Discussions

Facebook check-ins and HIPAA implications

Posted by Mike Boehmer @mikeboehmer57, Jan 8, 2016

Hello,

We received this e-mail from the Kentucky Hospital Association. Would like your thoughts, please:

“Recently, a hospital brought to our attention a change in the way Facebook handles check-ins. It seems that there is no longer a way to disable check ins at your hospital on your hospital’s Facebook page, meaning photos taken while inside your facility could show up on your page, and you would have no way to block them, unless you blocked all posts to your site. We are concerned about the HIPAA implications and have contacted representatives of Facebook and found that they are aware of the issue, but don’t currently have plans to change it.
So, we need to hear from you and your hospitals. Please let me know if you have heard similar concerns.”

We are struggling with this too and we just took one of our specialty centers, my center which is a neuroscience center, off of facebook for that specific reason. Since we are a local center that has expertise in Alzheimer’s, Dementia and Parkinson’s Disease, among other neuro specialties, people were checking in or posting photos with tagged info which made us begin to ponder our own questions.

Unfortunately, the ability to create check-in points without there being a true point that’s associated with where that exact visitor destination is still exists. For example we have new parents that check in at the NICU rather than just our center Mercy Health. It’s a problem. I am interested in how others are dealing with this as well.

I came here to post this exact question as we just received a similar note from the Maine Hospital Association. We have always allowed check-ins but monitor them very carefully. I have to admit some ignorance here and ask how could people see the check-ins? Myself and a few others in the department have been trying some different scenarios and we are not able to see any photos or posts associated with check-ins, only those that are posted directly to the page. With that being said, is it a HIPAA concern if patients choose to check in to a hospital facility and post photos of themselves?

Here is the concern Tessa – I go to your hospital’s cancer center and I love the fish tank in the waiting room because it is so relaxing and I take a photo of it and post it to Facebook saying “this is relaxing” without any additional information. The meta data that is being parsed with that photo now uses location management info that not only will place it at your hospital but may also place it at the cancer center of your hospital. Unknowingly I shared info that I didn’t mean to share.

@TessaBrown

I came here to post this exact question as we just received a similar note from the Maine Hospital Association. We have always allowed check-ins but monitor them very carefully. I have to admit some ignorance here and ask how could people see the check-ins? Myself and a few others in the department have been trying some different scenarios and we are not able to see any photos or posts associated with check-ins, only those that are posted directly to the page. With that being said, is it a HIPAA concern if patients choose to check in to a hospital facility and post photos of themselves?

Jump to this post

Hello! When people check in or do a review, these appear on an unofficial page for a location that is automatically generated by Facebook. This is where photos are sometimes posted. I know of no way you can prevent people from posting photos on these pages. Maybe somebody else does. For an example, see: https://www.facebook.com/pages/St-Vincent-Mercy-Hospital/115445711812057?fref=ts

@susanwoolner

Here is the concern Tessa – I go to your hospital’s cancer center and I love the fish tank in the waiting room because it is so relaxing and I take a photo of it and post it to Facebook saying “this is relaxing” without any additional information. The meta data that is being parsed with that photo now uses location management info that not only will place it at your hospital but may also place it at the cancer center of your hospital. Unknowingly I shared info that I didn’t mean to share.

Jump to this post

Thank you for that clarification @susanwoolner, I think misunderstood the concerns that are being raised thinking it was specifically referring to those who intentionally check-in to locations. I do see the issue with what you are referring to.

@mikeboehmer57 – In regards to the unofficial page, have you tried claiming it? We had an issue recently where some executives here stumbled upon an unofficial page and were upset by a few of the reviews. I actually worked with a Facebook consultant and they recommend claiming the page which will bring over all the data on that page and eliminate the unofficial page.

@TessaBrown

@mikeboehmer57 – In regards to the unofficial page, have you tried claiming it? We had an issue recently where some executives here stumbled upon an unofficial page and were upset by a few of the reviews. I actually worked with a Facebook consultant and they recommend claiming the page which will bring over all the data on that page and eliminate the unofficial page.

Jump to this post

Good idea, Tess. I believe some of our markets have claimed pages for the reasons you mention.

Mike Boehmer, APR

@ TessaBrown We have done so already and like you, encourage others to do so, for all the renegade sites but have found just when you thing the ground is safe, another sink hole appears. It takes constant monitoring – as all of you know.

We had a similar inquiry from the Connecticut Hospital Association.

We’ve had similar situations where photos have been posted from within our facilities of patients by the patients themselves. These clearly indicate location (either by tagging one of our facilities or via other metadata), but, in consulting with our legal department, are not considered HIPAA violations because it is information revealed by the patients themselves.

While the situation outlined here is slightly different, and I’m not a lawyer, we’ve been applying the same principles. My understanding is that Facebook terms and conditions (which everyone checks off as having read by rarely ever do) apply first in such cases.

It should also be noted that check-ins will continue to occur no matter what admins do, as Facebook will create a “ghost” or unofficial page for a company or organization if someone chooses to check in and does not find an official page. We do what we can to keep ghost/unofficial pages to a minimum so that we can maintain brand integrity.

It’s all very complicated – yet intriguing. I look forward to hearing what others are doing.

@susanwoolner Is the location management info FB uses tied to the user’s authorization to “turn on” locations on their mobile device? Like @TessaBrown, I had notifications of check-ins, but have never seen it on our actual page. The topic “help” on FB was not all that helpful. Thanks! kathy

Another topic for a separate discussion:
How to leverage applicable check-ins in ways that bring value to the person checking-in. (i.e. acknowledging the check-in and providing content on dining options or concierge services.)

Liked by Jackie Massie

@jenniferdearborn

Another topic for a separate discussion:
How to leverage applicable check-ins in ways that bring value to the person checking-in. (i.e. acknowledging the check-in and providing content on dining options or concierge services.)

Jump to this post

That’s a tricky one – and I’ve avoided responding unless the check-in either criticizes us (which I do my best to take off line so that we can do some service recovery) or praises us (at which point I’ll thank them and ask if I can share with staff).

In between those two extremes are the dining options, concierge services, etc. – information that I’d love to provide yet hesitate. I’m not exactly certain why. Perhaps it’s this gut feeling that a response from me is an official acknowledgement of the hospital/patient relationship, and HIPAA might apply at that point.

Do other folks provide information on these kinds of services via check-ins, comments or reviews?

I have not responded to check-ins. I do monitor, and occasionally will thank them, or reach out to them privately. But typically just monitor only with no interaction.

Interesting discussion. Similar to others who have also weighed in already, we also monitor check-ins, but do not regularly respond to them in public. If there is something that needs attention, I will usually screen shot and send to our Patient Relations team as a heads up.

I believe that FB page managers can only see check-ins that are public, and that check-ins for other privacy settings are not visible to us. https://www.facebook.com/help/477587325603876/

Our general rule of thumb has been to respond if someone posts to OUR page, but a check-in is a bit different as it shows up on their personal profile – so they are sharing their information and just happen to be tagging us. We apply similar workflow for a “mention” without a check-in, such as someone posting that a family member is at our hospital.

Trying to keep up with the unofficial/ghost pages is constant and can sure be a struggle! Claiming doesn’t always help, and if you are trying to limit the # of official pages for your organization for branding and consistency reasons, it makes it a little more complicated if you are considering merging location pages/business pages.

This is from FB help – “If your Pages can be merged, the people who like your Pages and any check-ins will be combined, but posts, photos, reviews, ratings and the username will be deleted from the Page you merge. The Page you want to keep will remain unchanged, except for the addition of people who like the Page and check-ins that were merged from the other Page. The Page you don’t want to keep will be removed from Facebook, and you won’t be able to unmerge it.”

We don’t reply to check-ins here unless our monitoring picks up a particularly negative comment, in which case we’ll try to help. I used to get indications that people thought that was creepy; now everyone seems to expect it.

Honestly, I had not really thought of the HIPAA implications of the fish tank scenario @susanwoolner mentioned. Since FB creates those “ghost” pages anyway, is it on the hospital if someone inadvertently discloses their location this way? Couldn’t a similar issue come up if they’re using Google or other services from their phone while sitting in the hospital, since Google would know exactly where they are?

Along the same lines, I’m unsure what to do with the Facebook reviews we get on our page that mention “my husband,” etc. We can’t hide or delete them, and I’m reluctant to turn off reviews altogether.

A HIPAA expert needs to write a book or at least a white paper about all this. I’d pay for it!

Please login or register to post a reply.

© Mayo Clinic Social Media Network. All Rights Reserved.