These days, it's common to connect with others via Facebook and receive news via Twitter. In fact, according to AskAaronLee.com, Twitter has 105,779,710 registered users with 6 million search queries a day. But as the use of social media reaches new heights, so do the risks associated with it – and this is especially true when it comes to patients.
“Information obtained in the public domain, such as social media sites, is there forever and has the potential to be indexed endlessly in many different types of data warehouses,” said Chris Apgar, CEO and president at Apgar & Associates. “The risks are great and can include patient harm, lawsuits, data breaches, regulatory audit and reputational damage to your clinic or patients.”
"It is important to take a close look at what you want to accomplish with social media in the short and long term,” added Christine Arevalo, director of healthcare identity management at ID Experts. “And it’s even more important to make sure your workforce knows what they can and can’t post to social media sites on or off the job.”
Apgar and Arevalo outline five patient-centered social media risks.
1. Both personal and professional social media posting. The fact that Facebook, Twitter and Skype are readily accessible and often left open in work environments makes it very easy to “inadvertently post patient information,” said Apgar. “[It] represents a real and growing risk. Even if you believe you have social media use under control while your workforce is on the job, one of the most significant risks is a member of your workforce posting patient information on his or her personal Facebook page.” It’s not surprising, he said, that, “friends share with friends. But this turns into a more massive sharing of patient information.”
2. Unencrypted patient information transmission or posting. Any sensitive information, including PHI, that is posted to social media websites is unencrypted – and there to stay, said both Apgar and Arevalo. In fact, a recent article on CNN confirmed many fears by pointing out pictures posted on Facebook were still floating around online, three years after they were “deleted.” “Once the information is posted, it is highly likely you will be unable to delete it,” added Arevalo. “All of this can and has led to breaches of patients’ PHI, which is costly to the organization and can cause harm to the patient.”
3. Lack of a social media use plan. According to both Apgar and Arevalo, a number of healthcare organizations have “stepped into the world of social media” because their competitors have – something they warn can be dangerous. “That isn’t a good reason to launch a social media program,” Apgar said. “Lack of planning an result in breaches and, again, significant cost to patients and the organization.”
4. Lack of a social media policy and workforce training. Any organization using social media needs to develop and implement a complete and accurate social media policy and related procedures as part of their social media use plan, agreed both Apgar and Arevalo. And this should include workforce training. “Your workforce is more likely to misuse social media on the job and off,” said Apgar. “And, [they could] inadvertently post patient information if they aren’t fully trained regarding the dos and don’ts of social media.” Documenting the plan, he continued, offering ongoing workforce training, the use of encryption, having a usage policy, and communicating to staff about expectations off the clock are all mitigation strategies for reducing your risk.
5. The patients themselves. “Your patients may not always follow security or privacy practices with their own personal information,” said Arevalo. “Whether self-disclosed, or disclosed by a third party, the information can cause you harm.” She added you most likely don’t have control over how patients treat their own data, and you don’t have a regulatory responsibility when it comes to patients posting their own heath information to social media sites. “But there are risks that you should prepare for,” she said. For example, the posting of patient information that results in a breach doesn’t necessarily need to include the patient’s name. “If you post enough information where a ‘reasonable person’ can identify the individual you’re posting about, you have just breached a patient’s PHI,” said Apgar.
Follow Michelle McNickle on Twitter, @Michelle_writes