Don't be afraid of HIPAA, say nurse bloggers

Published on
November 11, 2011

The Health Insurance Portability and Accountability Act of 1996 scares a lot of health professionals away from blogging and joining social media discussion because of its provisions protecting patient information. But three registered nurses at BlogWorld LA last week told health professionals that they can blog and converse online about their careers without fear.

Kim McAllister has been blogging at Emergiblog for six years. The fear of breaching HIPAA can stifle creativity and "take all the joy out of writing," she said. "But you can tell your story and write your narrative with worrying about your facility's ten-pound social media policy."

"HIPAA is certainly not something that you should let hold you back," said Jamie Davis, managing director of the ProMed Network. Davis has hosted hundreds of educational podcasts for health care professionals and said that the rules governing the use of social media and online publishing are still relatively new. "We are all helping to shape some of these policies through how we act," he said.

Registered nurses Jamie Davis, Terri Pollick and Kim McAllister discuss blogging and steering clear of HIPAA violations. (Photo by Angilee Shah)One rule for health care professionals' online lives is obvious: "Don't disclose patient information ever," said McAllister. Don't disclose, name, weight, height, eye color -- any patient information that allows your reader to discern the identity of the patient you are discussing. Focus on your own observations, which will make you less likely to reveal information about those around you in your blog.

[Left: Jamie Davis, Terri Pollick and Kim McAllister at BlogWorld LA. Photo by Angilee Shah]

"It doesn't necessarily have to be 100 percent true. We can have composite patients, patients who never really existed," McAllister said. "I'd love to blog about every single patient who come through the doors in the ER. You should never blog about people. You should focus on the issues."

Terri Pollick, also known as Mother Jones, RN, is the blogger behind Nurse Rached's Place. She focused her comments on the more immediate platforms of Twitter and Facebook, where tweets and status updates are too often like "knee-jerk reflexes with a keyboard."

Pollick gave an example of a breach of HIPAA in social media. In 2009, an administrative assistant at a Mississippi nursing school lost her job when she tweeted a message to Governor Haley Barbour about his recent medical exam. Barbour tweeted out a call for ideas about cutting costs, and Jennifer Carter replied, "Schedule regular medical exams like everyone else instead of paying University Medical Center employees overtime to do it when clinics are usually closed."

"It's popular to be snarky. You get a lot of people to follow. But is it worth losing your job?" Pollick asked. Even though Carter did not use Barbour's name, Twitter readers could see that she was replying to his tweet. "If people can connect the dots and draw correct conclusions of who the patient is, then it can be [a HIPAA violation]," said Pollick. Remember that identifying information includes websites and Twitter handles.

Like a small town doctor, health care professionals need to be careful about how they comment and converse in public settings. "I tell people it's ok to friend your patient [on Facebook]. But you have to use some common sense," Pollick said. For example, don't comment on a patient's status update about a health problem by asking, "Are you taking your medications?" This can be construed as a HIPAA violation because you are disclosing that the patient has been prescribed medication.

McAllister also advocated for transparency: "Be accountable. Put your name on your blog. The days of anonymity in health care blogs are over." Anonymous bloggers "cross the line routinely" and will have a lot of trouble if their institutions ever identify them as staffers. But if you put your real name on your blog, you might think a bit more critically about what you publish, which in turn will help you have more coherent and HIPAA-compliant posts.

"Feel now, blog later," McAllister says. "It behooves you to put a lot of time and space between you and an incident that has made you upset, even if it's only 24 hours."

McAllister's third rule: "Some things should just never be blogged about," she said. If you are trying hard to come up with a composite patient but the post just isn't working, "listen to your gut and don't write about it." She recalls having lost a young patient and deciding that it was not a good idea to blog about her experience. "Sometimes it's too personal or too soon," she said. Also, keep in mind that your writing can be used in malpractice suits, so follow your instincts about keeping certain cases out of your blog. 

McAllister's blogging rules apply to podcasting and video podcasting, Davis said. Redact irrelevant information but understand that HIPAA has important exceptions for education and training, he explained. While you might offer less information in a podcast than you would in grand rounds, you can still give enough information to help your readers and listeners learn something. But if you are streaming live, invite guests familiar with HIPAA regulations.

"If you're not sure," Davis said, "remind them of HIPAA. Just say, 'Remember patient confidentiality.'" If your podcast is produced ahead of time, you have more control and more responsibility to remove information that violates patient privacy.

Be careful about HIPAA, but don't over-react, Davis said. Breaches of patients privacy are often made worse by how institutions handle incidents, he said, citing the case of Doyle Byrnes, a nursing student who was dismissed for posting an image of a patient's placenta on Facebook. Byrnes challenged her dismissal in court and the story became national news, which placed the placenta photo, since removed from Facebook, all over the Internet. The court ultimately agreed with Byrnes, ruling that she should not have been dismissed because she was given permission to take the photo and the image did not reveal the patient's identity.

 "[The judge] said throwing them out of school was probably more disruptive than putting the picture up," Pollick said.

Are you a health professional who blogs or discusses your profession in social media? Read more about HIPAA and publishing online and let us know what you think in comments.

Should Doctors be the New Curators of Medical Information?

Doc Gurley's Ground Rules for Haiti

Spamming for Public Health