MEDICAL

CONFIDENTIALITY IN
THE AGE OF SOCIAL
MEDIA

Aamir Hasan

1
Overview
■ Social media can be useful to
providers: What is it? How is it
being used?
■ Providers have legal obligations.
■ Providers should be proactive
with maintaining control over
content and establishing
institutional policies on
appropriate use.

2
What is Social Networking?
■ Broad range of Internet activities
– Texting
– Chat rooms
– Emails
– Blogging
– Videos
■ Easily accessible
– Work computers
– Home computers
– Mobile smartphones and other devices
■ Inherent risks
– Immediacy
– Global reach
– Searchable
– “Email is Forever”
– Expectation of a dialogue

3
Online Social Networking
Exploding
■ Facebook
– >400 million users worldwide
– 2009 revenue: >$550 million
– 8 billion minutes spent on Facebook each day
– Increasing corporate marketing use

■ Twitter
– “Tweets” – max. of 140 characters
– Celebrity usage – Lance Armstrong, Brittany Spears
– Corporate use growing exponentially
– Over 55 million users / month and growing
– Largest user demographic: 35-49

4
Online Social Networking
Exploding
■ LinkedIn
– Facebook for professionals
– Over 50 million registered users

■ MySpace
– Similar to Facebook
– Less than half the users at over 100 million

■ YouTube
– Online videos

■ Blogs
– The original social networking tool

■ Non-provider hosted sites (external sites)

– Different legal obligations may arise when a provider hosts blogs and
other media on its own servers

5
What’s in it for Health Care
Providers?
■ April 2010: Hospitals have established:
– 250 YouTube channels
– 300 Facebook pages
– 400 Twitter accounts

■ Social Media is useful to Providers:

– Launch innovative advertising/marketing campaigns
– Provide patients & families with information
– Remain competitive with other providers that have
established social media presences.
– Use in hiring and firing staff?
■ Possible discrimination claims?

6
Legal Obligations:
Confidentiality
■ Providers are ‘covered entities’ under
HIPAA & state law

■ Affirmative legal obligation to safeguard

protected patient information
– Patient names, addresses, email addresses

■ Creating social media content does not

implicate privacy laws as long as
providers do not post patient information
without authorization

7
Legal Obligations: Practice of
Medicine
■ Interactions with patients
– Malpractice risk
– Disclaimers (character limits with some media)
– Licensure issues
– Privacy
– Boundary issues

8
Legal Obligations:
Disclaimers
■ Given informal nature of social media,
providers can remind online visitors that
posts are public:
– “This is a public site. Please do not post
personal information about yourself or
others, including medical information.”
■ Note: outside scope of this presentation,
but with institution-hosted media (e.g.,
blogs), a more complete terms &
conditions notice may be appropriate.

9
Administrative Controls
■ Wide range of administrative controls
available to providers that establish
social media presence
■ Facebook:
– Content posting restricted to page
administrators only (public cannot post
content)
– Closed group – persons must formally request
to “join” group before having posting access

10
Employee (Mis-)Use of Social
Networks
■ For personal purposes, at work
■ For personal purposes, impacting your business
– Bad-mouthing the company
– Trade secrets theft
– Harassment

■ At work, for business purposes

– Monitoring comments on hospital services
– Answering consumer questions
– Promoting services / education
– Research

11
Why Health Care Providers
Should Care
■ 61% of employees say that even if employers are
monitoring their social networking activities, they won’t
alter behavior

■ 74% of employees believe it is easy to damage a

brand’s reputation via social networking sites

■ 53% of employees say “social networking pages are

none of an employer’s business.”

12
Why Health Care Providers
Should Care
■ Only 17% of companies have programs in place to
monitor and mitigate reputational risks

■ Only 22% of employers have formal social networking

policies

13
Employer Injury
■ Injury to corporate reputation
– Employee "venting" transmitted instantly to ever-
growing audience

■ Possible liability for employee postings

– Defamation
– Copyright infringement
– False advertising claims
– Discrimination/harassment
– Medical information (HIPAA/GINA)

14
 Employer Liability
■ Electronic discovery issues
– A new kind of “electronically stored information” (ESI)
– Social media data is typically not stored on employer’s
network or system
■ National Labor Relations Act issues
– Can be “protected, concerted activity”
– Blogging about unfair employer policies
– Applies to all employees, not just unionized workers

15
What Should Employers
■ Develop a policy now – don’t wait for the crisis
Do?
■ Convene working group to draft:
– HR
– Legal
– IT
– Marketing
– PR/Corporate Communications
– Employee users

16
Social Media Policy
Considerations
■ What is your culture?
– Separate or integrated policy?
– Allow or block access to social media websites?
– Distinguish between professional use and personal use?
– Extent to which provider equipment and networks can
be used for social media?
■ What are your needs?
– Use of social networking to generate business?
– Use of social networking in hiring / firing process?

17
Social Media Policy
Considerations
■ Duty to bargain with unions regarding policy?
■ Cross-reference in other policies?
– Anti-harassment and nondiscrimination
– HIPAA/GINA confidentiality
– Codes of ethics
■ Legal review of proposed employee terminations
for social networking activity

18
Social Media Policy
■ Providers should:
– Adopt a Social Media Policy for
employees and staff
– Educate staff about the contents of
the Policy
– Enforce policy through imposing
consequences for violations

19
Social Media Policy:
Adopt
■ Policy should:
– Set rules for what information staff can post
and say online
– Remind and educate staff about obligations –
patient privacy, protecting proprietary
institutional information
– Clarify appropriate relationships between
staff, patients and the public

20
Social Media Policy: Educate &
Enforce
■ Educate:
– Any policy is only as good as the
institutional awareness of it
– Know the policy; educate staff at hire and
push periodic updates

■ Enforce:
– Follow through with penalties for
violations

21
Social Media Policy: Provisions &
Examples
■ Policy statement: “Employees can
use social media for business-
related purposes subject to
restrictions in this Policy to ensure
compliance with legal requirements
and institutional policies.”

■ Scope of policy – separate

provisions for institution-hosted
and externally hosted sites.

22
Social Media Policy: Provisions &
Examples
■ Rules for use:
– Maintain patient privacy
– Respect patients and other staff – no libelous
or defamatory speech
– Safeguard proprietary institutional information
– Comply with copyright, trademark and other
law
– Do not communicate on “behalf” of institution
– No patient-specific medical advice

23
Questions?

24