“Discoverability” of Social Media Content Highlights Security Risks

Healthcare Risk Management Perspective on Social Media

by Doug Pollack, ID Experts

I attended a session at this week’s ASHRM titled Social Media in Hospitals: a Lawyer’s Perspective. It was a terrific overview of what a nightmare social media is becoming for privacy and risk managers in the hospital setting. It was a great discussion that highlighted the evolving nature of data breaches and how they are created.

Each of the three attorneys took on litigation, privacy and employment issues that are exacerbated by social media. While all were very interesting, I’ll focus this post primarily on the privacy issues.

To start off, it was clarified that “any communication via social media that includes PHI may be without consent, probably is not secure, and almost always a breach.” The challenge is that an increasing portion of the hospital workforce, including doctors and nurses, maintain Facebook pages, use Twitter and participate in other social media outlets.

They described a situation where a doctor posted information “about” a patient on their Facebook page. The post did not include the name of the patient, but because of the content of the post, it was possible for others to “determine” the patient’s identity. In this circumstance, the doctor was fired by the hospital and reprimanded by the licensure board for unprofessional conduct.

They also noted that social media posts, whether public or private, are “discoverable” as part of the legal process. Courts consider social media just another means of communication and have determined that “there is no social networking privilege in discovery.”

Examples such as this doctor’s Facebook post combined with the “discoverability” of social media content highlight the extreme risks that are posed by the use of social media within the context of healthcare. As noted, Facebook and other social media posts by any member of a hospital’s workforce about patients, no matter how circumspect, have the potential to be a HIPAA violation. And disciplinary actions can be rapid and severe.

One somewhat obvious conclusion by this panel was that hospitals should minimally have a social media policy that they characterized as “Thou Shalt Not Use Facebook at Work”. It certainly doesn’t address all of the risks and issues, but it is a start.

Doug Pollack, CIPP, is chief strategy officer at ID Experts, responsible for strategy and innovation including prevention analysis and response services. As a veteran in the technology industry, he has over 25 years of experience in computer systems, software, and security concerns focusing on creating successful new products in new emerging markets. Prior to ID Experts, he held senior management roles at Digimarc, several successful software startups, 3Com Corporation and Apple, Inc. Doug holds a BSEE from Cornell University and an MBA from the Stanford Graduate School of Business.