Privacy – Who cares? You better.
By Christopher Burgess
Privacy, why do we care? What if we ignored the whole topic and simply focused on the operational tasks at hand? Who would notice? What’s the downside? What level of resource investment should be made? Do I need a guide? These are all legitimate questions worthy of addressing as you strategize and put together your tactical plan for social media/network engagement.
In the United States, the healthcare arena has two sets of regulations sitting front and center that warrant understanding and consideration when setting up your social media engagement: the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). These two acts require businesses to meet a minimum level of compliance relative to handling the Protected Health Information (PHI) of patients. Giving short shrift to these puts your brand at risk. Patients who don’t trust you to protect their privacy will find a provider who does protect their PHI.
Privacy discussions must be embedded at the point of ideation and design, whether you’re building a patient support entity where you control the entire technological ecosystem or using a third-party infrastructure (e.g., Facebook). In either case, you should provide a guide for anyone who will be engaging with you via social media. Your guide should include basic rules of engagement: what type of information is permitted, caution against oversharing PHI, and ways to ensure they won’t put their PHI at risk inadvertently.
And don’t forget your employees, who also need a guidebook that provides the specifics about how you expect them to protect PHI for patients as well as colleagues (see: Social Media Governance for a policy database of 170+ exemplars). Count on your employees doing not only what is most efficient, but what achieves the goals and objectives. A guide helps them know exactly what you expect. You want to avoid these common pitfalls:
- Using third-party environments that aren’t designed to protect PHI (e.g., private groups within Facebook) to collaborate on patient follow-up and care.
- Setting up a closed patient support group that ties patient membership to their PHI (e.g., requiring a link to the patient’s electronic health record as part of the registration system).
- Commenting on a patient-specific illness or PHI within one’s own social networking platforms (see: Doctor busted for patient info spill on Facebook).
My bottom line caution: do not assume that compliance with various regulations and requirements automatically ensures security when it comes to PHI, nor is privacy automatically guaranteed.