Social Media and Nurses

Infographic on how Social Media are being used...
Image via Wikipedia

Facebook, Twitter, blogging, and all the other social media tools, oh my! I have been wading through the realm of social media and health care, specifically as it relates to nurses. Who owns you? Who controls what you can say?  I am interested in this topic for many reasons. I am currently writing a book based on my work as a nurse practitioner providing health care to homeless people. Most of my chapters use a specific patient to illustrate larger issues related to homelessness. I have changed patient names, ages and other demographic data—but is that enough to protect identities? In narrative non-fiction, the use of ‘composite’ patients (blending aspects of more that one person in order to hide identities) is frowned upon—at least by purists with a journalistic bent. As a nursing professor, I assign classroom writing assignments relating to narrative medicine/nursing, encouraging students to use a specific health care experience (as patient, provider or family member) and to use that experience to illustrate and examine health care policy issues. I encourage other nurses who are already in practice to speak out about workplace issues as a way of advocating for policy changes. I maintain my own Facebook page, I Twitter and I blog on nursing and health policy, while I maintain my own practice as a family nurse practitioner and as a university professor. What can I say and not say both legally and ethically? What can any nurse say both legally and ethically?

Obviously I am not a lawyer, nor am I an expert on the nuanced legalities of social media, which seem to be amorphous. What I share here is what I have been able to cobble together from a myriad of sources.

Theresa Brown, RN who is a regular contributor to the NYT Well Blog states that HIPAA (Health Insurance Portability and Accountability Act of 1996) rules are easy once you know them: a patient can identify him or herself in whatever you write, but no one else can. (But how can you know that when you are writing it?) Theresa Brown writes about specific patients she works with as a staff nurse on a hospital oncology ward. She also writes about specific interactions she has with other hospital staff, including physicians. For her book Critical Care (harperstudio: 2010) she mixes up the patients by changing race or gender as a way of protecting identity. She can’t do that for her NYT essays for journalistic “truth” reasons, but then she doesn’t disclose a patient’s race, exact age, or physical appearance as a way to protect patient privacy. She states that the hospital she works for tried to get her to have all of her NYT Well Blog essays ‘approved’ by them before publication and she refused, stating that this requirement would not hold up in a court of law. I think that worked in her case because of who she is (for instance, she survived getting tenure at Tufts before becoming a nurse—plus she is writing for the NYT Well Blog). The hospital administration backed down, but they agreed that she would not name the hospital she works for. However, when she was invited to the White House to meet with President Obama during Health Care Reform debates, her hospital was eager to have her identify them as her employer. (see her article, “Nurse as Writer, Writer as Nurse” Clinical Journal of Oncology Nursing, 15(2) April 2011).

Hospitals are risk adverse and tend towards paranoid status. They like tapping into the power of social media for their own benefit, as a way of attracting potential (paying) patients. A rapidly growing number of US hospitals currently have some social media/Web 2.0 presence. Hospital social media staff members also scan other social media sites for any possible negative news items about their hospital, or any infractions of patient privacy by hospital staff that could lead to HIPAA violations and/or lawsuits. Hospital managers and other staff are encouraged to report possible infractions—effectively to rat on their co-workers over their social media use. The recently released 2011 AMA Policy: “Professionalism in the Use of Social Media encourages physicians to self-police other physicians for unprofessional conduct on social media before resorting to ratting to “appropriate authorities.” The ANA has no policy or guidelines on professional use of social media for nurses.

Many hospitals now have policies restricting use of social media by staff, including residents and physicians. These restrictions range from the concrete/understandable, such as “don’t Tweet from the OR, or add a patient photo on Facebook, or friend a patient on Facebook” to the fuzzy “don’t say anything on social media that you wouldn’t say in a faculty meeting or to a member of the media.” From personal experience, I can say that the latter is highly subjective and not very helpful as a guide. Equally fuzzy is the “elevator rule:” don’t say anything you wouldn’t say on an elevator. That would depend upon the elevator location and whether or not you are on the elevator by yourself… Not a helpful rule.

HIPAA strikes fear into many a health care provider’s heart. The US Department of Health and Human Services (HHS) Office for Civil Rights can levy steep fines on hospitals and individual health care providers for knowingly or unknowingly breeching any of the myriad rules of HIPAA. The University of California at Los Angeles Health System has just agreed to pay a $865,500 fine and add corrective actions in a case where employees viewed electronic medical records of two celebrity patients (for non-patient care reasons). Individual health care providers can be assessed a $50,000 fine and up to a year in jail for knowingly disclosing individually identifiable patient information. Health care providers (mostly nurses and ‘below’) can and have been fired from hospitals and clinics for HIPAA violations.

Just what is individually identifiable patient information? Having read the fine print of HIPAA (available on the HHS website), this includes the obvious date of birth/death, address, Social Security number, fingerprints/other biometric identifiers, and medical record number—to the less obvious age (OK to use an age of a patient up to age 89—after that you need to use ‘age 90 or older’). These unique identifiers have to be removed for individual patients, as well as for “relatives, employers, or household members of the individual.” The HIPAA privacy rule protects all individually identifiable health information “or information for which there is a reasonable basis to believe can be used to identify the individual.” This last stipulation of the privacy rule is where it gets fuzzy and where paranoia can set in.

In 2007 a group of medical bloggers got together to form the Healthcare Blogger Code of Ethics. It acknowledged that bloggers in the medical field have unique legal, ethical and professional challenges to blogging. The code was also developed in response to many medical bloggers being pressured by employers or academic institutions to stop blogging or face consequences, including termination. The code included issues of transparency (limiting anonymous blogging), commercial disclosure, civil discourse/courtesy, reliability of information/citing sources, and patient confidentiality. They developed a system for medical bloggers to apply for membership, be screened for ‘certification’ and then if they passed they could place the Healthcare Blogger Code of Ethics seal on their website to reassure readers (and employers).

I applaud HIPAA and its emphasis on increased patient privacy and security of health care information. I value the privacy of my own health care information. As a health care provider, I honor the trust patients need to have within the health care encounter. Egregious breaches of patient privacy by nurses and others on the health care team are rare, but need to be dealt with quickly and severely. But what concerns me is how HIPAA—as it is broadly interpreted by risk-averse hospital administrators—is further silencing nurses, and hindering their involvement in constructive health policy discourse. We need a more uniform, sane, and concrete guideline on patient privacy and health care providers’ use of social media.

Some resources:

The Healthcare Blogger Code of Ethics seems to be migrating from Blogspot to WordPress, so their website information isn’t currently available or I’d link to it here.

AMA Policy: Professionalism in the use of social media

“When Facebook goes to the hospital, patients may suffer: Social networking sites can bolster the image of medical facilities, but privacy standards can easily be violated.” By Molly Hennesey-Fiske. The LA Times, August 8, 2010.


HIPAA at 30,000 feet/ October 22, 2010

At 30,000 feet cruising altitude on a four-hour direct flight between Seattle and NYC, my seatmate pulled out a two-inch sheath of papers, put them on her seat tray table and started writing on them. I was knitting and had my headphones on, trying to relax. I glanced down to see what she was working on and saw that they were patient charts. Individual progress notes complete with full names, dates of birth, addresses, insurance carriers, presenting complaints, physical exam findings, medications, diagnoses and treatments. I discovered all of that by small furtive glances past my knitting project. I tried not to look, but it is like trying not to look at an attractive person starting to undress in public. You know you shouldn’t be looking but it impossible not to.

My seatmate’s progress notes (along with the familiar blue and white billing/encounter forms) also had her name on them and the name and address of the clinic where she worked. From the range of patients she had seen, she must be a family physician. The clinic is outside of Seattle—sort of in the country. But still, I am fairly sure that she is aware of HIPAA and that it is rather odd (and I’d say unethical) behavior to be charting on an airplane. She worked on these charts for three hours, after which she laid her head back to rest, thought better of it and turned the top page over to cover the information. As if that took care of the patient confidentiality part of having just waived patient information under my nose for the past three hours? Oh yes. The other thing that I found fascinating is that all of the patient progress notes she worked on were from over a month ago. And it wasn’t like she had even made short notes already on the progress notes from (presumably) the day she had seen these patients. They were all blank except for the patient’s information and presenting complaint. Perhaps she has a good memory. Perhaps she was making it all up. Maybe she had had some sort of family emergency and hadn’t been able to chart on these people closer to the time she had seen them. But really, on an airplane?

I thought about saying something. I wondered if it’s possible to make a HIPAA citizen’s arrest at 30,000 feet. I did neither of course, and instead kept knitting and composing this blog post in my head. I kept wondering what all of those patients would think/say/do if they knew their personal health information—psoriasis, acne, domestic violence injuries among others—was being displayed on an airplane. I also thought about how it was likely her patients were from a low-income community clinic of some sort, since many of them had no insurance. Would a family doctor from a more upscale clinic be charting on paper progress notes on an airplane? I doubt it. So this leads me to wonder about the inequity even in the application of HIPAA and patient privacy in the US. HIPAA seems to be more about protecting the health care system than protecting individual patients—at least how it has been interpreted and applied. For instance, at a community clinic I recently worked at, the clinic administration decreed that we as providers could not provide patients or parents of children copies of their immunization record. At least we couldn’t give it to them the day they asked for it. Instead, they had to fill out/sign a record request form that went to medical records and presumably several weeks later they could come back to clinic and get their immunization record. When we questioned this, the clinic administration said it was “HIPAA rules.” As if.