This post explores the use of social media and mobile devices in the healthcare industry and the legal risks associated with such rampant use. It is not a question of whether or not covered entities ("CEs") should engage in this type of use; the fact of the matter is that they are doing so in large numbers. This phenomenon is not about to stop anytime soon, nor should it. Social media and mobile devices provide CEs with a way to engage their patients in a manner that allows them to differentiate their offerings in an increasingly competitive marketplace.
The real question is how to allow for such use in a manner that complies with the HIPAA Privacy Rule and the HIPAA Security Rule, and at the same time does not expose the CE (or BA) to potentially huge PHI data breach liability. There are instances where nurses have been fired for posting cell phone pics of patients on the Internet (clearly a HIPAA violation). These social media nurse firings are not nearly as isolated as one might think (see here and here). Obviously, we are not trying to single out nurses; they simply have had the misfortune of being caught.
Apparently it's either feast or famine with respect to IT usage in healthcare. Prior to the HITECH Act, an objective observer would have questioned whether healthcare information technology had made it into the 21st century. Now Twitter, Facebook, the Cloud, the iPhone, the iPad (name your phone and tablet of choice) and EHRs have forever changed all of that. It's game on! However, the patient (i.e. CEs) needs an intervention before unintended consequences force a timeout early in the first quarter.
You can't rely on a staff member making the leap from what shouldn't be said on a hospital elevator to posting a pic on Facebook.
It's a question of training. Simply telling staff that "if you wouldn't say it on an elevator then don't say it using social media" is NOT enough. Why? Because the context and the use cases are radically different. For example, now almost everyone with a phone is accustomed to taking pics with it. It feels like a "natural" thing to do, but it is obviously a HIPAA violation if the person you are taking a pic of is a patient and did not consent. Even if the patient consents to the pic, he/she clearly didn't consent to you posting it on your Facebook page.
Notice that there may not be any bad intent here at all. The staff member perhaps simply wanted to share an interaction that they had with a patient. The bottom line is that these use cases should be expressly discussed during training. You shouldn't rely on the staff member making the connection between the hospital elevator and a pic on Facebook.