Thin Ice Ahead! Offering Lactation Help on Social Media and Cell Phones

Another ask, from another IBCLC. I get a lot of these, too. Goes something like this: “Can I help a parent on a Facebook Group, who voluntarily described their situation, sharing all sorts of personal health information (PHI)? They started the convo; can’t I jump in?”

Um, no. Regardless of whether the patient/client voluntarily shares (overshares!) personal information on a social media platform, the question is whether the clinician is meeting the VERY high bars for protection of PHI, *and* electronic security standards, under HIPAA-with-two-As and its companion enforcement regulation HITECH.  Think about the uneven bars in gymnastics … you gotta master both bars without falling off; one protects privacy, and one protects electronic record storage and transmission.

There is more to consider than whether or not the parent “consents” to making Facebook posts or sending you cell phone texts. They all will. BUT they are not held to the *independent* high privacy and security standards to which the clinician is held under the law. And any violations put the clinician’s butt in a sling, not the parent’s.  Their consent won’t save you from the HIPAA/HITECH enforcers, who are looking with increasing scrutiny at smaller healthcare operations (like IBCLC practices).

(1) Parents can tell parents any dang thing they want, on any platform, with impunity. They do NOT hold a duty of care to one another, and they have been giving each other excellent and awful advice over the proverbial picket fence ever since Cave Parent chipped the first picket out of stone.  Clinicians like IBCLCs, however, *do* have a duty of care to their clients/patients.  And Facebook groups are hugely problematic because you can “constructively” create a professional relationship with any parent with whom you engage, offering specific information on their specific situation (versus, say, a post of general interest to any ol’ parent who stumbles along). And ALL of the professional and ethical obligations attach when you create a professional relationship. You got a consent? History? Way to send healthcare concerns/report to the primary healthcare provider (HCP)? Way to follow up? Way to get paid? Have you OBSERVED a feed? Ya. Not so much on Facebook, or any social media platform.

(2) Facebook, like most (all?) social media platforms (where THEY run the entire show, and you consented to that when you clicked “I agree” on that one long boring page when you opened your account) is not secure enough to meet HIPAA/HITECH.  Rule of thumb: If you get to it or store it in the Cloud, you are *not* complying with HIPAA/HITECH privacy and security obligations *unless* you first meet several requirements, not the least of which is a signed HIPAA Business Associate Agreement (BAA) with the Internet service provider/social media platform.  A pretty good barometer, for whether you are meeting one of those important requirements, is to ask whether the Internet host/platform is willing to sign a HIPAA Business Associate Agreement with you, promising to never reveal PHI about any client/patient, at shared risk of liability to the same degree as your own under HIPAA/HITECH. Ya. Not so much with Facebook.  And for those of you clutching your Apple iPhone and iPad pearls to your clinical chests, Apple doesn’t do BAAs, either.

(3) All is not lost. There *are* methods and business practices that allow one to use electronic devices to communicate with clients/patients while meeting HIPAA/HITECH’s high standards and protection requirements. I urge any IBCLC (or other clinician) to run, not walk, to the excellent resources (nearly all of which are free) on ethics, HIPAA, and providing protected client care over the Internet, at this fab-you-loso website: www.personcenteredtech.com.

(4) IBCLCs in private practice are especially in luck: This website offers for a very reasonable fee information and resources galore about establishing a practice, and performing one’s duties, while adhering to ALL the privacy and security requirements of cell phone, laptop, and cloud-based communication: https://www.paperlessibclc.com/

© Liz Brooks JD IBCLC FILCA, 22 Dec 2017
revised 13 June 2018

Leave a reply