No matter how good a practitioner you are and how perfectly you handled a particular patient/client health problem, you could certainly end up with a disgruntled consumer. And in today’s social media intensive society, you may end up being slammed on Facebook, YouTube, Instagram, Twitter, Pinterest—well, you get the picture. You may even get slammed on an online rating service for your type of practice, such as HealthGrades.com or RateMDs.com.
In rules of evidence and medical ethics, when someone makes a formal complaint about your professional services, you may disclose individually identifiable health information as necessary to defend yourself. The Privacy Rule permits use of such information in litigation in several provisions. The most common authority for such use is 45 C.F.R. § 164.512(e), which authorizes uses and disclosures for litigation, whether judicial, such as a malpractice case, or administrative, such as licensure and credentialing proceedings. 45 C.F.R. § 164.506(a) permits use and disclosure for a covered entity’s health care operations, which include reviewing the competence or qualifications of health care professionals, evaluating provider and health plan performance, accreditation, certification, licensing, or credentialing activities. Covered entities may also disclose in litigation in response to a court order, subpoena, discovery request, or other lawful process, provided that the applicable requirements of 45 C.F.R. § 164.512(e) for disclosures for judicial and administrative proceedings are met.
Note that these authorized disclosures are applicable only after some type of complaint to the relevant entity, such as the covered entity itself, the Office for Civil Rights (“OCR”) of DHHS, a state licensure or disciplinary authority, a criminal investigation or a civil lawsuit, and the like, not just made to the public on social media or otherwise. Thus, if a reporter asks you how you respond to a patient’s allegation that you inappropriately touched the patient, you cannot, under HIPAA, disclose any PHI in response. Or if someone posts what a quack you are on social media, you cannot disclose any PHI in a response without the individual’s authorization, which, of course, you are unlikely to get when the individual has slammed you.
Note that, for substance abuse treatment information, 42 C.F.R. Part 2 does not allow you even to admit that the complainant is a client if the reporter asks you or if social media posts question whether you inappropriately did or didn’t do something. In that event, about all that you can say to the reporter is, “No comment.” And simply don’t answer the social media allegation.
In other types of cases, you might be able to say a little more, but you should be very, very careful.
This post focuses on responding to complaints about you on social media, but be aware that you can violate HIPAA’s privacy rule (and state confidentiality laws) in other ways, too. Dr. Alexandra Thran, for example, was frustrated with a trauma patient whom she had treated in the Westerly Hospital Emergency Department in Rhode Island. She posted her frustration with him on Facebook. She did not include the patient’s name but had given enough information that others in the community could identify him. This venting on social media resulted in her being fired from the hospital, losing her emergency room privileges, being reprimanded by the state medical board, and a $500 fine. And she could have been criminally prosecuted or suffered a civil money penalty from the feds. Chelsea Conaboy, “For doctors, social media a tricky case,” The Boston Globe, April 2, 2011, at http://archive.boston.com/lifestyle/health/articles/2011/04/20/for_doctors_social_media_a_tricky_case/?page=full.
Similarly, a nursing assistant in Oregon was convicted by a state court jury for invasion of privacy for having posted graphic photos of patients using bed pans. Not only did she spend several days in jail for her conduct, but she was also forced to surrender her nursing certificate and was fired by her employer, Regency Pacific Nursing and Rehab Center in Portland, Oregon. Duara Nigel, “Nurse Aide Posted Facebook Photos of Patients,” March 7, 2012 at http://abcnews.go.com/US/wireStory/oregon-nursing-assistant-convicted-photos-15869323.
Turning back to the subset of HIPAA social media breaches involving criticism posted thereon, you must think before responding, and usually get professional advice, such as from legal counsel, a compliance officer, a privacy officer, or another with HIPAA knowledge and experience. If you didn’t do anything wrong, don’t give them a HIPAA violation to hang on you that they can prove.
In substance abuse treatment complaints, merely responding confirms that a substance abuse client is your client, which violates 42 C.F.R. Part 2 unless you get a consent or fall into one of the exceptions permitting disclosure. A substance abuse treatment provider may disclose substance abuse treatment information without consent only if one of the following conditions is met:
- The provider or entity obtains a valid court order. 42 C.F.R. 2.61-.66. Section 2.65 contains the procedure and criteria for an order authorizing disclosure and use in criminal cases.
- Disclosure is to law enforcement if an immediate threat to the health or safety of an individual exists due to a crime on the premises or against program personnel. 42 C.F.R. 2.12(c)(5).
- Report is to health care personnel (not law enforcement) under the medical emergency exception for purposes of “treating a condition which poses an immediate threat to the health of any individual and which requires immediate medical intervention.” 42 C.F.R. 2.51.
- Such disclosure is made anonymously without divulging patient identifying information (that you work at an addiction treatment facility or that the person who made the threat is an alcohol or drug abuser). See 42 C.F.R. §§ 2.11 and 2.13.
As you can see, only the last bullet’s authority to disclose substance abuse treatment information would be involved in responding to a social media post that trashes the practitioner or the practice. Note that the HIPAA de-identification standards are quite strict. See my post, “DHHS Issues New Guidance on De-identification,” on December 12, 2012. A de-identified post without divulging patient identifying information under the substance abuse treatment rules would almost certainly be sufficiently de-identified to be made anonymously if it met the HIPAA standard at 45 C.F.R. §164.514(a)-(b). Merely not using the patient/client’s name won’t begin to do it. Anonymity here doesn’t mean that the reader can’t tell who sent the post but rather that whom the post refers to cannot be identified directly or indirectly. Dr. Thran’s patient wasn’t identified directly—by name—but rather, indirectly—by details of his condition and treatment. If you respond to the slam anonymously by using some non-identifiable pseudonym or otherwise, it is still a HIPAA violation. One truism is that there is no anonymity on social media.
One HIPAA Risk Management Consultant, Kelly Everitt, “HIPAA Violations Resulting From Social Media Responses,” March 9, 2017, at https://www.psicinsurance.com/posts-articles/physicians/marketing/hipaa-violations-resulting-from-social-media-responses.aspx, has suggested that, if a social media rant should appear, you should take the rant seriously. You will have some time-sensitive choices to make, such as these:
- You can ignore the rant.
- You can contact the patient offline to try to resolve the situation and ask the patient to remove the rant.
- You can contact the social media website and ask the website to remove the rant if it violates the website’s policy. Of course, you will have to prove that the rant is incorrect (without violating local, state, and federal regulations).
- You can solicit positive reviews from patients to balance out any negative comments.
- You can reply to the situation generically online, without acknowledging that the writer is a patient, by expressing your interest in the writer’s concerns if the writer is a patient and offering the opportunity to address the concerns by having the writer contact your office.
Whatever you decide to do, you should have your choice reviewed by qualified legal counsel, a compliance officer, the HIPAA Privacy Officer, or other qualified individual. And if you or any of your workforce members are on social media, especially students, you should implement a written social media policy and enforce it in writing.
Alice here: As always, thanks for reading Jon’s blog, including this one about HIPAA and getting slammed on social media, and remember to contact us if you need HIPAA compliance help. If you need help with drafting/updating/implementing your policies on this and other issues, you can find the help you need in the book by Jonathan P. Tomes, The Complete HIPAA Policies and Procedures Guide, with its accompanying CD of sample policies that you can easily make your own, available at http://www.veteranspress.com/product/hipaa-policies-and-procedures.