Facebook vs. Your Medical Privacy: What You Need to Know
If your medical records were online and held privately by a hospital or doctor, would you trust that situation? If your doctor or nurse used Facebook, YouTube, Twitter or other social networking tools, would you trust the safety of your confidentiality in that situation? While social networks and medical records may seem like different environments, you might realize that the safety of your confidentiality is dependent solely upon the trust you have in your doctor and whether or not your doctor is worthy of that trust.
You and your medical records are protected by HIPAA, or the Health Insurance Portability and Accountability Act of 1996. Title II of HIPAA, known as Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.
Administrative Simplification provisions also address health data security and privacy within HIPAA. These standards are meant to improve the efficiency and effectiveness of the nation’s health care system by encouraging the widespread use of electronic data interchange in the U.S. health care system. Covered entities include health plans, health care clearinghouses, such as billing services and community health information systems, and health care providers that transmit health care data in a way that is regulated by HIPAA.
While your doctor might seem trustworthy, part of that trust might be engendered by the amount of time you have spent with that doctor and his or her age. Younger doctors, especially those who still are students or who are serving as interns or who are just building their businesses, might need more scrutiny — especially after a new survey that discovered unprofessional conduct on blogs and social-networking sites among medical students.
The Survey
The survey, published in September 2009 by the Journal of the American Medical Association (JAMA), stated that 60 percent of US medical schools surveyed responded (78/130). Of these schools, 60 percent (47/78) reported incidents of students posting unprofessional online content. Violations of patient confidentiality were reported by 13 percent (6/46), and consisted of:
- Student use of profanity (52 percent; 22/42): Nine open-ended text examples detailed negative comments pertaining to specific medical school experiences. Examples included using profanity or other disparaging language in reference to specific faculty, courses or rotations, classmates, or medical school. Some examples were reported as discriminatory in nature.
- Frankly discriminatory language (48 percent; 19/40): Four open-ended text examples detailed references to patients in which patient privacy was at risk. The majority of examples involved blogs that described clinical experiences with enough detail that patients could potentially be identified. One example was related to posting patient details on Facebook.
- Depiction of intoxication (39 percent; 17/44): Seven open-ended text examples detailed content suggesting intoxication or illicit substance use. Examples involved photographs (illicit substance paraphernalia, depiction of intoxication, students holding alcoholic beverages), video, and comments.
- Sexually suggestive material (38 percent; 16/42): Ten open-ended text examples detailed sexually suggestive or explicit content or inappropriate relationships. Examples in this category included sexually provocative photographs of students, requesting inappropriate friendships with patients on Facebook, and sexually suggestive comments.
Of 45 schools that reported an incident and responded to the question about disciplinary actions, 30 gave informal warning (67 percent) and 3 reported student dismissal (7 percent).
Policies that cover student-posted online content were reported by 38 percent (28/73) of deans. Of schools without such policies, 11 percent (5/46) were actively developing new policies to cover online content. Deans reporting incidents were significantly more likely to report having such a policy (51 percent vs 18 percent), believing these issues could be effectively addressed (91 percent vs 63 percent), and having higher levels of concern.
Viral Issues
While students are notorious for antics during college, the use of social networks can make the usual college prank into viral material that can damage patient confidentiality and the future of the medical student. Although some of the incidents identified in this survey, such as patient privacy and photos involving illicit drug use, appear to be clear-cut lapses in professionalism, others fall into more ambiguous categories. While certain examples, such as negative comments about a student’s institution or profession, might not be considered unprofessional, students have been long known to disparage their institution and profession when under stress.
According to the study, the line separating protected First Amendment rights and inappropriate postings may be unclear. The categories of unprofessional incidents used in this survey were based on prior studies on Internet professionalism, yet are subject to disagreement. Some behaviors, such as socially inappropriate medical student shows (in which medical students write and perform satirical comedy skits), may serve important coping and stress-release functions during difficult training and are documented well before the advent of the Internet; however, “when disseminated on media-sharing sites such as YouTube or Google Video, they carry the potential for significant public impact and viral spread of content.”
And, in some cases, it appears that medical students may not be aware of how online posting can reflect negatively on medical professionalism or jeopardize their careers. At one institution, teaching about how to elect privacy settings on Facebook resulted in an 80 percent decrease in publicly accessible accounts.
Resolution
Unlike using HIPAA to regulate patient confidentiality, the social networking world is unregulated for medical students except through the Dean’s office…and in some cases, those policies are not in place. Also, it appears that relevant laws, such as HIPAA, are not incorporated into regular instruction for medical students. In a later study, it was shown that most deans were not familiar with Web 2.0 technology, and that “this unfamiliarity may contribute to the lack of recognition of not only potential misuse but also the value of these applications.”
In many cases, the medical world is using Web 2.0 for collaboration and for communication with patients. With the onset of online medical records, however, the patient has every right to be concerned — not only with the safety of the software and hardware that houses those records, but also with the demeanor of the medical personnel who might handle those records.
Research should examine existing policies, identify superior models, and determine the effects of having specific policies and curricular programs on students’ online behaviors and professional development. Discussions among students, residents, and faculty should occur to help define medical professionalism in the era of Web 2.0. In addition, patients could begin to become more inquisitive about the conduct of their doctors online by asking their medical professionals about their online activities.
While “friending” your physician or following them on social networks is not appropriate in most cases, you can learn about what your doctor feels is appropriate for online behavior. If you ever have any doubts about your personal confidentiality as a patient, you can fall back on the HIPAA Privacy Rule, which establishes regulations for the use and disclosure of Protected Health Information (PHI).
Any individual who believes that the Privacy Rule is not being upheld can file a complaint with the Department of Health and Human Services Office for Civil Rights (OCR). Despite this resolution opportunity, OCR has a long backlog and often ignores many complaints. According to one article published in 2006, between April 2003 and Nov. 30 that year, the agency fielded 23,896 complaints related to medical-privacy rules, but it has not yet taken any enforcement actions against hospitals, doctors, insurers or anyone else for rule violations. A spokesman for the agency said three-quarters of the complaints were closed, typically because it found no violation or after it provided informal guidance to the parties involved.
