Thursday, October 14, 2010

Containing the Patient Privacy Breach

John Commins, for HealthLeaders Media , October 13, 2010

Social media creates new challenges for patient privacy.

Patient confidentially used to be a simple concept, simply enforced. Healthcare workers, for the most part, knew not to poke their nose in the records room or gossip about patients' medical issues. Privacy breaches, when they occurred, could be contained. 

Along came electronic medical records, Internet social sites like Twitter and Facebook, and hackers. These newfangled online outlets provide—literally and in an instant—global access to patients' medical records, which makes breaches a lot more serious and enforcement a lot tougher.

"Patient information is like radioactive material," says Arthur R. Derse, MD, director of the Center for Bioethics and Medical Humanities at the Medical College of Wisconsin in Milwaukee. "It must be protected. It must be contained. It cannot be taken out of the building, sent out of the building, or looked at inappropriately if the employee is not permitted to access it.

"The problem is students and employees and younger folks coming into work think of Facebook and Twitter as something you do. Just as you shouldn't be saying anything about patients on the telephone, you shouldn't be Twittering or Facebooking about work," Derse says.

Fortunately, the concept of patient confidentiality has remained as simple now as it was in the time of Hippocrates. Rather than devising detailed, multilayered responses to every new social networking outlet that pops up every few months, effective patient confidentiality guidelines should identify the new threats but focus on instilling that simple and ancient principle with trustworthy employees.

Pamela Paulk, vice president of human resources at Johns Hopkins Hospital and Johns Hopkins Health System, says the Baltimore-based health system's confidentiality guidelines are based upon trust. "We really do believe that our employees are going to do the right thing," Paulk says. "Our guidelines say that everybody has gone through HIPAA training and signed their confidentiality agreements. We say that extends to social media, anything that would apply at work applies on social media. That is basically the guidelines."

The popular notion of breaking patient confidentiality usually involves simple curiosity about celebrity patients or patients with unusual—perhaps embarrassing—medical issues. That's a black-and-white issue. Good employees know better than to breach that confidence.

There are gray areas, however: healthcare workers with good intentions, raising legitimate concerns about patient safety, care quality, or the competence of colleagues; physicians consulting with colleagues over the Internet. Everyone must be aware of the privacy pitfalls inherent in social media.

Derse says healthcare workers don't have to post concerns about safety or competence on the Internet, because there are plenty of legitimate outlets.

"Having the ability to complain about somebody's performance if they feel it is dangerous or substandard is something that is very important, but you don't have the right to complain to the general public," he says. "You have the right to complain to people who can actually address the problem."

Derse says hospitals should have in place policies that encourage and facilitate reporting bad behavior, and that protect whistleblowers from retaliation. If not, he says, employees can take their complaints to their local medical professions boards.

Paulk says Johns Hopkins has an "absolute rule that anybody can stop the 'assembly line' if they think something is wrong. They are able and encouraged to speak up." That culture of safety encourages staff to report issues to supervisors on an in-house database, or to an anonymous hotline. "We have all different avenues," she says.

And what about healthcare workers who use an Internet site to complain about the workplace? When does an employee's freedom of speech run up against a healthcare institution's need to defend its good name?

"One solution is to have a policy that says, 'We don't want you to discuss anything about the business on the Internet,'" Derse says. "If they said, 'We don't want you to discuss politics,' that would be a difficult and legally problematic stand. But employers do have a certain amount of control over employees if someone is negatively commenting on the institution where they work."

Paulk says she is not aware of Johns Hopkins Health employees using social network sites to kvetch about work, and said the health system has no plans to regulate it, even if it could. "If they did, we couldn't discipline them for that unless it were a patient privacy violation. But if it came to our attention that they are talking about a colleague or someone by name, from an HR perspective, we would handle it just like in the workplace. If it were two workers who were causing tension in the workplace, we would try to address their concerns," she says.

For Paulk, it all comes back to common sense and trust. "This is a tough new world that we are living in," she says. "I just hope people don't get in the business of hiring social media police. But if you don't trust your people, you've got a whole other problem."

John Commins is an editor with HealthLeaders Media. He can be reached at

No comments:

Post a Comment