Keeping a Pulse on the Rules of Patient Engagement...
In today’s electronic world, social media plays a large role in changing the face of medicine. Patients are acutely aware of the impact of social media and have become increasingly social. Additionally, healthcare professionals are using different online tools to reach and educate them.
Early on, regulations and privacy concerns limited how patients and providers used social media, but adoption has grown exponentially in spite of these challenges. Today, 30% of adults are likely to share information about their health on social media with other patients, 47% with doctors, 43% with hospitals, 38% with health insurance companies and 32% with a drug company.
With so much potentially sensitive information hitting the web, there are several regulations and guidelines that both marketers and professionals need to understand. Let’s take a look at some of them, starting with the most important—HIPAA.
What Is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law stating that the patient has control of his or her protected health information (PHI). A patient’s PHI includes demographic data that relates to:
- His or her past, present or future physical or mental health or condition
- The provision of healthcare to the individual
- The past, present or future payment for the provision of healthcare to the individual
While patients are free to publicize their medical condition or experience with a provider, none of this information can be released by the provider without consent of the patient—and even then, healthcare providers are strongly urged to educate patients about the associated risks.
There is, however, an exception to that rule: The patient’s PHI can be used for healthcare operations. For example, it can be shared internally from a hospital to a physician, from a physician to a hospital and to payment companies for insurance-related matters. The PHI cannot go outside of that circle without the consent of the patient.
In order to use or disclose patients’ PHI without obtaining consent, the information must be de-identified. HIPAA lists 18 categories of identifying information that must be removed from a record or patient story in order for it to be considered de-identified. They include:
- Basic information: names, addresses, phone numbers and social security numbers
- Dates: birth dates, admission dates, discharge dates and dates of death
- Administrative details: medical record numbers, health plan beneficiary numbers, account numbers, certificate or license numbers, vehicle identifiers (license plates) and serial numbers, URLs and IP addresses
- Other identifiable information: finger and voice prints, full-face photographs and any other unique identifying number, characteristic or code
The last category is often the most difficult to comply with, now that significant amounts of personal information are available online. It’s not as simple as checking identifiers off the list: information can still be considered identifiable if there’s a way to figure out who the patient is, even after all 18 categories have been removed.
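As an added example, not code from the original post, here is a small Python scrubber for the categories in that list that can be spotted by pattern (record numbers, SSNs, phone numbers, dates, URLs, IP addresses), with names and addresses supplied from the record itself since no regex recognises an arbitrary name. The function, the patterns and the sample note are assumptions constructed for this illustration; it reports what it removed so a human reviewer can still judge the residual re-identification risk the paragraph warns about.

```python
import re

# Regexes for the pattern-detectable Safe Harbor categories listed above.
# Constructed for this example; they are illustrative, not an exhaustive list.
PATTERNS = {
    "mrn":   re.compile(r"\bMRN[:#]?\s*\d+\b", re.IGNORECASE),
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "date":  re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "url":   re.compile(r"https?://\S+"),
    "ip":    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

def deidentify(text, known_identifiers=()):
    """Scrub a patient story. Returns (scrubbed_text, findings), where findings
    is a list of (category, matched_value) so a reviewer can audit what was removed.

    known_identifiers: names and addresses copied from the record's demographics.
    A regex cannot recognise an arbitrary name, so these are matched literally."""
    findings = []
    # Longest first, so "Jane Q. Sample" is removed before any shorter fragment.
    for ident in sorted(filter(None, known_identifiers), key=len, reverse=True):
        pattern = re.compile(re.escape(ident), re.IGNORECASE)
        if pattern.search(text):
            findings.append(("known", ident))
            text = pattern.sub("[REDACTED]", text)
    for category, pattern in PATTERNS.items():
        def redact(match, category=category):
            findings.append((category, match.group(0)))
            return f"[{category.upper()}]"
        text = pattern.sub(redact, text)
    return text, findings

# Constructed sample note; every identifier in it is fictitious.
NOTE = ("Patient Jane Q. Sample (MRN 4471923), DOB 03/14/1962, admitted 11/02/2023. "
        "Contact (555) 867-5309, SSN 123-45-6789, lives at 12 Elm St, Springfield. "
        "Portal login https://portal.example.org/p/9921 from 203.0.113.7.")
KNOWN = ["Jane Q. Sample", "12 Elm St, Springfield"]

if __name__ == "__main__":
    scrubbed, findings = deidentify(NOTE, KNOWN)
    print(scrubbed)
    for category, value in findings:
        print(f"  removed {category}: {value}")
    # A second pass must find nothing: the placeholders re-create no pattern.
    assert deidentify(scrubbed, KNOWN)[1] == []
```

An empty findings list on the second pass only means the listed patterns are gone; it says nothing about whether a rare diagnosis plus a small-town reference still points to one person, which is the judgement the text says no checklist replaces.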
Health plans, healthcare clearinghouses and any healthcare provider that transmits health information in electronic form—including claims, benefit eligibility inquiries and referral authorization requests—are required to comply with HIPAA guidelines.
If you’re not sure whether social media is placing your healthcare organization at risk of a HIPAA violation, #weshouldtalk