Teach your physicians how to blog without violating patient privacy
HIPAA Training Advisor, June 12, 2008
Imagine a place where physicians can support each other in difficult situations, discuss case-specific successes, and compare notes about everything from pay-for-performance to the efficiency of information technology. This interaction is luring many physicians to the online blogging community—also known as the physician blogosphere—where bloggers post about their experiences or opinions in a journal-style format.
“The feedback, critiques, and encouragement have been extremely helpful,” says physician blogger Nicholas Genes, MD, PhD, a resident in the emergency medicine program at
However, this exchange of information comes at the price of a potential privacy breach, says Reece Hirsch, Esq., of Sonnenschein Nath and Rosenthal, LLP, in
Nonetheless, Genes and Hirsch agree that there are HIPAA-friendly ways for physicians to blog. Physicians who plan to start a blog should consider their goals and the corresponding risks, says Hirsch. For example, physicians who write about their clinical experiences must attend to the risk of inappropriately using or disclosing patient information.
Physicians should think of their blogs as extensions of a physicians’ lounge, with one important difference: physician blogs are open for the entire world to see, says Genes. “Just as it behooves a doctor in a lounge to observe some social niceties and polite discretion when discussing patients and employers, it’s wise for the anonymous doctor-blogger to do the same,” he says.
But even when the tone of a physician’s blog post is polite, it can be a HIPAA violation if he or she uses or discloses PHI. Because physician blogging doesn’t fall under HIPAA’s permitted uses or disclosures, physician bloggers must de-identify the patient data they post online. 45 CFR 164.514(b) of the privacy rule requires covered entities to use one of two methods when de-identifying PHI. One option is having a statistician determine that the information cannot reasonably identify an individual; the other is the removal of 18 specific identifiers.
However, HIPAA requires more than removing these identifiers. The privacy rule adds that it is a HIPAA violation for the covered entity to have “actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.”
Physician bloggers could violate this catch-all requirement in a variety of ways, even if they blog anonymously. “A blogger might go on and on about an uneducated, young female patient that he saw ‘just yesterday’ who clearly had an STD but denied the possibility of sexual transmission. And maybe a few days before, the blogger described how great it is in his remodeled emergency department. And before that, he complained about a cold snap in his Midwestern town—the temperature dropped below zero,” says Genes. “How hard would it be for a reader to put this all together and realize that the patient being described is a friend or sister or daughter?”
When Genes posts a story on his blog, he doesn’t specify where or when it occurred. He also obscures details that aren’t relevant to the story by changing the patient’s gender, age, race, or medical problem (e.g., a left-sided stroke becomes right-sided). These precautions are a step toward the de-identification that HIPAA requires, and they don’t diminish the value of the blog post.
The safest way to blog about patients is to obtain an authorization that is compliant with HIPAA and state law with respect to use of the information. Although this would allow physician bloggers to be very specific about clinical cases, asking for the authorizations will probably raise red flags for patients, Hirsch says.
Physicians must be cautious with respect to their own blogs and should be sensitive to responses from other physicians. Although the original blog post might avoid revealing PHI, a commenter might do so during the ensuing discussion. The safest course is to delete these problematic comments, Hirsch says.
“As a doctor, I don’t want to harm my patients,” says Genes. “As a blogger, I’m acutely aware that my name is permanently attached to every utterance and certainly don’t want anything to appear online that could jeopardize my employment or put my hospital or colleagues in an uncomfortable position.”