Ok, #1: If you are outside of the US, you do not follow HIPAA. HIPAA is a US law. Other countries may have their own versions of patient privacy laws, and they probably differ from ours, so be sure to find out what your country’s standards are.
#2, if you are a medical person who is working or studying in a country that is not your own, you should adhere to that country’s guidelines for patient privacy. If that country’s guidelines are fairly loose, no one would blame you for following stricter rules. If the country you are in does not have patient privacy guidelines, the ethical thing to do would be to follow cultural norms there while also still protecting patient information. For example, when I travel, I do not share patient information (patient’s name, condition, labs, etc.) with anyone other than the patient unless the patient tells me I am free to do so. This is a bit hard when you work in hospitals that have large open wards, but it’s still possible.
And now a little summary of HIPAA: the whole point of it is to minimize the number of people who are given access to patient information and identifiers. Protecting patient privacy is a lot more than not sharing their name. It covers any information that could be used to identify a patient. For example, say my practice has a patient with an extremely rare congenital disorder. Now if I were to say what kind of disorder this patient had, or if I told you where my practice was, it would potentially be very easy to identify them, right? This is why in my own blog I often leave out specific details of patients’ stories, or I change their demographics in some way, or I change the time frame that the event occurred (yeah, most of the time when I say something happened “yesterday”… it didn’t) so as to blur the lines a bit and make them even less identifiable.
The easiest way to keep your patients’ identities secret is to keep your own identity secret. I say easy, but trust me, it’s hard to stay anon. I’m certainly no expert on this, and I flub it up all the time. Cranquis would definitely be the best model to follow for blog anonymity out there. That man (or is he?) is paranoid about being identified.
But total anonymity is not required to be HIPAA compliant online.
Here are some major guidelines to follow:
- Never share names, birthdates, social security numbers, addresses, special identifiers, or specific information about a patient’s condition online.
- Don’t check out patients to other providers via text or Facebook message.
- Find out what your hospital or university’s social media policy is and be sure you stick to it.
- Make sure your blog is strongly protected by passwords and/or special browsers (like Tor) so that no one but you can access it—from your end or the other end of the intertubes.
- Do not link your personal information to your blog. For example, I created an anonymous email account that I used to sign up for this blog, so that I can’t be identified through my email address. And don’t link your personal and private blogs.
- Let your posts simmer a bit before releasing them into the world. I usually have mine in the drafts pile for several days before posting. This gives me a chance to review them, make changes, or delete them if I think on a second look that I went too far.
- If you’re not going to be anonymous, do not post anything that you would be embarrassed for one of your patients to read, or that you would be embarrassed to have published in a newspaper.
"Ms." WayfaringMD reminds all the Undercover Medblr Agents to double-check their HIPAA-compliant covers.