A Delicate Balance Between Patient Privacy and Healthcare Education
An important part of becoming a physician is to understand healthcare ethics and to espouse a high standard of professionalism. In fact, the American Association of Naturopathic Medical Colleges (AANMC) describes naturopathic doctors “as professionals who demonstrate a commitment to competence, integrity, ethics and the promotion of public good” in its description of naturopathic professional competencies. While medical professionalism is difficult to define objectively, there are certain aspects of healthcare law and ethics that have been clearly stated; namely the importance of upholding patient confidentiality as described in the Health Insurance Portability and Accountability Act (HIPAA) of 1996, a set of standards for the use and disclosure of an individual’s protected health information (PHI), enforced by the Department of Health and Human Services’ Office for Civil Rights (OCR).
With the rise in the use of smart phones and social media platforms and the increase of online searches for healthcare information, naturopathic physicians who are committed to the promotion of naturopathic healthcare education should be careful to uphold patient privacy in accordance with HIPAA regulations when utilizing social media.
Physicians, in embracing the Hippocratic Oath, attest to the importance of patient privacy when they pledge “whatever I see or hear in the lives of my patients, whether in connection with my professional practice or not…I will keep secret, as considering all such things to be private.” Failure to comply with HIPAA standards can result in criminal prosecution and/or civil penalties with fines up to $250,000 per violation. The HIPAA Privacy Rule outlines who is covered, what information is protected and how protected information can be disclosed; while the HIPAA Security Rule details what physical, administrative, and technical safeguards must be present to ensure electronic personal health information is protected. With the rise in the use of smart phones and social media platforms and the increase of online searches for healthcare information, naturopathic physicians who are committed to the promotion of naturopathic healthcare education should be careful to uphold patient privacy in accordance with HIPAA regulations when utilizing social media. This does not mean we should shy away from using social media to disseminate educational material and to promote our practices, but this should serve as a reminder that there is a right way and a wrong way to use the Internet for health care education.
Seattle-based healthcare attorney, Kristi O’Brien advises, “To avoid HIPAA privacy violations, healthcare providers should only write about general healthcare information and should refrain from discussing any particular patient’s circumstances, even anonymously.” Exceptions to the rules of confidentiality are described in statute laws that explain instances when patient privacy may be breached by a physician bound to a duty to report homicidal or suicidal threats, infectious diseases, suspected child abuse and gunshot wounds.
So in this era of tweeting and updating one’s “online status,” where does medicine and healthcare education thoughtfully coalesce and where do they clash? There have been numerous cases of healthcare promotion and medical voyeurism on various social media platforms, as was the case on February 22nd, 2012 when an open-heart surgery was broadcasted live over Twitter by a cardiologist at Memorial Hermann Northwest Hospital in Houston, Texas. The case of Congresswoman Gabrielle Giffords is another example of medical voyeurism when in 2011 she was a victim of a mass shooting; her doctors at the University Medical Center in Tuscon, Arizona were quick to announce, with permission from her husband, frequent updates on her health status to an engaged and concerned public. In contrast, Steve Jobs (former CEO of Apple Inc) gave permission for his medical team to release limited information on his health status. His transplant team at the University of Tennessee Health Science Center had issued a statement in 2009 confirming that Mr. Jobs had a liver transplant but that “the hospital respect[s] and protect[s] every patient’s private health information and cannot reveal any further information.”
Ms. O’Brien further addresses patient privacy breaches in social media, explaining, “providers can violate HIPAA privacy rules if, in the course of communicating via social media (such as blogging, tweeting, and posting on Facebook) they disclose any patient’s PHI. Even refraining from identifying the patient by name may not be sufficient if enough specific facts are disclosed to allow someone to deduce the identity of the patient or if the patient’s circumstances are sufficiently unique as to cause the patient to discern the provider is writing about him. Further risks occur if others have the ability to post to the healthcare provider’s website or social media channels, such as staff, patients, and the public.”
While the AANMC stresses the importance of “consistently [practicing] in a compassionate, ethical and legal manner,” it also encourages the promotion of education to patients, other healthcare providers and the public. As our profession is maturing and becoming more mainstream, we should be cognizant of professionalism and credibility when using a public broadcasting forum such as the internet since anything published on the internet, can be copied and widely redistributed. This does not mean we should be leery of publicly expressing educational material; but instead we should encourage the review of publishing standards and HIPAA laws so that we can present our unique and valuable perspective on health and wellness, without any breach of professional ethics.
10 Tips For Avoiding HIPAA Violations on Social Media
1. Don’t use names, demographics or other identifying information.
2. Check your privacy settings at least once per month.
3. If you reference a particular case, be as general as possible.
4. Consider having a separate account for healthcare information and “friending” patients
5. Understand how various social media platforms work so you don’t confuse private and public messages
6. Don’t store PHI on the hard drive of your mobile device
7. Mobile devices and laptop computers should be password secured, encrypted and have the capability to be remotely wiped.
8. Your staff and mid-level providers should be properly trained on complying with HIPAA privacy rules.
9. If patients can post comments on your website, review and approve comments before they are published.
10. Contact a healthcare attorney well versed in HIPAA if you have any questions or concerns.
Acknowledgements: I would like to thank Dr. Priscilla Natanson, a WANP member, for encouraging more discussions on the importance of patient confidentiality. I would also like to thank Kristi O’Brien, Esq. for sharing her expertise on HIPAA compliance and contributing to “Tips For Avoiding HIPAA Violations”; if you would like legal advice on ensuring your clinic is HIPAA-compliant, you may contact her for a consultation through her website (http://www.mpba.com/attorney_farris_obrien.php). For more information about HIPAA, please visit the U.S Department of Health and Human Services website at http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html.
The American Association of Naturopathic Medical Colleges. Professional Competency Profile. August 2007. http://www.naturopathic.org/Files/About_Naturopathic_Medicine/AANMC%20Competency%20Profile%203-31-08.pdf Accessed on June 2, 2012.
National Institute of Health, National Library of Medicine, History of Medicine Division. Greek Medicine: The Hippocratic Oath. NIH Website. http://www.nlm.nih.gov/hmd/greek/greek_oath.html. Accessed on June 2, 2012.
Moskop JC, Marco CA, Larkin GL, Geiderman JM, Derse AR. From Hippocrates to HIPAA: privacy and confidentiality in emergency medicine; part I: conceptual, moral, and legal foundations. Ann Emerg Med. 2005; 45(1):53-59.
Pender K. Giffords’ detailed updates, Jobs’ nondisclosure. San Francisco Chronicle. Thursday, January 20, 2011. http://www.sfgate.com/cgi-bin/article.cgi?f+/c/a/2011/01/19/BUH41HATCA.DTL&ao=all. Accessed on June 2, 2012.
O’Brien, Kristiana. [Healthcare Attorney.] Email Interview. June 12-13, 2012.