Facebook and HIPAA


dpmd

Got an email recently from the PD to all residents saying that we couldn't post things on Facebook about work even if there wasn't any identifying info. I got a gentle reminder about this from an attending from another specialty who I happen to be friends with (in life and on Facebook). This was in response to a post I made about my first day as a chief resident (our chiefs don't work in June so we get promoted early). As part of it I mentioned that I had to do a liver resection that I didn't know about prior to coming to work that morning. I am trying to understand how that would be a violation at all (my posts are visible to friends only). She said that someone who saw this could be able to figure out who the patient was since they know the date and location. But, how could they do that unless they knew the patient who had surgery (in which case the fact that I was involved in the case would be the only new info they learn, who cares), or had access to the OR schedule (in which case they would already have access to the patient). Help me understand if I am missing something legitimate, or just running into one of those things where needlessly strict policies get put in place just in case.
 

People get fired over inappropriate social networking on a not infrequent basis. Much like the "HIPAA what happened" thread, the hospital is going to be very proactive about monitoring and cracking down on any perceived violation. I know there have been cases that have been filed based on FB posts that didn't include the name or obvious demographic info. So while your case may not have been a true HIPAA violation, leaving a subpoenable data trail is not a wise move in general. And it's a bad habit to get into, since your expectation of privacy and the actual privacy afforded by FB are quite different.
 

That sums it up nicely. I'd also like to add that while your post didn't necessarily violate HIPAA IMHO, it's good to nip that stuff in the bud early. Once you get more comfortable posting like statements on Facebook, it's only a matter of time before you or one of your colleagues posts "ugh why can't 80 year old women just stinkin die already". The line gets pushed further and further until HIPAA and/or decency are violated.
 
I attended a break-out session on residents and the use of e-communication at an educational conference last year. I'm sharing my notes from that session as they seem pertinent to the topic:

Each institution should have (and probably does have) a policy regarding e-communication.

As part of the terms of service for participation, Facebook has unrestricted access to everything that’s posted on their site—they have proprietary rights to it and all data is perpetual, irrevocable and worldwide. Google also claims proprietary rights to content in your Gmail. Even items that you delete are still cached somewhere on the web.

Regardless of privacy settings, websites are insecure—they can be hacked, info can be leaked, and people that have been “friended” can copy/share the info (defeating the purpose of the privacy settings).

Suggestions:

Everyone has the right to free speech, so the use of personal e-communication can’t be banned. However, if you don’t want it on a billboard, don’t post it on a blog. Think of messages posted as part of a public conversation.

Make sure opinions expressed can’t be interpreted to speak for the institution’s policy. Best to include some auto disclaimer to that effect.

HIPAA must be followed at all times. Do not post even unidentified patient information or describe events to an extent that someone tangentially involved in a scenario would be able to identify the people involved. Do not use personal phones to take photos of a patient, even if it’s for an educational conference and identifying features are omitted (phones are easy to hack). Get patient permission before taking any kind of photo (and understand that the permission can be withdrawn at any point). Even if a patient has indicated that a work email address can be used to discuss their care, make sure he/she realizes that the employer may have access to the information (patients don’t always think about this).

Include e-communication policies and proper netiquette instructions during orientation.

70% of job recruiters have rejected a candidate because of information they have found online. (I think this includes any kind of job—not just residents trying to find employment after graduating).
 