographic area all complaining about the lack of a certain kind of provider could present a market opportunity.

One woman with a rare heart disease even went so far as to gather more than 100 other people with the same condition via social media, leading to a research study at the Mayo Clinic that was significantly larger than the 40-person study that had previously been the largest undertaken.

Clearly, there are benefits to social media use and monitoring. (Looking for more ideas? Check out Phil Baumann’s 140 health care uses for Twitter.) The dangers are significant, too, though.

One young doctor, for example, took to Facebook to lament her first pediatric code, Fredland explained. Due to the information she provided, and the information provided by other clinicians who sympathized with her online, it was Fredland’s opinion the post represented a breach. In this case, they were providers unlikely to misuse the information, and thus she decided not to report it, “but if there were friends outside of the covered entity who could tell what patient they were talking about because a friend of the family was in the network and saw the post, maybe we would have had to report it.”

There has even been a documented instance of a nurse who gained employment at a certain provider solely in order to obtain STD information about a rival for the affections of a professional football player and then post that information on her Facebook wall.

Clearly, “Healthcare providers need to move beyond their PR departments to develop their social media business strategies,” Fredland said.

Education and training should be part of the privacy team’s operations, she said, both to avoid those breaches outlined above and things like social engineering scams that could lead employees to voluntarily give information to nefarious actors without realizing it, potentially causing a serious breach.

“Anticipate that this will happen to you,” she said. “It is each entity’s obligation to understand the technology and be aware of its information flow.”

She recommends, too, dedicated staff tasked with monitoring social media, even the use of social media monitoring tools that search the web for terms likely to be associated with a breach.

As part of the training, as well, “we encourage people to let us know if they see it happen,” she said. “With the automated filtering tools, if there are significant privacy settings, the filtering won’t get it, so have to rely on ‘friends’.” Often, these monitors are in the PR department, but Fredland believes providers need to bring this function into a clinical and compliance social media strategy as well.

“The data is there to learn from,” she said.

Written By

Sam Pfeifle

