Electronic Documentation
Electronic media – including email, blogs, social networking platforms, websites, texting and instant messaging have become a primary means of self-expression and communication for many individuals, including providers and other medical practice personnel. The increasing volume of online communications and instant messaging has created a new sense of connectedness – as well as a myriad of risks, including electronic discovery requests that may encompass text messages, blog entries and social media postings.
The substance of all electronic communications related to patient care – whether by phone, text, email or instant messaging should be documented in the patient’s healthcare information record. At a minimum, the following information should be included when documenting any electronic communication:
- Date and time of the discussion
- Patient’s name and date of birth
- Identity of the other party (if other than the patient)
- Identity of the staff member involved in the communication
- Subject of the communication
- Advice given or other outcome and recommended follow-up
The following clinical information also should be included, among others:
- Patient’s relevant medical history and allergies
- Nature of the patient’s symptoms and associated complaints
- Aggravating and relieving factors
Electronic Media Exposures
The risks associated with electronic media continue to evolve and expand with increased usage. Providers should be aware that litigation discovery requests may transcend the traditional scope of patient treatment and financial records, potentially encompassing text messages, blog entries and social media postings. Consequently, providers must understand the associated exposures and create policies that recognize their benefits while minimizing the possibility of carelessness or misuse. The use of social media and electronic devices by healthcare personnel may result in the following additional risk exposures, among others:
Patient confidentiality. Workplace emailing or text messaging may violate privacy and security requirements imposed under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), as protected health information (PHI) may be inadvertently transmitted to an unauthorized third party. If protected health information (PHI) is inadvertently revealed on organization-owned equipment or employee-owned devices, disclosure may constitute a breach of the HIPAA Privacy Rule and the Security Rule, as well as related state laws. The use of cellular telephones and smartphones to take and share photographs relating to a patient has significant privacy implications. Every healthcare setting should consider implementing a HIPAA compliance program that encompasses ongoing staff training, review of protocols and technical upgrades, including use of a HIPAA-compliant encrypted email system. A wide range of resources and tools are available to aid medical practices in this effort , including resources from the
US Department of Health and Human Services and
CMS.
Improper texting. Harassing, threatening or otherwise inappropriate messages posted by employees from workplace computers, texted from employer-issued mobile telephones, or employee-owned equipment can create vicarious liability exposures for the healthcare practice. In addition, improper litigation-related postings and text messages can undermine legal defense efforts.
Overuse of electronic devices. Texting and conversing on cellular telephones in patient care areas may decrease staff efficiency, leading to distraction and patient safety issues.
Network security issues. Unregulated web browsing and emailing on networked computers can introduce viruses or spyware into the system, resulting in possible data loss, theft or damage. Sharing of passwords and other security lapses can compromise confidential information, with potentially serious regulatory and liability implications.
Reputational risk from patient comments. Patients’ use of electronic media, especially through blogs and online rating sites, creates reputational risk exposures for providers and practices. Many states have enacted laws that affirm the patient’s legal right to offer a public opinion, even if that opinion is considered inaccurate or offensive to the provider. In general, legal cases in which providers challenge patient statements have not resulted in favorable outcomes for the providers.
Patient recruitment risks. Utilizing electronic media forums to recruit new patients or build loyalty may damage the reputation of a healthcare practice, unless the effort is managed in accordance with ethical guidelines. Risk exposures include, but are not limited to, jurisdictional issues and allegations of fraud and defamation.
Risk Management Strategies
Policies should directly address the issues raised by the proliferation of electronic media, in order to clarify rules and expectations and reduce liability exposure. These policies should clearly state that they apply to administrative, support and professional staff, as well as any contractors working for the organization.
The following strategies can help providers effectively manage the widespread use of these communication tools:
- Create and enforce a formal policy governing personal use of networked computers, with provisions that strictly prohibit all messages and activities of an offensive, threatening, harassing, defamatory or unprofessional nature.
- Request that employees sign a form acknowledging that they understand the rules and the consequences of noncompliance. Signed forms should be retained in personnel files.
- Provide staff with written copies of electronic monitoring policies. Explain that employers have the right to monitor email messages and other communications on practice-owned computers and that inappropriate conduct may have disciplinary consequences, up to and including termination.
- Regulate cellular telephone use by staff members, specifically addressing such key issues as personal telephone calls while at work, confidentiality, conversational volume and etiquette, talking while driving and utilization of the camera feature.
- Revisit the privacy and confidentiality policies on a routine basis, taking into consideration the risks of posted and texted messages containing PHI or other sensitive material.
- Convey to staff the possible legal and ethical implications of the unprofessional use of email, texts and social media, including the permanence and recoverability of deleted messages, limits of anonymity and realities of e-discovery. Clearly describe both the nature of the risks and the consequences of policy violations in the employee handbook, and reinforce the importance of sound judgment through staff training.
- In consultation with administration and/or legal counsel, formulate a protocol requiring written authorization from patients before discussing PHI on any electronic media or outside the patient care setting.
- Encourage appropriate etiquette and model a mature attitude. Remind staff members that they are viewed as ambassadors of the practice, and their posture on the internet should reflect this fact. Consider assigning mentors to coach less experienced staff in the nuances of professional conduct.
- Regularly underscore cyber security rules and concerns, using orientation and training sessions, posters, supervisory reminders and other means.
- Have both legal counsel and information technology staff review all social media-related policies for regulatory compliance and technical relevance.
- Draft policies addressing the following important activities: engaging e-patients, managing online discussions, conveying medical advice and general medical information, integrating electronic communications with the personal healthcare information record, and disengaging e-patients who publish derogatory statements or falsehoods about the practice.
- Review marketing language used online to avoid inaccurate statements of services provided, avoiding use of superlative and absolute phrases such as “best care,” “highest quality” or “state of the art,” as these descriptions may be quoted in lawsuits alleging breach of an express or implied warranty. In addition, social media messaging should not entice patients to expect care beyond the capabilities of the practice.
- Adopt a HIPAA-compliant email encryption system in order to better protect the confidentiality of sensitive information.
Social Media
Many healthcare organizations use social media for purposes of outreach, reputation management and emergency communication. They expand their networking ability by linking their practice-based websites to the following types of media platforms:
- Social networking sites, such as Facebook and Instagram, which promote mutual sharing of news and information, as well as marketing messages.
- Video and photo-sharing sites, including YouTube, Flickr, DropBox, Google Drive and OneDrive, which facilitate exchange of footage and images.
- Micro-blogging sites, such as Twitter, which encourage interaction via short published messages and links.
- Weblogs, including practice, personal and media blogs, which communicate ideas and opinions in journal format.
- Business networks, such as LinkedIn, which connect job seekers and potential partners to the practice or organization, and colleagues with each other.
Launching an effective social media site requires preparation, planning and attention to a number of risk management considerations. Before initiating a social media project, consider its implications from a strategic, marketing, liability and information security perspective. The following questions may help focus the planning process:
- What is the underlying purpose of the social media activity?
- Does the proposed social media presence complement the business strategy?
- Who is the intended audience for the site, page or profile?
- Which topics, activities and forms of interaction will be promoted, and which will be excluded?
- Are adequate human and financial resources available to maintain and update the project on an ongoing basis?
- Which media platform, tool or application is best suited to the intended purpose and audience?
Organizations may wish to retain a social media specialist to address these initial questions, as well as to assist in the planning and implementation of the following essential activities:
- Establishing practical boundaries and guidelines for electronic media use.
- Promulgating sound operating rules and security controls to protect against infiltration and other external threats.
- Negotiating with vendor platforms regarding terms of use, such as requirements for separate login pages and written notice of changes in privacy conditions.
- Reviewing insurance policies for potential cyber liability insurance coverage gaps and recommending portfolio changes, where necessary.
Once the site goes online, the social media consultant also can help to educate staff, patients and other users on rules and etiquette, advise on updating guidelines, assist legal counsel in reviewing and updating vendor contracts and site controls, and ensure that all social media tools have a consistent identity and appearance – including appropriate use and placement of the organization’s logo.
Continue reading Chapter 8: Technology and Electronic Media
Additional Resources:
Skip to next Section - Section 9 - Hazard Risks