The legendary bank robber Willie Sutton, when asked, “Why do you rob banks?” answered “That's where the money is.”  For the same reason, we cannot ignore social media – that's where the people are, and that's the world in which health care decisions are made – decisions about courses of treatment and choices of providers.  Three-quarters of the U.S. adult population is online, and most of them use the internet to find health information.  (See Pew Research Center on the Internet and American Life report on The Social Life of Health Information, 2011.)  Most people expect to find health care providers online dispensing information (See Edelman Health Engagement Barometer), and a recent survey found that a whopping 81% of consumers believe that if a hospital has a strong social media presence it is more likely to be cutting edge.  Marc Monseau (aka @MDMonseau on Twitter), speaking on a recent HealthWorks Collective webinar, highlighted some similar statistics on the readiness of the general population to use social media channels to consume – and share – health information, and emphasized the need for providers and other businesses to jump into social media, but not before establishing guidelines for the use for these tools.

 

Other reasons to dip a toe into the social media pool include the patient-centeredness and patient engagement requirements included in the much-debated ACO regulations; keep in mind that these requirements will ultimately be applicable to broader ranges of patient-provider encounters.  This angle was explored more fully by Mark Ryan (aka @RichmondDoc on Twitter), another speaker on the recent HealthWorks Collective webinar (and my fellow Advisory Board member at the Mayo Clinic Center for Social Media), when he explored the realm of the e-patient – the engaged, empowered, educated patient.  (I invite you to get a further taste by checking out the e-patients.net blog, published by the Society for Participatory Medicine.  Disclosure: I serve as Public Policy Chair.)   One further prod to improved online patient engagement is the promise of additional economic stimulus dollars through the meaningful use of electronic health records program; Stages 2 and 3 of Meaningful Use will include standards for patient engagement through an electronic personal health record (PHR) or patient portal. 

 

Nevertheless, only 20% of U.S. hospitals have a social media presence, distributed across networks including Facebook, Twitter, YouTube, blogs, Linked In and Foursquare.  Why is this so? And what steps should hospitals – and other health care providers – take to engage with their patients, potential patients, referral sources, and potential referral sources?

 

Health care executives are concerned about a number of issues which keep their organizations out of the social media conversation, principally privacy, security and liability grounded in HIPAA, state privacy law and professional responsibility requirements.  Other issues may include fraud and abuse concerns under the Stark law and the Anti-Kickback Statute, as well as potential violations of state insurance laws, fee-splitting rules and payor contract provisions, for use of social platforms designed to bring patients in more directly (e.g. through daily deal sites such as Groupon).

 

The privacy concerns arise from HIPAA and state privacy laws.  They provide that only a patient has the right to authorize the release of his or her own private health information.  Thus, patient blogs don't create HIPAA concerns but identifiable patient information used in provider social media without consent most certainly do.  As a Rhode Island doc recently learned the hard way, a de-identified Facebook post about a patient may easily be re-identified using information from third-party sources.  Best practice: write about composite/fictionalized patients, or simply get consent.  Providers may wish to rewrite their HIPAA NPPs (notice of privacy practices) to include some level of consent to communication with or about a patient on Facebook, for example.) 

 

Other unthinking or inadvertent disclosures have proven to be problematic, too.  Consider these scenarios:

 

  • A friend posts a cell phone photo of a newly-casted broken arm, with a recognizable person in a hospital ED waiting area visible in the background.  Posting her image in an emergency room at an identifiable time (and possibly place) may be a HIPAA violation attributable to the hospital, even if it did not post the photo. 

 

  • A public hospital employee tweets her displeasure in seeing a clinic staffed up for the convenience of a political figure coming in for services on a weekend.  She lost her job as a result of publicly sharing identifiable health information.

 

  • A patient posts on a hospital Facebook wall after getting some good test results, “I'm cancer free one year later.”  Hospital staff can't post much more than “Congrats; everyone should check out our cancer center's web page.”  Even if the patient self-identifies first, that action does not constitute full consent to unlimited public conversation about his condition.

 

Despite privacy restrictions grounded in HIPAA, it is possible for a health care provider to develop a robust social media program.  The critical first step is developing a social media policy that respects the legal and regulatory limits, and that is consistent with the organization's level of readiness to engage through social media.  Establishing guardrails will allow staff to participate in the online conversation without the need to continually check back with legal and regulatory. You may wish to start with a policy adopted by another organization, but local customization is key.  The policy needs to set limits and expectations for visitors to the organization's web properties, (so that, for example, a poster who violates the terms of service will be on notice that a hospital whose staff should be monitoring social media accounts at least daily may decide to take down a post if it does not comply with the policy).

 

An internal set of policies and procedures is also needed to address internal operational and policy issues for official channels and also for unofficial channels.  For example, staff need to be sensitive to the fact that they are, in effect, brand ambassadors on a 24/7 basis, and that if they mention their employer in their posts, they should do so consistent with company policy – noting that “tweets are my own” or, for some organizations, insisting on all employees' “radio silence” except for designated employees.

 

Finally, the best policies and procedures do no one any good unless staff are trained to understand them, and are retrained as policies are updated on at least an annual basis.

 

David Harlow is a health care attorney, consultant and blogger.  He is a charter member of the external advisory board of the Mayo Clinic Center for Social Media, and the Public Policy Chair of the Society for Participatory Medicine.  You should follow him on Twitter.