I’m attending the mHIMSS Virtual Briefing: Securing Protected Health Information held today from 12PM ET-3:15PM ET online at HIMSSVirtual.org. The event features several sessions on the best practices for mobile device use, BYOD (Bring Your Own Device) policy and practice; secure use of social media; and secure provider-patient communication.
The virtual event focuses on the challenge of maintaining mobile security while taking advantage of new technology to more efficiently and cost-effectively track patient health, convert to EHRs, share patient information and more.
The second session is (view the first, Protecting Health Information in the Era of Mobile Devices: The Practicalities & Problems of BYOD):
Secure Use of Social Media: Ensuring the Privacy of Protected Health
12:45 PM-1:00 PM ET
Speaker: Lisa A. Gallagher, BSEE, CISM, CPHIMS
Senior Director, Privacy and Security, HIMSS
Description: Hospitals have recognized the benefits of social media and are increasingly using it within their organizations for a variety of purposes – from professional collaboration and patient engagement to marketing and workforce recruitment. However social media presents several challenges within the organization, among these are the security and privacy risks associated with its use related to personal health information. In this session, these risks will be defined and effective, practical strategies to address them will be discussed.
- Understand the importance of managing the privacy and security dimensions of social media.
- Identify the major risks for information breaches in social media
- Using best practices, design and adopt policies to address those risks and minimize exposure while taking full advantage of social media in communicating with patients.
Social media offers an engaging way to interact with a population. Which social networks are U.S. hospitals using? See below:
What is healthcare using social media for?
- Managing conversation/interaction
- Marketing/brand management
- Manage Google rankings, web hits – more technical way to measure how your brand comes up in a Google search
- Engage e-patients – patients are increasingly more tech-savvy and already on social networks.
- Promote wellness – having awareness programs and using social media to promote them.
- Care management/care coordination – specific healthcare-related social media platforms allow clinicians to share information securely and even collaborate securely with patients
- Professional collaboration
- Consumer, patient, professional education – easy to deliver educational content.
- Clinical trial recruitment
- Workforce recruitment
- Ethical – employees may conduct themselves in a way not aligned with company’s policies; personal use may be unrestricted
- Security – an increasing number of security risks by hackers – online scams, password guessing, viruses and infected applications are examples. With data leakage, an employee can disclose patient identifiable information that shouldn’t be on social media channels.
- Ability to be responsive/bandwidth – patient interaction and response time are important within a dynamic environment.
- Control/monitoring employee behavior
- Invites negative comments/feedback – whenever an open forum is involved, you are inviting negative comments, and it should be expected. A plan should be in place to deal with negativity to protect the brand.
- Dominance of the loud and opinionated – certain users can be negative or dominate the conversation, so there should be ways to monitor, deal with and remove content.
- Ownership of data – this issue is quite complicated. There is no hard and fast rule about who owns the data. Within the legal community, the consensus is that it is difficult to apply copyright and trademark policies to online data (sidenote: DMCAs may be helpful).
Policy: Professionalism in the Use of Social Media (Example from the AMA, American Medical Association)
Especially relevant to the professional individual:
- Be cognizant of standards of patient privacy and confidentiality
- Use privacy settings to safeguard personal information and content to the extent possible
- Monitor their own Internet presence to ensure that the personal and professional information on their own sites and, to the extent possible, content posted about them by others, is accurate and appropriate
- Maintain appropriate boundaries of the patient-physician relationship in accordance with professional ethical guidelines
- Consider separating personal and professional content online
- If you see content posted by colleagues that appears unprofessional, he or she can be removed. If significantly violates professional norms and is not removed, report the matter to appropriate authorities
- Recognize that actions online and content posted may negatively affect their reputations among patients and colleagues, may have consequences for their medical careers (particularly for physicians-in-training and medical students), and can undermine public trust in the medical profession
Do’s & Don’ts
DO: “Engage and Educate”
- Have policies and procedures for your organization
- Train your staff, monitor employee behavior
- Know where social media is being used – Depts. and people. Do an inventory of current social media and what topics are being discussed.
- Use social media to share information that promote quality health care and up-to-date medical information
- Recognize that you represent your profession and/or organization
DON’T: “Diagnose or Treat”
- Discuss individual patient’s illnesses, medical conditions, or personal information online – can be a liability
- Share confidential information about patients or the organization
- Give clinical advice or diagnosis
- Let questions, inquires, posts go unanswered – this can be very frustrating to users.
- Let just anyone speak for your organization – designate certain users that can represent your organization.
Elements of a Social Media Policy – Employees
- Allowable Activities
- Creating/registering accounts – professional, personal
- Creating/registering organizational social media activities
- Appropriate behavior, other parameters
- Non-allowable Activities
- Organizational Confidential Information
- Patient information
- Legal Information
- Materials that belong to someone else
- Consequences for Violations
Social Media Considerations
- Is your organization using social media?
- For what purpose?
- Are all uses sanctioned?
- Does your organization have a formal policy?
- What challenges is your organization having?
- Does your organization monitor employees’ social media activities?
- What resources would you like to see?
Social Media Resources
- AMA: Professionalism in the Use of Social Media: http://www.ama-assn.org/ama/pub/meeting/professionalism-social-media.shtml
- Mayo Clinic for Social Media: http://socialmedia.mayoclinic.org/
- CSC: Should Healthcare Organizations Use Social Media?: http://assets1.csc.com/health_services/downloads/CSC_Should_Healthcare_Organizations_Use_Social_Media.pdf
- HCCA: Social Media Survey: http://hcca-info.org/staticcontent/2011SocialMediaSurvey_report.pdf
- Online Database of Social Media Policies: http://socialmediagovernance.com/policies.php#axzz1je5ucH7k
- Ed Bennett List of Social Media Use: http://ebennett.org/hsnl/
- Online Database of Healthcare Social Media Policies http://socialmediagovernance.com/policies.php?f=4