The HIPAA implication of Facebook friends with patients

Social networking is becoming a mainstay of modern life. Facebook alone, which has grown to 100,000,000 users in just 9 months, is the 4th largest “country” in the world. Many businesses use Facebook pages to build their marketing and visibility – in fact, a whole generation of new college graduates is emerging with “new media” as a specific skill-set.

Of course this will touch healthcare. There is no avoiding it. The issue is not how to keep social media out of healthcare; it is how to appropriately engage it. The question has been raised frequently on the appropriateness of “friending” requests between doctors and their patients. It has even been the subject of commentary in the New England Journal of Medicine.

How does HIPAA play out in the realm of social networking? Does Facebook “friending” expose a clinician to HIPAA security risk? To address this question, it is helpful to take a step back and understand the basis of HIPAA.

HIPAA (the Health Insurance Portability and Accountability Act) is about both portability – standardizing communication in the industry so that insurance claims can be billed and paid electronically – and privacy and security. Much of the focus of discussion (and fear) is on the privacy and security aspects of this law.

The basic premise is that Personal Health Information (PHI) belongs to the patient – though it was created by doctors. The patient has ultimate say-so with regards to where that information is shared. Doctors are custodians of PHI, and have a protected and privileged relationship with their patients – PHI that is created from the interactions between them is confidential. Health care is not delivered by single points of care – a whole system is involved (hospitals, primary care physicians, specialists, laboratories, and so on), and the sharing of information (in a private and secure way) is critical. Protecting the privacy and security of PHI exchange is the focus of federal policy, so that only those parties that are given permission to share in the confidential information can access it.

Electronic communication between doctors and patients has emerged, and secure technology to allow this has been in the marketplace for some years. Secure messaging can take place as a stand-alone tool (for example, Relay Health), or can be a part of linked EHR-PHR products (like Practice Fusion and Patient Fusion, which is still an emerging product).

But, outside of these secure, one-on-one communication channels, what about more public forums? The best way to look at Facebook is as a public message board – the public kiosk in the center of town. Anyone can be assumed to see it. If a patient posts on Facebook “yay! My syphilis test came back negative”, that is not a HIPAA violation (though it is of questionable wisdom) – the patient originated the message, and therefore gave permission for all to see it. However, a physician cannot post on Facebook “hey… your syphilis tests just came back negative” – that would be a HIPAA violation. The physician is the custodian of the PHI and cannot disclose it that way.

So how should a physician engage social media? A Facebook page may be an appropriate way to promote one’s medical practice – that is simply a “new media” way of promoting one’s business. However, engaging patients one-on-one as Facebook friends (when the basis of the relationship is professional, rather than social friendship or family) is not wise, in my opinion. There are other media that are secure (like secure web messaging, or combined EHR-PHR tools) and that are a better forum for communication where PHI exchange may take place.

Robert Rowley, MD
Chief Medical Officer
Practice Fusion EMR