Posted on 10.27.2010
A Brave New World for Covered Entities and Business Associates: HIPAA and Web 2.0
Important questions come up – from marketing, legal counsel and C-suite executives – when healthcare providers and their vendors approach the intersection of HIPAA and social media. Who is liable for employee postings made on a hospital’s Facebook page? What about provider comments made on a personal blog or Twitter account? And where does liability fall when patients or families take their own photos at a medical facility and post them on the Internet?
It’s an interactive world out there and anyone bound by HIPAA needs to have a firm grasp on the subject. The good news is that there are answers to these questions as well as systematic ways to address these legitimate concerns and avoid HIPAA violations.
The first step is to identify the issues and the boundaries. I discuss these concerns in greater detail in my recent blog post, Five Guidelines for HIPAA Compliance in Social Media, but here are a few key topline considerations:
• Remember who is bound by HIPAA: covered entities and their business associates (e.g. outside marketing firms, graphic designers, web developers, PR consultants, etc.).
• Equally important, remember who is not bound by HIPAA: patients and their families.
• Understand what information is protected under HIPAA: individually identifiable protected health information (PHI).
With these basics established, your organization can tackle the tougher questions, policies and protocols that shape the day-to-day decision making required to maintain a social media site. (To read more about protocols, check out another Lovell blog posting.)
I’m certainly not a lawyer and we are not offering legal advice…but here are some pointers that can help you begin the conversation with legal counsel with information in hand that will help lead to “Yes, that is reasonable” instead of “No way!”
• Clarify the responsibilities of covered entities/business associates as the sponsor of an online forum.
• Develop and implement a clear social media policy for personal and professional references to the organization and to patients. Extend your existing code of conduct one step beyond an Internet usage policy to cover Web 2.0 technologies.
• Conduct frequent employee training about HIPAA privacy and security in the context of new technologies.
• Post a Comment Policy on your Facebook Page – written in lay language – to explain the reason for the forum and your policy for removing posts.
• Develop standard approved responses to use when an online conversation veers into protected health information.
• Establish safeguards to discourage patients and visitors from taking photos of other patients or otherwise revealing someone’s PHI.
• Require business associates to participate in training or require some other form of extra accountability.
And, to see more information about the innovative ways healthcare organizations are using social media, check out this red hot update from Rosemary Plorin!
What protections has your organization put in place to address HIPAA concerns in a Web 2.0 world?
*Rosemary Plorin and Andrea White recently presented on the Intersection of HIPAA and Social Media at the annual conference of the Tennessee Society for Healthcare Marketing and Public Relations