Facebook, Twitter, blogging, and all the other social media tools, oh my! I have been wading through the realm of social media and health care, specifically as it relates to nurses. Who owns you? Who controls what you can say? I am interested in this topic for many reasons. I am currently writing a book based on my work as a nurse practitioner providing health care to homeless people. Most of my chapters use a specific patient to illustrate larger issues related to homelessness. I have changed patient names, ages and other demographic data—but is that enough to protect identities? In narrative non-fiction, the use of ‘composite’ patients (blending aspects of more that one person in order to hide identities) is frowned upon—at least by purists with a journalistic bent. As a nursing professor, I assign classroom writing assignments relating to narrative medicine/nursing, encouraging students to use a specific health care experience (as patient, provider or family member) and to use that experience to illustrate and examine health care policy issues. I encourage other nurses who are already in practice to speak out about workplace issues as a way of advocating for policy changes. I maintain my own Facebook page, I Twitter and I blog on nursing and health policy, while I maintain my own practice as a family nurse practitioner and as a university professor. What can I say and not say both legally and ethically? What can any nurse say both legally and ethically?
Obviously I am not a lawyer, nor am I an expert on the nuanced legalities of social media, which seem to be amorphous. What I share here is what I have been able to cobble together from a myriad of sources.
Theresa Brown, RN who is a regular contributor to the NYT Well Blog states that HIPAA (Health Insurance Portability and Accountability Act of 1996) rules are easy once you know them: a patient can identify him or herself in whatever you write, but no one else can. (But how can you know that when you are writing it?) Theresa Brown writes about specific patients she works with as a staff nurse on a hospital oncology ward. She also writes about specific interactions she has with other hospital staff, including physicians. For her book
Critical Care (harperstudio: 2010) she mixes up the patients by changing race or gender as a way of protecting identity. She can’t do that for her NYT essays for journalistic “truth” reasons, but then she doesn’t disclose a patient’s race, exact age, or physical appearance as a way to protect patient privacy. She states that the hospital she works for tried to get her to have all of her NYT Well Blog essays ‘approved’ by them before publication and she refused, stating that this requirement would not hold up in a court of law. I think that worked in her case because of who she is (for instance, she survived getting tenure at Tufts before becoming a nurse—plus she is writing for the NYT Well Blog). The hospital administration backed down, but they agreed that she would not name the hospital she works for. However, when she was invited to the White House to meet with President Obama during Health Care Reform debates, her hospital was eager to have her identify them as her employer. (see her article, “Nurse as Writer, Writer as Nurse” Clinical Journal of Oncology Nursing, 15(2) April 2011).
Hospitals are risk adverse and tend towards paranoid status. They like tapping into the power of social media for their own benefit, as a way of attracting potential (paying) patients. A rapidly growing number of US hospitals currently have some social media/Web 2.0 presence. Hospital social media staff members also scan other social media sites for any possible negative news items about their hospital, or any infractions of patient privacy by hospital staff that could lead to HIPAA violations and/or lawsuits. Hospital managers and other staff are encouraged to report possible infractions—effectively to rat on their co-workers over their social media use. The recently released 2011 AMA Policy: “Professionalism in the Use of encourages physicians to self-police other physicians for unprofessional conduct on social media before resorting to ratting to “appropriate authorities.” The ANA has no policy or guidelines on professional use of social media for nurses. ”
Many hospitals now have policies restricting use of social media by staff, including residents and physicians. These restrictions range from the concrete/understandable, such as “don’t Tweet from the OR, or add a patient photo on Facebook, or friend a patient on Facebook” to the fuzzy “don’t say anything on social media that you wouldn’t say in a faculty meeting or to a member of the media.” From personal experience, I can say that the latter is highly subjective and not very helpful as a guide. Equally fuzzy is the “elevator rule:” don’t say anything you wouldn’t say on an elevator. That would depend upon the elevator location and whether or not you are on the elevator by yourself… Not a helpful rule.
HIPAA strikes fear into many a health care provider’s heart. The US Department of Health and Human Services (HHS) Office for Civil Rights can levy steep fines on hospitals and individual health care providers for knowingly or unknowingly breeching any of the myriad rules of HIPAA. The University of California at Los Angeles Health System has just agreed to pay a $865,500 fine and add corrective actions in a case where employees viewed electronic medical records of two celebrity patients (for non-patient care reasons). Individual health care providers can be assessed a $50,000 fine and up to a year in jail for knowingly disclosing individually identifiable patient information. Health care providers (mostly nurses and ‘below’) can and have been fired from hospitals and clinics for HIPAA violations.
Just what is individually identifiable patient information? Having read the fine print of HIPAA (available on the HHS website), this includes the obvious date of birth/death, address, Social Security number, fingerprints/other biometric identifiers, and medical record number—to the less obvious age (OK to use an age of a patient up to age 89—after that you need to use ‘age 90 or older’). These unique identifiers have to be removed for individual patients, as well as for “relatives, employers, or household members of the individual.” The HIPAA privacy rule protects all individually identifiable health information “or information for which there is a reasonable basis to believe can be used to identify the individual.” This last stipulation of the privacy rule is where it gets fuzzy and where paranoia can set in.
In 2007 a group of medical bloggers got together to form the Healthcare Blogger Code of Ethics. It acknowledged that bloggers in the medical field have unique legal, ethical and professional challenges to blogging. The code was also developed in response to many medical bloggers being pressured by employers or academic institutions to stop blogging or face consequences, including termination. The code included issues of transparency (limiting anonymous blogging), commercial disclosure, civil discourse/courtesy, reliability of information/citing sources, and patient confidentiality. They developed a system for medical bloggers to apply for membership, be screened for ‘certification’ and then if they passed they could place the Healthcare Blogger Code of Ethics seal on their website to reassure readers (and employers).
I applaud HIPAA and its emphasis on increased patient privacy and security of health care information. I value the privacy of my own health care information. As a health care provider, I honor the trust patients need to have within the health care encounter. Egregious breaches of patient privacy by nurses and others on the health care team are rare, but need to be dealt with quickly and severely. But what concerns me is how HIPAA—as it is broadly interpreted by risk-averse hospital administrators—is further silencing nurses, and hindering their involvement in constructive health policy discourse. We need a more uniform, sane, and concrete guideline on patient privacy and health care providers’ use of social media.
The Healthcare Blogger Code of Ethics seems to be migrating from Blogspot to WordPress, so their website information isn’t currently available or I’d link to it here.
“When Facebook goes to the hospital, patients may suffer: Social networking sites can bolster the image of medical facilities, but privacy standards can easily be violated.” By Molly Hennesey-Fiske. The LA Times, August 8, 2010.