Online postings may reveal more than they should
New research is revealing that blogs written by medical professionals may pose a threat to patient privacy when the authors of the blogs inadvertently reveal patient information. The practice poses a serious risk to health care providers, and risk managers should act quickly to curtail the privacy violations, say several experts.
The heads-up on this issue comes from Tara Lagu, MD, PhD, a clinical scholar with the Robert Wood Johnson Foundation in Princeton, NJ. Along with colleagues at the University of Pennsylvania in Philadelphia, Lagu analyzed the contents of 271 medical blogs and found that 56.8% contained enough information to reveal the author's identity. Identifying the author is the first step toward identifying the patient, she says. The study was published online in the Journal of General Internal Medicine.
Blogs are a growing part of the public face of the health professions, Lagu notes, offering physicians and nurses an easy way to share their experiences. But she adds that they also risk revealing confidential information or, in their tone or content, risk reflecting poorly on the blog authors and their professions. Lagu says risk managers should help authors and readers negotiate those challenges.
Just like everyone else, health care physicians sometimes will say things in an Internet posting that they would never say face to face, notes B. Scott McBride, JD, a partner with the law firm of Baker Hostetler in Houston. The supposed anonymity of the Internet, or just the remoteness of posting online even when you use your name, can cause people to let their guard down and say more than they should, he says.
"It's an informal way for people to exchange information and they don't apply the same standards they might otherwise," he says. "They post things that they would never put in a letter and mail to someone, or they say things that they would never say to a newspaper reporter. Yet they put it out there on the web for the whole world to see."
The highest risk with Internet postings will come from cases that involve celebrities, unusual or rare conditions, or highly politicized situations such as disputes over discontinuing life support, McBride says. Posting on those cases can easily be traced to the people involved, even without names and other identifiers.
He says it can be useful simply to remind physicians that they can discuss patient matters among themselves without using the Internet.
"I always ask them why they're posting it on the Internet in the first place," McBride says. "If they want to discuss the case in a professional manner with their colleagues, there are venues for that. But when you post it on the Internet, you're discussing it with the public, too, and there usually isn't a very good reason for doing that."
HIPAA violations possible
Privacy breaches in blogs could have significant ramifications for the health care provider, says Mary Jean Geroulo, JD, an attorney with the health care law firm of Stewart & Stimmel LLP in Dallas, who previously was a hospital administrator for 10 years. Violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are a real possibility, she says. As with many risk management issues, the extent of the liability rests largely on whether the physician is employed by the hospital.
"Blogging by physicians can certainly raise privacy concerns, and if patient information is disclosed in a blog, the physician would be subject to fines, and possibly criminal penalties for a HIPAA violation," Geroulo says. "In general, however, a hospital should not be cited for a HIPAA violation, even if a physician discloses protected health information about a patient he/she cared for in that hospital unless the physician is an employee of a hospital."
Physicians are covered entities, and not "business associates" of a hospital, as the terms are defined by HIPAA, she explains.
"So a physician's noncompliance of HIPAA rules should not be imputed to the hospital," she says. "However, physician employees of hospitals who violate HIPAA do create liability for a hospital, and such physician employees should be dealt with in accordance with hospital policies and procedures."
Blogs can prompt investigation
However, even nonemployees can put the hospital at risk, notes A. Kevin Troutman, JD, an attorney with the law firm of Fisher & Phillips LLP in Houston, who assists hospitals with risk management projects. He says risk managers have an important role to play in preventing privacy breaches through blogs even if the blogger is not an employee.
"Even if the end result is that the physician was not an employee and so you're not actually responsible for his or her actions, a privacy breach can still result in you being involved in the investigation. I don't think anyone wants an Office of Civil Rights investigation because you'd just as soon not deal with all that scrutiny," he says. "They may let you off the hook on the privacy breach that started it all, but what else are they going to find while they've got you under the microscope?"
Troutman notes that there is plenty of guidance available on HIPAA compliance, both from the government and legions of consultants, so risk managers shouldn't find it hard to provide physicians with the proper training. Getting them to accept that training and follow through could be a different story.
"You'll probably get physicians telling you they don't need your guidance because it's their patient and their information being posted, not the hospital's," Troutman says. "In some cases that might be true, but the doctor is still committing a HIPAA violation by disclosing protected information. Also, the line may actually be pretty blurry about where that information came from, especially if the doctor is caring for the patient in the hospital."
The hospital has an affirmative obligation to make sure its protected information is used properly, he says. Troutman recommends providing education in medical staff meetings or other forums.
Can harm hospital reputation
Even if a blogging physician's actions do not create liability for the hospital under HIPAA, such blogs can create negative publicity for the hospital, Geroulo says. If it gets out in the community that doctors from your hospital post information about patients on the Internet, especially if that information is negative or critical, your reputation can suffer a black eye that will take a long time to heal.
"So it may be wise to provide physicians with some guidelines for blogs," she says. "Hospitals cannot prohibit physicians from engaging in this type of activity, but they can be a valuable source of information to help physicians understand the potential consequences of inappropriate use of identifiable patient information."
Troutman says a key part of educating health care professionals on this topic is showing them that they and their patients can be identified even when the blog does not contain their names or other obvious identifiers. Many physicians will be surprised to see how people can identify patients through their diagnosis or circumstances, particularly when they are unusual enough to warrant a discussion on the Internet.
"Show them some examples and walk them through how the identity can be determined without names. Make it helpful by using real examples if you can and make it a friendly reminder, a caution about something they probably just didn't realize they were doing," Troutman says. "If the blogs continue to reveal too much information, then you might have to take a punitive approach and follow the medical staff bylaws."
Sources
For more information on patient privacy and medical blogs, contact:
- Mary Jean Geroulo, JD, Stewart & Stimmel LLP, Dallas. Telephone: (214) 615-2012.
- Tara Lagu, MD, PhD, Robert Wood Johnson Clinical Scholars Program, Philadelphia.
- B. Scott McBride, JD, Baker Hostetler, Houston. Telephone: (713) 646-1390.
- A. Kevin Troutman, JD, Fisher & Phillips LLP, Houston. Telephone: (713) 292-5602.