The Ten Most Common Risks Online
A Primer for Health Care Professionals
Frustrated after a difficult encounter with a defiant patient, a nurse blew off some steam when she got home by posting an account of the incident on Facebook. In accordance with the Health Insurance Portability and Accountability Act (HIPAA), the nurse was careful not to include the name of either the patient or the hospital. But it wasn’t long before the hospital received an angry call complaining that the nurse was clearly referring to the caller’s mother, which meant that there had been a HIPAA violation.
Incidents like this are growing increasingly common in our digital age. “Social media misuse is definitely on the front lines now,” notes Karen Holder, an experienced nurse practitioner at North Country Healthcare in Arizona and a member of the PBI faculty. Another faculty member, Jon Porter agrees. Five years ago, he notes, he rarely saw a legal case involving electronic media. Today, the attorney, who defends physicians in licensure cases, says, “Almost every case I’m involved with involves some element of electronic media.”
Online violations of all sorts are fast outstripping the ability of laws and regulations to contain them. As far back as 2010, 92% of state medical board directors reported violations of online professionalism in their jurisdiction. And according to the Federation of State Medical Boards (FSMB), 71% of the boards held formal disciplinary proceedings as a result of those infractions.
The ten most common risks. So the next time you pull out your laptop or reach for your phone to send a text or email, or to visit Facebook or Tumblr, keep in mind the following:
- When you say something online, it’s public: One of the most common dangers people face online is that they tend to lose the inhibitions that normally keep them safe. “People don’t have a filter, because they’re not looking somebody in the eye. People who come across as nice and genteel say things that would make Howard Stern blush,” says Porter. “And what people seem to forget is that once it’s out there in the ether—whether it’s text, emails, or social media—it doesn’t go away; it’s there forever.”
- There’s no chance to edit or retract: Even when people think they are taking the necessary precautions they often fail to account for the ways in which life online differs from everyday life. The nurse cited in the above incident didn’t realize that the patient’s mother might be reading what she wrote. As Holder points out, “De-identifying on paper is very different than on social media.” It’s not just that the audience is much less circumscribed; it’s also that people are in a different frame of mind. “When writing a paper, for example, you can successfully de-identify a patient by tweaking a few details, but on social media, you don’t think about that detail, and once it’s posted you can’t go back and edit it.”
- You don’t really know who you’re reaching: Another common danger was famously captured by a New Yorker cartoon with the caption, “On the Internet, nobody knows you’re a dog.” The implications for professionals is less amusing. Stephen M. Boreman, who like Porter has extensive experience both prosecuting and defending medical practitioners (and teaching for PBI), advises clients not to talk about patients when they can’t be sure who they are talking to. “Even with general emails and texts, you can’t be certain who will see what you’ve written.”
- Out of state patients can lead to unlicensed practice: It’s fine to post generic health information on a website, as so many do, but says Boreman, “You need to be careful that your website doesn’t involve the practice of medicine towards an individual patient.” While such patient-specific advice is fraught with problems, Boreman highlights one danger in particular: “If you offer people advice and you’re not licensed in the state where they are receiving the advice, arguably you might be accused of practicing medicine in that state.”
- What your staff does online is your business: Porter uses the analogy of ship’s captain. “When I ask people in my classes who was to blame for the Titanic sinking, they always say it was the captain, even though it was the the third mate who was on duty when the ocean liner hit the iceberg.” When a staff member posts a photo or comment that violates the law, says Porter, “the board will go after the doctor for improper supervision.”
- Relevant digital communications must be documented: The HIPAA privacy rule gives individuals the right to access and amend protected health information. So if a physician uses texts or emails to make clinical decisions and does not document them in the patient’s medical record, the physician is technically in non-compliance.
- What if you lose your phone? Mobile phones themselves represent a risk according to the American Health Information Management Association (AHIMA): “Text messages may reside on a mobile device indefinitely, where the information can be exposed to unauthorized third parties due to theft, loss, or recycling of the device.” To guard against this threat to privacy, a clinician should make sure not only that her phone is password protected but also that any patient information is stored in “a separate secure file,” according to Porter.
- Personal cell phones should be for personal use: Holder notes that when a clinician talks to a patient on a personal cell phone, “It’s usually off hours, and people don’t think professionally when they’re off duty.” Which is why it’s never a good idea to use a personal phone for professional purposes. Not only are practitioners all too likely to mix personal and professional communications, but answering patient questions on a personal phone, especially outside of regular office hours, can raise expectations that the clinician will always be available at that number. Porter estimates that he’s had 20 to 30 cases in which a mental health patient has filed a complaint because a doctor, who had previously gone out of his way to help, was not available when the patient needed help again.
- Friending a patient is not the same as being friendly: When a physician friends a patient on Facebook—or invites contact through any other social networking site—she is inviting that person to see her outside of her professional role, whether on vacation or at a sporting event. Such casual intimacy can start a dangerous slide down the slippery slope to an inappropriate relationship. Boreman cites the 2011 California case of Roy vs. the Superior Count, which established that physicians who share their personal lives with patients are inviting trouble: “Too much personal information can be taken by a patient as sort of an invitation to get closer than would be professional or appropriate,” says Boreman.
- What you say online can and will be used against you in court: Porter tells clients that the “e” in email stands for evidence. While most of the cases he sees involving social media are directly related to what has happened online, most of the texts and emails that show up in court are not the reason for the case but rather evidence supporting the charges that are being brought. Porter estimates that a third of his cases involve evidence related to emails and/or texts.
Establishing clear guidelines and policies is critical.
It can be challenging to come up with long-term policies in the constantly changing world of digital communications, but that doesn’t make it any less essential. More and more hospitals are developing guidelines for their staffs and a few professional groups offer guidelines (see Publications below). Anyone in private practice, says Porter, should have a communication policy that’s given to all new patients, clearly stating how and when patients can reach clinicians and what to do in the case of an emergency. And the policy should also let patients know what kinds of digital communications are ok—scheduling appointments for instance— and what kinds are not.