Category: Crisis Communications
When A Crisis Goes Viral
by Rebecca Kirkham on September 7, 2010 | no comments
in Crisis Communications, Healthcare, Social Media
It’s no secret healthcare providers are embracing Facebook, Twitter and other forms of social media to connect with patients. According to new research, an estimated 90 percent of hospitals use social media and up to one third have a formal social media plan in place. But embracing social media also means committing to a new level of transparency – something many providers may not fully understand until the chips are down.
While most organizations want to be open and honest in a crisis, many find that’s easier said than done. Too often, the commitment to maintaining transparency gives way to a bunker mentality at the first glare of the media spotlight. That’s why it was refreshing to read about one hospital that not only responded to its critics, but also took the time to really listen to them as well.
Ball Memorial Hospital made national news last month when it issued an apology to a transgender woman who complained she was mistreated during a visit to the hospital’s emergency room. The patient’s Facebook post about her experience went viral, resulting in a full-scale social media assault. To its credit, the hospital addressed the issue head on – acknowledging the incident on its own Facebook page (which had been deluged with negative comments) and issuing a series of statements expressing concern and, ultimately, regret for what had transpired.
But more importantly, Ball Memorial took action. Administrators reached out to the patient to apologize for her experience and involved her in their decision to partner with local advocacy groups to develop lesbian, gay, bisexual and transgender (LGBT) awareness and sensitivity training for employees. By gaining her support, the hospital was able to resolve this crisis and take the first steps on the path of change she sought.
This hospital’s very public gaffe – and their skillful handling of the public outcry that ensued – serves as an important reminder of the role transparency should play in not only social media efforts but crisis communications in general. Too often, an organization’s first instinct is to bury its head in the sand when confronted with an ugly truth. Others chose to handle matters privately – a luxury social media forums simply don’t allow. However, throughout this incident Ball Memorial demonstrated a willingness to listen, acknowledge its own failings and provide detailed information about how it would remedy them. The hospital also resisted the urge to remove negative postings on its own Facebook page and, instead, used the forum to address the situation directly through official statements and news articles.
While it’s easy to focus on what Ball Memorial did wrong, I think it’s equally important to give them credit for what they did right. When the situation first became public, the hospital CEO said the institution had “failed to live up to its brand promise.” By addressing the situation publicly and following through with meaningful action, the hospital reclaimed ownership of that promise and used the very forum the helped fuel outrage to quell it. Another great reminder that while maintaining transparency isn’t always easy – it usually pays off.
When It “Hits the Fan” Is the CEO the Best Spokesperson?
by Paula Lovell on June 10, 2010 | 1 comment
in Crisis Communications, Media Relations, public relations
Over the years, I’ve had some clients take the position that we shouldn’t use their company CEO as a spokesperson during a crisis. “We need to shield him/her from all the negative media coverage,” I’ve frequently heard.
And I remember when first learning the PR business, I took a media training course from a nationally renowned firm where they preached that you should do everything possible to preserve the firewall around the CEO. “Don’t put the CEO out there unless absolutely necessary because that implies the situation has escalated to a level that involves the senior leadership,” was the prevailing mantra. But that was before the proliferation of citizen journalists and subject-expert bloggers created an era of transparency.
Today, the public expects an almost immediate response from corporate America and its CEOs, and when they don’t get it, they go viral with their disappointment and outrage. When a company fails its stakeholders, they expect leadership to own up to it, and they want the message delivered by someone at the top.
By addressing a crisis directly in an open and transparent manner, CEOs have the opportunity to build credibility or perhaps recast events in a different life. That said, there may be times when a CEO is not the most appropriate spokesperson. For example:
- Local issues should stay local – there is no advantage to unnecessarily elevating the attention level
- Sometimes it’s better to defer to a subject matter expert on a complex matter
- If your CEO is a bad communicator or, even worse, a loose cannon – don’t risk it
- While most issues of substance demand a high level response, there may be issues that aren’t fair to attend to your CEO (i.e., politics, unrelated criminal matters, certain legal issues, etc.)
Let’s say it’s a new CEO who’s been brought in to mop up a corporate mess. Should the CEO step out there and take ownership even though she only inherited the problem and is, in no way, culpable? On the one hand, why taint the new leader with the fallout from mistakes made by a former CEO who may have already taken the hit by being asked to resign? On the other hand, if the new CEO brings a renewed ethical approach, improved business practices and a commitment to fix what’s broken, why wouldn’t you want to identify the new person with the company’s promise to make things right?
The question of whether or not to bring in your CEO to either defend or apologize for a company’s actions is sometimes a tough one, and the answer is rife with caveats. As with most things in PR, there is no “one size fits all” answer. The right thing to do depends on the circumstances and the players involved.
Proceed with care.
No, really. They are serious about it.
by Andrea White on May 14, 2010 | no comments
in Crisis Communications, Healthcare, Organizational Behavior
HIPAA Enforcement is Hiring and Gearing Up for More Activity
Alerting all healthcare communications staff: we have fresh confirmation that a new era of diligence has begun at the Office of Civil Rights (OCR) for HIPAA enforcement of privacy and security. And as you know, security breaches lead to public relations nightmares, especially when a regulatory investigation is involved. And, officials are reminding us that they can now impose penalties of up to $1.5 million per violation.
Since the enforcement of HIPAA regulations moved from HHS to OCR in 2009, and actual enforcement began in February of 2010, there have been more than 75 health information security breaches reported that affect 500 or more people. OCR is taking this trend very seriously. In fact, Susan McAndrew, deputy director for privacy for OCR, made some enlightening comments earlier this week at an OCR-sponsored conference held in Washington, D.C.
It turns out OCR has added more investigators to their staff in 10 regional offices with the goal of investigating even more security breaches per year than had been projected when the office first staffed up. Right now they are conducting “compliance reviews” to help the 75 organizations with existing data breach issues to take corrective and preventative actions.
But consultants from Booz Allen Hamilton are in the process of helping OCR launch a new model for security rule audits – one that prioritizes pre-emptive action. Later this year OCR plans to begin these proactive audits of covered entities and business associates. Their goal is to identify and address security weaknesses in advance so that breaches are prevented.
Reports from the conference indicate that the auditors will be checking to see if organizations have completed their risk assessment and implemented appropriate administrative, technical and physical safeguards for protected health information (PHI). They will also be evaluating the organization’s efforts to uphold an individual’s right to access their own medical record and confirming that internal controls have been put into place to control unauthorized access to PHI.
Advice from the Information Security professionals on the front lines?
- Create comprehensive security policies and procedures based on thorough risk assessments;
- Train and re-train staff on steps to keep information secure;
- Consider whether to store sensitive patient data on fewer mobile devices; and
- Be sure to shred paper documents before disposal and destroy hard drives no longer in use.
Most of the security breaches to date have been the result of hardware theft – laptops, hard drives, thumb drives, etc. As a result, most information security officers are starting with enhanced protocols around encryption and making strategic determinations about what data should be stored on these devices, as well as enhancing physical security.
This doesn’t end at the doors of your organization. A new report from New Mexico serves as a warning to healthcare organizations nationwide to check on the security protocols of subcontractors. The New Mexico Medicaid program is currently advising almost 10,000 people that their medical data has been compromised due to a computer theft from the car of a subcontractor.
Some other risk factors have come up that are less obvious. Leased copiers with a hard drive may be a security risk if the hard drive is not wiped before returning it at the end of the lease. Likewise, phones and voice mail, as well as email, are not generally encrypted, leading to another set of risks. And in one case, a security patch download for one software program endangered the security of PHI held in another program on the same system.
But honestly, the most prevalent risks stem from inadvertent actions by employees. One of the most important things that an organization can do to avert breaches is to adequately train employees and provide clear guidelines about protocols, the reasons for those protocols, and the risks associated with breaking those protocols.
As the person charged with communicating the value of the brand, you are in a unique position to assist in this kind of employee communications in a way that will bring it all home to them and people will remember what is at stake when protocols are inconvenient.
The bottom line is that communicators have a key role to play. Let’s face it. For all of their good intentions the CIO, CFO, and legal officers of a healthcare organization may not be able to provide a good calculation of the impact this kind of breach will have on your market reputation and the costs required to repair it after a breach. Patient loyalty, brand reputation, and good relations with other health information business associates are assets with value, and this value needs to be reflected in the organization’s thorough risk assessment.
So is your healthcare organization ready for an OCR audit?
Have you included all of the true risks in the risk assessment?
What are you doing to better protect your data, train your employees, and prevent data breaches?
Any advice for your peers in other organizations?
Andrea White specializes in communications issues related to health information technology and the HITECH Act. Stay tuned for more blog entries on this subject in coming weeks!
Sources:
“Breach List: A Call to Action? With so many incidents, security funding could get a boost,” http://www.healthcareinfosecurity.com/p_print.php?t=a&id=2505
“HIPAA Audits: A Status Report,” http://www.healthcareinfosecurity.com/articles.php?art_id=2517&rf=2010-05-12-eh
“OCR Boosting Security Enforcement,” http://www.healthdatamanagement.com/news/privacy_security-40268-1.html?ET=healthdatamanagement:e1267:25859a:&st=email&utm_source=editorial&utm_medium=email&utm_campaign=HDM_Daily_051210
“N.M. Medicaid Breach Affects 9,600,”
http://www.healthdatamanagement.com/news/breach-theft-laptop-medicaid-40279-1.html?ET=healthdatamanagement:e1269:25859a:&st=email&utm_source=editorial&utm_medium=email&utm_campaign=HDM_Daily_051310
“Civil rights office steps up health privacy enforcement,” http://govhealthit.com/newsitem.aspx?nid=73735
Why Nashville’s Flood Didn’t Make National Headlines
by Jan Morrison on May 5, 2010 | 7 comments
in Crisis Communications
Three days after it started raining and kept raining in Middle Tennessee, the national media finally caught up to this major national disaster by reporting on the devastating floods that ravaged the Nashville Metropolitan area (Metro).
Yes, it was a third in a series of major national disasters (the oil spill in the Gulf and the failed Times Square bombing attempt) that were already filling the airwaves, but I think another major factor in the lack of national media attention was the way the disaster was handled here locally.
It was not a PR nightmare. It was handled with relative calm, an organized response and a lack of sensationalism. I’ve only heard one or two reports of looting and have seen 1,000 times more instances of volunteerism than criminal activity.
Much of the credit for this goes to Nashville Mayor Karl Dean and all of the heads of Nashville’s public agencies for being organized and acting quickly. When the city saw the flood waters start to rise on Sunday, Dean called a press conference with representatives from every possible Metro agency. He addressed the city with facts and real information. He anticipated that the media would have questions about schools, water, sanitation, power, FEMA, road closures and lots of other topics, so he asked individuals representing the following agencies to address media questions at the press conference:
- Metro Nashville Public Schools
- Metro Police Department
- Metro Public Health
- Nashville Electric Service
- Metro Water Services
- Nashville Emergency Management
My inside sources within the media also told me that Mayor Dean asked members of the media to arrive almost two hours before beginning the press conference. That way, they could arrive on time to set up their feeds and prepare to go live at the time of the press conference.
Kudos to Mayor Dean for responding to the crisis early, calmly and with honesty. He has collaborated with Metro agencies to disseminate as much accurate information as possible. He has even worked to prevent further catastrophes. He and Metro Water Services are encouraging residents to cut their water use in half while one water treatment plant is flooded and inoperable. If he and Metro Water Services were not encouraging this activity now, we would be hit by another serious emergency very soon.
Mayor Dean provided proof of what we in PR already know about crisis communication. We know that when a crisis hits:
- Remain calm.
- Be honest.
- Develop a plan.
- Communicate the plan.
- Follow through with your plan for recovery/change or anything else that may change going forward.
Those of us in Middle Tennessee are very proud of the way residents and Metro agencies responded to this tragedy. It’s time to continue in the same spirit that got us where we are now. We must remain calm, be honest, develop a plan and execute the plan that leads to the path of recovery.
To volunteer for flood relief efforts in Middle Tennessee, please register with Hands on Nashville.
The power of “sorry”
by Rebecca Kirkham on April 29, 2010 | 1 comment
in Crisis Communications, Healthcare, Organizational Behavior
Mistakes happen. It’s a sad truth that anyone who works in healthcare – even those of us far removed from the frontlines – knows all too well. However, I recently caught a fascinating new documentary that made me think about patient safety in a new light.
Narrated by actor Dennis Quaid, whose newborn twins almost died as a result of an overdose of a common blood thinner, Chasing Zero: Winning the War on Healthcare Harm, provides insight into why mistakes occur and what can be done to prevent them. For example, I was fascinated to learn that a survey of board members at hospitals with poor quality performance revealed that nearly all of them regarded their quality as “above average.” As you can imagine, this kind of denial factors heavily into a hospital’s willingness to adopt systems, technology and a culture that supports patient safety.
Denial can color how providers handle mistakes as well. Many providers who have erred immediately go on the defensive, avoiding direct communication with the patient or routing all contact through risk managers or attorneys. (While it should be noted that Quaid now praises the hospital that made the mistake with his twins for its willingness to enhance patient safety protocols, it’s jarring to hear him recount how he learned of the error).
Though powerful in its own right, the documentary made me reflect on the Sorry Works movement, which advocates direct communication between hospitals and patients or families who have experienced harm as a result of a preventable medical error. The Sorry Works initiative encourages hospitals to:
- Tell the patient or family what happened in plain language;
- Accept responsibility as appropriate;
- Apologize;
- Describe what will be done to prevent similar events in the future.
It’s a simple, common-sense approach that has helped many hospitals reduce litigation while fostering goodwill with external audiences. Most importantly, it provides immeasurable comfort for patients and families. Though it was developed for use in a healthcare setting, any business can use these same principles to navigate a crisis. I highly recommend reading more about Sorry Works and taking the time to watch this fascinating documentary.
Healthcare Marketers: Get to Know Your CIO
by Andrea White on April 13, 2010 | no comments
in Crisis Communications, Healthcare, Organizational Behavior
The HITECH Act has significant implications for communicators
A whole new area of risk is coming to the fore as the country rapidly moves to digitized personal health information (PHI). Physicians and hospitals will soon receive enhanced reimbursements for using electronic medical records and earn incentives for sending electronic prescriptions. As usage of electronic PHI grows, there are new risks for breach of that very sensitive data, and healthcare communicators need to be ready.
Since new notification regulations went into effect on February 22, fifty-six data breaches have been reported in which the PHI of 500 or more people has been put at risk. I know this because it is posted on the HHS web site mandated by the HITECH ACT. But for even more information on the subject all I have to do is turn to HealthInfoSecurity.com and the Open Security Foundation, both of which search primary and online news sources to gather information on new data breaches and further spread the news. It is easy research to do…for me or for a reporter.
Professional healthcare communicators know that a large PHI breach requires at least a substantive and reassuring press release and similar notification for affected individuals. But did you know that there are now regulations for exactly what that press release and personal notification must include, when they must occur, and what resources must accompany them? If you post an announcement on your web site, utilize a 1-800 number, or make resources available online, there are additional guidelines that must be followed.
As communicators charged with restoring your organization’s reputation once a crisis has occurred, this may be an opportune time to go have lunch with your CIO, become familiar with the security safeguards that are in place for PHI, and learn about the regulatory requirements. Think of it as business continuity or disaster planning.
The potential costs are real. The Poneman Institute conducts an annual study across industries to measure the real costs of data breaches including legal expenses, the cost of investigation and consultants, loss of customers, and other factors. In 2009, the average cost per compromised record was $204 — which adds up very quickly since any breach generally impacts large numbers of records. 2009 incidents studied by Poneman ranged in cost from $750,000 to nearly $31 million. And, predictably, they observed more volatility around healthcare customer churn than in any other industry.
Here are some steps you can take now to prepare for a possible PHI breach in the future:
- Understand the potential cost to the organization’s brand, to patient loyalty, and in actual expended dollars.
- Work with your I.T. department to conduct a technical risk assessment and understand the scope of data that might be affected.
- Learn about the security safeguards already in place in your organization and get a high level understanding of how the data systems are structured. Draft some talking points in advance for quick reference.
- Assist employee training efforts to prevent inadvertent data breaches. As a professional communicator and steward of the organization’s brand, you should be the perfect person to develop the messages regarding what is at stake.
- Get a working knowledge of the regulatory language around data breach notification to individuals and to the media.
- Develop a quick reference plan encompassing practical steps and regulatory requirements for what to do after a breach.
So far, planning for HITECH has stayed in the CIO’s court, but it is time for Communications to get in the game as well. Don’t wait for a breach to happen before learning about your data systems and related regulations. Just think how much easier it will be to translate it all into English now rather than waiting until you are in the crunch.
Andrea White specializes in communications issues related to health information technology and the HITECH Act. Look for more blog entries on this subject in coming weeks!
Lessons from a crisis: how Toyota lost its way
by Rebecca Kirkham on March 25, 2010 | no comments
in Corporate Communications, Crisis Communications, public relations
Like many of you, I’ve been following the Toyota recall with great interest. Aside from the many PR lessons to be learned, I’m fascinated by the role Toyota’s corporate culture seems to have played in shaping not only the company’s response to the crisis but also in shaping the very crisis itself.
Revered for its meticulous attention to quality, many industries – including healthcare – have tried to take a page from Toyota’s playbook, developing ‘lean’ business processes and encouraging employees to take ownership of quality. The famed “Toyota Way” empowers employees to pull the andon line – a cord placed on every assembly line – and stop production when they see a problem. It also advocates going to the root of a problem to solve it and sharing that information across the company.
However, new reports suggest Toyota’s top management may not have been practicing what it preached. A recent Wall Street Journal article examined how the company’s secretive culture likely contributed to its problems. Long known to regulators as being resistant to outside input, Toyota appears to have turned a blind eye to information coming from within its own organization as well.
After the first cases of sudden acceleration were reported in 2004, the company worked with the National Highway Traffic Safety Administration on multiple investigations over the course of three years – each time denying problems. Even as a 2007 probe resulted in the recall of 55,000 vehicles for floor mats that could pin the gas pedal, Toyota insisted no defects existed. It continued to make this claim as new reports of fatal crashes tied to sudden acceleration – including those involving vehicles without the defective floor mats – began trickling in.
At the same time, Toyota was dealing with similar problems across the pond. Incidents of sudden acceleration in Europe were traced to a defective part in the gas pedal – a problem that would later be linked to a second, much larger U.S. recall. However, the company failed to share this information across its own organization. Even as the pedal was being redesigned in Europe, Toyota was insisting a similar problem didn’t exist in the U.S. It later admitted it “failed to connect the dots.”
While it’s easy to play Monday morning quarterback, it certainly appears Toyota’s arrogance factored heavily into its current situation. Had the company pulled its own andon line at the first sign of trouble, perhaps it might have been able to avoid production shut-downs and plummeting sales. More importantly, lives might have been saved.
This story serves as a powerful reminder that a company’s culture – no matter how renowned – must continually be nurtured. And that starts at the top.
PR and Legal Counsel: Uneasy Bedfellows and Strategic Partners
by Rosemary Plorin on March 23, 2010 | no comments
in Corporate Communications, Crisis Communications, public relations
I have been blessed to work with some of the finest corporate attorneys in the country, but it is not always an easy partnership. At times it can seem like legal and PR professionals are formed differently in the womb. But when these experts make a love connection, the work product can be truly magnificent.
Because of my work in corporate crisis communications, I frequently interact with general counsel and corporate litigators in the areas of regulatory compliance and medical liability. These legal professionals are navigating highly sensitive issues that threaten significant consequences to their company or client – consequences like million dollar fines, restrictions on business development, cessation of the company’s operations and even jail time.
In my experience, productive and reciprocal relationships with attorneys correlate to successful business outcomes. Attorneys who understand and appreciate – though sometimes grudgingly – the perspective of public relations professionals prove to have their clients’ best interests at heart … not just their legal interests. Some attorneys will go so far as to acknowledge that PR professionals bring a different and valuable set of tools to the table that can, in some cases, actually help to pre-empt further legal tribulations.
But partnership between practitioners of these arts is not always comfortable, particularly when they are “thrown together” just as their client’s issue has caught fire. Consider how seemingly divergent legal and PR gut instincts can be:
Legal: “Say nothing.”
PR: “Be transparent.”
Legal: “Protect everything from discovery.”
PR: “Protect your stakeholders from surprises.”
Legal: “Preserve attorney-client privilege.”
PR: “Preserve the brand.”
Legal: “Keep your head down.”
PR: “Keep your relationships strong.”
But these natural tendencies can be overcome when the two functions work together to achieve common goals. Consider a few examples from our firm’s experience:
- We developed and helped implement a “Sorry Works” approach to a medical liability situation involving the preventable death of a 30-year old pregnant mother and her child; no civil suit was filed.
- We helped craft the legal response to a survey that was part of a regulatory investigation with the goal of preventing misleading sound bites that could be taken out of context. We also helped the client to educate reporters and explain the circumstances of the investigation. Ultimately, media coverage was minimal and neutral – though coverage of a very similar issue at another company was extensive and inflammatory … and damaging.
- After a crime was alleged to have occurred at a New Orleans business following Hurricane Katrina we worked closely with legal counsel and media to ensure the company was not inappropriately associated with the crime. Media interest has continued for years, but our client’s name historically appears in less than five percent of coverage.
In truth, legal and public relations professionals must work together on heated crisis issues.
Be assured, if PR is not brought to the table at the onset of the issue, they will be needed down the line.
Visit our blog next week when I discuss how the courts of law and public opinion intersect (with sparks) in the arena of social media.