Welcome to this CME presentation, Mitigating Risk when Using Social Media and Technology in Psychiatry. The content in this presentation is intended solely to provide general information concerning developments in the area of risk management. It's not intended as legal or medical advice, nor does it offer or solicit for offers with respect to any insurance product. Legal or medical advice should be obtained from qualified legal counsel or other professionals to address specific facts and circumstances and to ensure compliance with applicable laws and standards, and listeners should consult their own insurance advisors for information pertinent to the purchase of any insurance product. This content may not be reproduced or redistributed in whole or in part without the prior written consent of Allied World. This activity has been planned and implemented in accordance with the accreditation requirements and policies of the Accreditation Council for Continuing Medical Education through the joint providership of the American Psychiatric Association and Allied World. The APA is accredited by the ACCME to provide continuing medical education for physicians. This APA-designated presentation provides a maximum of one AMA PRA Category 1 credit. Physicians should only claim the amount of credit commensurate with the extent of their participation in the activity. No one in a position to influence course content has anything to disclose. I'm Allison Funicelli. I'm an Assistant Vice President for AWACS Services, a member company of Allied World. I provide risk management services to Allied World's medical professional liability policyholders and insured psychiatrists, psychologists, psychiatric nurse practitioners, and physician assistants. So these are the objectives for the presentation I'm going to be covering today. I'll be explaining patient confidentiality and boundary issues related to the use of social media. I'll be describing the psychiatrist's duty of professional behavior when engaging in social media. I'll be discussing case examples with social media as the central issue and exploring risk management and liability exposures pertaining to confidentiality, boundary issues, and general standards of care as they apply to social media, online reviews, and technology. So social media, we generally know what that is, right? It's an exchange of information in a virtual community or network. And users can find information using social media and spread information, and we can use it personally, professionally, or a blending of the two. So here's examples of each. Examples of personal use of social media includes communicating with family and friends on private personal social pages such as Facebook or Instagram. Information may be shared related to personal hobbies of areas of interest and chat groups that focus on that area or hobby. Another example is sharing information related to school alumni activities. Professional use of social media includes things as posting stuff on LinkedIn or using a professional podcast or professional blogs or professional pages for the office practice or the facility on social media sites. Now what about blending the two together? So blended examples where the lines become more blurred between professional and personal use and information include professional services being advertised on a personal social media website or comments open to patients or the public on personal social media pages versus limiting the personal information to accepted friends and family. Finding patients on personal media pages, including after the patient's been discharged from care, should be avoided because it could lead to a boundary violation. And it's important to check the settings in your social media platforms to limit the access to just those who you intend. So let's talk about some potential liability exposures. So as HIPAA-covered providers, you need to maintain patient privacy, right? That's really important. I'll be discussing shortly examples of where a provider was fined for violating HIPAA related to the use of social media. Failure to comply with HIPAA can also expose a provider not only to fines, but also a medical malpractice claim or a licensing board complaint. Various states have enacted privacy regulations and not just related to HIPAA and medical-related information, but it could also be related to consumer information that's gathered. It's important to follow all state and federal regulations related to patient and consumer privacy. So what are some of the areas of concern when using social media and what are some of the allegations that may be brought against a health care provider? So the first one I'm going to talk about is content ownership. So remember, just because something's posted on the internet does not necessarily mean that the information is free for the public domain to use. This is especially true when you're selecting photographs generally found on the internet that a provider may use for their office practice website. Most photographs, even if it does not explicitly say it, are proprietary to its creator. There have been an uptick in health care providers finding themselves receiving what's called a cease and desist order because they've used content that they did not create themselves or paid for someone to create on their behalf. False advertising. So be aware of what and how you're advertising on your webpage. Do not guarantee services provided or specific outcomes. As mentioned previously with content ownership, be aware that intellectual property infringement can occur. Be sure to protect your information as well so others don't copy it. Use employee disclaimers in your hiring paperwork. Make sure employees and contracted workers are aware of your office practice policy related to posting things about your office practice on social media websites. Plus, everyone should be signing confidentiality agreements as well to protect patient information. Failure to create clear office practice policies for both the employees and your patients or acting outside of state and federal regulations can result in a claim for unprofessional conduct. We're going to talk shortly about online reviews specifically, but regarding blogs and other information exchange forums, avoid posting anything that may be deemed liable or slanderous. So these are four areas I'm going to cover next. We're going to talk about confidentiality, professional reputation, boundaries, and standard of care, all as they relate to social media. So first, we're going to talk about confidentiality and protecting the patient's health data. So what about, for example, exchanging information on email and text? While privacy and confidentiality tend to be used interchangeably, they're not technically the same. Privacy relates to people. It is the desire to control the access of others to themselves. For example, a person may not want someone to see them sitting in an exam room, right? So we shut the door to give them privacy. However, confidentiality relates to information held in confidence with the expectation that it will only be shared with others with the express consent of the person whose information it is. For example, we don't release medical records typically without the patient's written consent. When sharing information electronically, such as through email or text, the information should be encrypted and HIPAA-compliant software should be used. An example is communicating with patients through a secure patient portal. A facility or office practice should establish a process and procedure for the appropriate use of email and text, including the patient always has the ability and right to opt out of use. New patient documents should explain the practice's use of email and text, or lack thereof, and ask patients to sign off on it. The same applies for an employee use of email and text about confidential information. If a patient agrees to use email or text, they should understand the risks. It's preferred texting in particular not be used, or the practice should limit it to things like confirming or canceling appointments. Texting should not be used by either party for discussing treatment and obtaining informed consent or sharing HIPAA-protected information. I'm going to talk in a little while about why that's important related to text and documentation in the medical record. In order to protect the privacy of your patients and keep their HIPAA-protected information confidential, again, use HIPAA-compliant software and apps that include encryption. For example, use a HIPAA-compliant email system, a HIPAA-compliant video platform if you're going to do telehealth. And if a vendor claims that they are HIPAA-compliant, they should be giving you a business associate agreement. If you don't have one, you can ask for that. It's also referred to as a BAA for short. So anytime a vendor will or may have potential access to information, a BAA is important because what that does is it protects you in the event they cause a confidentiality breach. Then they should be defending and indemnifying you if you get dragged into the case because the breach had occurred by them. And plus under HIPAA, you're required to get a BAA from any vendors that you're using. So by obtaining the BAA, again, that will protect you. And we also recommend you get a BAA and use HIPAA-compliant software and apps for credit card processing. So there's many, many apps out there for processing credit cards, Zelle, Vemo, Cash App, Apple Pay, you know, all these different things. And so we don't endorse any particular product, but most of those are not HIPAA-compliant. So and they may have the right to sell patient information like their contact information and stuff to others. So you really need to use a HIPAA-compliant one. All you have to do is Google on the internet HIPAA-compliant payment apps and you will or credit card apps and you'll find three or four out there that you can use. Using email that's encrypted is also important. So again, if you happen to have an electronic health record, a lot of them have a secure patient portal as a component. Maybe you're not using it, but you can ask your vendor if there's one available. There's certainly standalone patient portals as well. So that's the best way to communicate by emailing to patients, especially if it also is connected to an EMR that lets you upload the information to the documentation. So then you don't have to worry about trying to now incorporate that information into the patient's record if you can securely upload the communications through and they're connected to the health record of the patient. If a patient insists on obtaining, say, for example, their records and they want them provided in a non-HIPAA-compliant manner, we have to give it to them. Just have them sign off a document that just says they understand that the way they're asking for their information is not going to be HIPAA-protected. So if they say, can you put it on a thumb drive and throw it in a mailbox or something, right? I mean, like that would not really be protected. If they want them sent by mail, that's fine. I always recommend you just put on the envelope personal and confidential to their attention. Technically sending things through the mail is confidential because by law, only mail addressed to that person, that person's the only one that's allowed to open it. But I would encourage your patients to get their information if they want it through a secure way. If your new patient paperwork, when you create that paperwork, you should spell out for your patient in your practice policy regarding the use of email and text. Again, if you're using texting, it should be limited if at all. And again, you want to restrict its use and remind patients if they're not following the policy that you may not be responding to texts if they're sending them to you because they're not complying with the policy of the office practice. And again, you want to have your patients affirmatively opt in and out. And if they opt in, they always have the option to opt out. So I'm not saying that you have to create policies and procedures for 25 different things, but sometimes just a paragraph here or there in your paperwork makes it so that there's no surprises and everybody's on the same page as to how your office practice operates, what the expectations are, and so there's no surprises later. So here are some risk considerations in using email and text. Again, create your office practice policies and procedures so the expectations are clear. Again, this is true for patients. Some of these may also apply for your employees and contracted workers as well. If a patient violates the policy, remind them of the policy and the practice and direct them to the documents that they had signed. You know, remind patients that email and text should not be used to convey emergencies in particular, right? Again, use that HIPAA-compliant software. Use out-of-office messaging when you're not available, for example, after hours or when you're away on vacation so patients are aware if they do email you that you're not available. And it's a good idea in your out-of-office messaging to also say, you know, not, you know, if it's an emergency, contact 911 or et cetera. You know, set those patient expectations and add general response times to texts and emails in your new patient documents. For example, you might have something that states, emails and texts are typically responded to within two business days. No responses will be provided on weekends and holidays. If this is an emergency, please call 911-988 or go to the closest emergency department. So things like that, these little disclaimers you have in your text messaging, in your office messaging, your email messaging, sets that expectation with the patient. If they're emailing you at 1 in the morning and you're sleeping, clearly they should not be expecting that you're going to respond. If you're using an email system that has a read receipt, that's a great thing, too. So if you have something important you're emailing to a patient, hopefully securely, and it has a read receipt option, what that does is if you can turn that function on, then it alerts you that the person has opened the email. Whether they read it or not, we don't know, but that does trigger an assumption of reading. And if you have the ability to capture that read receipt and save that in the documentation, that's great because now you have proof that they've opened the document and allegedly read it. This is especially true if you have to terminate care with a patient and you're doing a termination letter. So traditionally, the recommendation was you send two mailed copies to the patient, one regular mail, one certified mail. And then this way, if they accept the certified mail copy and sign it, you get that green card back from the post office, you have documentation that they got the letter. But if it came back undeliverable, we generally could assume they got the regular mailed copy. But after the pandemic, sometimes the post office is not getting signatures or sending that green card back, or patients want to be communicating through electronic means, I would recommend if you're going to send a termination letter or a confirmation letter that a patient has terminated care with you, that if you have one of those read receipts in the email, then you have that documentation of like sort of that same idea with the green card that you've confirmed they've opened it, plus you could also mail a regular copy. So you've made two attempts to notify them of the letter. Again, if you have an electronic health system, or you want to consider having a standalone patient portal, you know, those are generally secure, comply with HIPAA, and the vendors will give you a BAA. And remember, anything of substance you're discussing with a patient, care, treatment, anything like that in electronic format is considered part of the documentation. So you need to properly document. So if a person, you and a patient are emailing back and forth key information, that has to get into the medical record. So again, do you have a system that's friendly to upload that information? Again, patient portals that are attached to EMRs typically have that capability. Again, find out from your vendor how their system works and what capabilities they have if you haven't already done so. So next we're going to talk about professional reputation, right? You go to medical school, you've invested a ton of time in education, and you want to make sure you maintain a professional reputation. It's an easy thing to lose and a hard thing to get back. So we want to make sure we protect it upfront. So the personal nature of a relationship between a doctor and a patient, especially psychiatrists, you know, results in a high standard of professional behavior. You know, when engaging in social media, including for personal use, it's important to be mindful of how your interactions on social media reflect your personal and your professional reputation. Online reputation. So the AMA, the American Medical Association, has a guideline for the use of social media. The resources provided at the end of this presentation in our resource slide, and it's also linked, as you can see, on the slide that you're viewing. Your state licensing board or the American Psychiatric Association's district branch in your state may also have additional resources for you. So make sure you're familiar with what your ethical requirements are for maintaining your online reputation and communicating online. Responding to negative social media posts. So what can we do when we get a negative post? So ideally, you'd ignore the post. If possible, if you can possibly just ignore it. And consider even not Googling your reviews if it's going to upset you. If you do feel the need to respond or you see a negative review about yourself, you have to respond in a specific way or not respond at all, like I just said. If you're going to respond, it needs to be generic, not a specific response back to that particular post. So for example, let's say someone gives you a one-star review stating that you were led to believe that you're taking new patients, but they called and they were told the practice is full. So they decide to give you a one-star review. But in reality, maybe the patient called, you asked them some information, and you screened them out as not an appropriate fit for their practice. And so they just got mad, and they decide they're going to post something like that. So it's not exactly true what they posted. So what are you supposed to do? So again, you could choose to ignore it, or you can just do a general response that just says, in general, something like, we are accepting new patients in our practice. But we want to avoid a specific response back like, we are accepting new patients that have been appropriately screened. So this way, if you posted it something like that, now someone implies that the person that did the one-star review was screened out for some reason, right? So we don't want to give them any information that may suggest something about that person. If the review is something that you feel you need to address and it's an active patient, like they either put their name in the review or they put sufficient information that you know who the person is, do it offline, right? We're not going to have a discussion with patients online, you know, you're going to talk to them about it, whether on the phone or in a visit, but also consider your motive for doing so. Are you doing it because your feelings are hurt and you kind of want to call them out on it? Or is there generally information that you feel you need for therapeutic reasons to talk to them about the review? And you need to respect the fact that they may not want to talk about it and we don't want to, you know, we want to avoid making patients feel uncomfortable. If a current or former patient writes something threatening, immediately capture that screen and keep a copy of it and contact authorities and you can ask the platform that they posted on if they'll take it down because it's threatening, but try to first get a screen print of it because if it is taken down and you want to have proof if you're going to go to the authorities that somebody has been threatening you. And remember, we have freedom of speech in this country and that includes technically the ability to lie. So proving a defamation case is very expensive and it's very hard to prove. Having the evidence that supports actual financial detriment to your practice specifically related to one negative review is hard to prove, right? So while reviews may hurt our feelings, people are free to post their opinions in most cases about what they think of us. And you know, it's best to get the advice from a risk management professional or an attorney about a negative review before responding to it. So here are some lessons learned. So here's three people that learned the hard way about responding inappropriately to an online review. So the first one, on June 25th, 2023, so this is a current case, the Department of Health and Human Services posted a settlement agreement with a New Jersey psychiatrist whose practice was fined $30,000 for disclosing patient information in response to a negative online review. The settlement resolves a complaint received by the Office for Civil Rights, who usually does these investigations. First the complaint originally came in in April of 2020, alleging that a healthcare provider impermissibly disclosed the protected health information of a patient in response to the patient's negative online review. Following the OCR investigation, potential violations of the HIPAA privacy rule include impermissible disclosures of patient protected health information in response to negative online reviews and a failure to implement policies and procedures with respect to protected health information. So the response to the review included the patient's diagnosis and treatment for a mental health condition, and they also found information for three other patients that were disclosed in response to negative reviews. So again, you can see there's a link here, you can Google these and you can get the details of each of these, but again, you know, an expensive lesson learned. A Rhode Island physician was reprimanded by the Rhode Island Board of Medicine for responding to a negative review. While the physician did not reference the patient's name, she used specific information in a small community, allowing for readers to determine who the patient was. As a result, the physician lost her admitting privileges to a hospital and was sanctioned by the licensing board. Again, expensive price to pay for responding. And then a North Carolina dentist was fined $50,000 by the OCR for impermissibly disclosing a patient's protected health information in response to a negative review. In this case, not only did the provider share the protected health information publicly about the patient, but they also failed to respond or object to an administrative subpoena that they received and waived their rights to a hearing, and that, you know, created an additional fine. So as you can see, responding to online reviews, even if a patient provides their name and their protected health information, it's their right to do so, can result in a significant consequence for the provider when they respond or, you know, add additional protected health information. A patient does not waive their right to privacy by a provider because they chose to write a negative or positive review or any information about themselves publicly. So next let's talk about boundaries. So consider how professional boundaries may be affected by communications between a clinician and their friends and followers on social media. A record of electronic communications may support, depending on the information discussed, the existence of a patient-provider relationship, right? So we have to be careful what we're doing, who we're communicating with, and are we doing so in a manner that the licensing board may deem this has now created a doctor-patient relationship. You want to have a record of electronic communications in a way that, you know, does not create that if it's unintended. And we have to be careful because, again, licensing implications for boundary violations. So there are pros and cons to accepting and declining a patient's friend request. So again, if you put it in your up front, in your paperwork, you know, please respect, you know, that you're complying with the ethical standards that you cannot friend patients on social media in your patient paperwork, you know, then they know that. But let's assume somebody does it and they send you a friend request. By accepting the request, it can create an alliance, right? So, you know, but the downside is it can blur the professional boundary. It can change the nature of that doctor-patient relationship and expand the treatment setting now through social media. So now you friend a patient so they feel good about themselves, but on the other hand, not only does it blur the boundary, but now it can expand that treatment setting into that social media site, and we don't want to do that, right? There should be no discussions about, you know, going back and forth with the patient about their care through that social media platform. It also invites a breach of potential confidentiality. We already talked about online reviews. The same is true for other social media platforms. Now while declining the friend request can create an alliance breakdown because now someone's hurt, feelings are hurt, just explain to them why you needed to do it. Confirm your professional reputation, confirm that you're working, acting in the patient's best interest, and let them understand you have ethical obligations per the American Psychiatric Association, the AMA, you know, that you have to, the licensing board, you have to follow, you know, proper ethical standards and maintain that professional boundary. Risk management implications when Googling patients. Let's say you decide you want to Google your patient and see what's going on in their world, right? Here are the risk implications. You create the possibility of a boundary violation because it can impede the patient's privacy. They have the right to privacy. So, you know, don't, at your very best, don't be Googling your patients. If you feel a need that you have to for some therapeutic reason, then talk to your patient about it. Talk to them if there's a reason why you feel that you should be looking at their social media that they understand and they've consented to you doing it. How are you going to handle discrepancies? Let's say you see a patient's Googling stuff about themselves, but they're telling you the opposite when they're meeting with you in session and in office visits. How are you going to reconcile that? How are you going to naturally bring up stuff in conversation that you want to call them out on those discrepancies, right? It creates a difficult situation and it could create, you know, a breakdown in trust with your patient. And we don't want to destroy that trust with our patient. So next let's talk about standards of care as it relates to social media. So here's a scenario. A psychiatrist has a social media page where the patient posts public comments about their treatment seeking advice. What should you do? How are you going to handle this situation? So by acknowledging the direct response through that post, you've created a privacy implication, even though the patient posed the question. The best practice is to generally comment on the social media page. Anyone seeking advice should contact your office directly. Use disclaimers and confidentiality notices on the website so patients are informed not to post personal information publicly. Remember your goal is to avoid violating HIPAA and protecting patient privacy and abiding by privacy laws. Let's say a former patient asks to friend you professionally through LinkedIn. Again, we want to avoid accepting that friend request because even though they're a former patient and we want to avoid posting public comments. So you can direct message them, letting them know that unfortunately for ethical reasons you cannot accept their request. The patient should understand that you are required to follow the code of ethics for your profession and violating do so could have a negative licensing implication for you. So let's talk about social media implications related to standard of care. So staying within the standard of care is important. Essentially the standard of care is driven by what other providers in the same specialty would do under the same or similar circumstances. The more a provider deviates from what most providers would do in the same situation can create a claim potentially for a deviation from the standard of care. As a reminder, protect access to the patient's private information. Limit access by others to that protected health information to only those individuals that need to access it and that includes your employees. Do all employees need to access all information to do work for you? Maybe, but maybe not. And then again, beware of posting false information to avoid allegations of fraudulent practices. Let's talk a minute about patient portals. I talked about them a little bit earlier. One way again to help secure limited access to patient data is through the use of a secure patient portal. Most electronic medical record systems have a patient portal option or a secure patient portal can be purchased as a standalone. I had mentioned that earlier. From the patient's perspective, patient portals allow access and completion of appointment scheduling, getting copies of the invoice statements. You can usually upload the new patient intake forms, exchanging updated information, maybe they changed their address, phone number, exchange information with you, access their medical records, request prescription refills. Again, you don't have to use all those functions, but these are examples of things that a patient can do if you have those functions available to them and turned on through the system. From your perspective, a patient portal can provide appointment reminders, help you prepare electronic invoices, securely communicate through email communications with patients, allows communications maybe to be uploaded to the medical record. Maybe you could also upload lab testing results, et cetera. Again, you make sure that your patient portal is encrypted and secure and you have a BAA with the vendor. Let's talk more about specifically within a patient portal. If you use psychotherapy notes, again, not all providers use them. That doesn't mean progress notes. You can Google what psychotherapy notes are, but generally, psychotherapy notes are notes that a provider takes usually contemporaneously during an office visit for themselves. They're just notes for themselves, and then they'll separately document in the patient record. If you do use psychotherapy notes for any patients, if you have a paper record, it needs to be in its own folder. If you have an electronic record, it should be in its own tab, technically secure enough that only you can see that tab because those are really highly sensitive notes that you've taken. By keeping them separate from the main part of the medical record, they enjoy extra protections. When a person asks for their medical records to be released, psychotherapy notes are not released. They're generally not released unless they're requested through a court order. The patient should only be able to view the information that you want them to. You have the ability to turn on and off certain information. Progress notes will then be protected through a portal, so that's a good thing. Informed consent, so the portal can securely house the informed consent forms and other documents that the patient signs off. It's really great if you have a system that lets the patient docu-sign documents, so you don't have to mail stuff, especially if you're not seeing patients in person. The system should automatically log a user off after a short period of inactive use. If someone logs in and then they don't affirmatively log out when they're done, if there's no activity within 10, 15 minutes, whatever it is, usually the system will log them off, so you want to make sure that it automatically logs them off, makes it less likely for a hacker to get in. Each patient portal user, both patients and staff, should have their own unique login credentials. No one should be sharing logins and passwords. Remember to discuss with your IT professional a way to back up your system. Again, in case a hacker gets in and you want to lock them out, if you have a backup system of data, then you can shut down that system. There are IT professionals specifically certified to work with healthcare professionals, so that's the best kind of IT person you should use. So let's talk a little bit about emerging social media issues. So emerging trends you need to be aware of with social media. Be prepared. If you are notified or see a patient is live streaming dangerous behaviors, or they're threatening to harm somebody, and this is being live streamed and it has happened, consider contacting authorities to protect the patient and the public. Can you tell from what you see behind them where they might be? Maybe you can tell that they're in a room that they are also in when they do telehealth visits with you, that's their home, and you can tell the police to go to their home. So again, if someone is harming themselves through live streaming or threatening harm to someone else or the public, contact authorities. If time is not of the essence, then you can contact an attorney or a risk management professional, but usually in a live streaming time is of the essence. Do you have an emergency contact for the patient so that you can contact them? When there are online threats posted, contact authorities, especially if danger is imminent. Again, if time is not of the essence, you can consult others. Do you have a mandatory reporting requirement now? Again, you may have that, especially if someone's threatening someone else and you're in a state that follows the Tarasov decision. It is not a HIPAA violation when law enforcement is contacted in good faith to protect a person or the public, and again, you only need to give law enforcement the information they need to act. They don't need to get all the patient's records and everything, just the information that they would need to protect the patient, protect the public, and again, when safety is important under the circumstances, contacting a family member may be appropriate. So you may be about to violate HIPAA, so you have to tell yourself, am I prepared to defend a HIPAA violation because I wanted to save a life, stop someone from harming themselves or harming others? So it's better to defend a HIPAA violation when you were trying to protect someone's safety than if there's a poor outcome and then the person harms themselves or others and we were more concerned about HIPAA. So technology, right? The good, the bad, and the ugly. So it could be a great tool because it improves access to care, it improves communication, it can provide real-time exchange of information and support, and it can increase professional networking and collaboration. But it can also create unrealistic expectations, like someone's texting you at 1 in the morning and expecting a response. It can expose protected health information to unauthorized third parties, and it can sometimes blur these boundaries and make them more difficult to maintain. So in summary, respect boundaries. Do not invite or accept friend requests from patients or former patients. Avoid dual relationships, you know, patient does not equal an online friend. Respect privacy. Beware. Googling patients without consent. Online information does not belong in a medical record, okay? And use encryption and follow HIPAA guidelines. Maintain your professional reputation, you know, exercise restraint when disclosing information on the internet, even about yourself, right? It might be funny that your friends post you, you know, having maybe some extra drinks at a party, but, you know, if your patients can see that, you know, it can ruin your reputation. Respect your privacy, right? You know, limit access to your social, personal social media pages through your privacy settings. You know, patients should not be able to access that, and, you know, people should have to be making a request for a friend request, and you can deny it, right? And make sure when you're posting stuff, it's just to your friends and family. And remember, encryption alone does not satisfy HIPAA. It's important to have policies and procedures that document employee training on relevant privacy, security, confidentiality policies. If you're not a solo practice, define who is entitled to access the protected health information based upon their respective role and establishing access controls, and it's great to have two-step authentication, so it's not just using a password. Sometimes we have, like, a text gets sent to us or something to confirm, you know, so, you know, that, yes, I'm the person logging in, and, you know, when you have remote access to patients' records, make sure that they are protected. You want to maintain, you know, control of and privacy through your devices and who accesses the information. You know, don't use public Wi-Fi that's not secure. You may not realize it, but someone next to you could be trying to hack you. You know, if you have a Bluetooth-enabled device, make sure you go into your settings for the Bluetooth on the device and put that it there's a disabling so that no one else can see that Bluetooth. I will tell you, almost always, I'll be on a plane, I have my tablet with me, I have Bluetooth headset, right, so I go into, like, watch a movie, say, on my tablet, when I enable my Bluetooth, if I go into my Bluetooth settings, I can see other people's Bluetooth devices because they didn't disable my ability to see it, so you need to do that. Here are some resources for you. You know, again, go to the AMA social media code of ethics. There's information here about HIPAA, and if you have any questions, you know, please contact if you have an insurance information or you want more information about or you are part of the APA Endorsed Professional Liability Program through American Professional Agency. Here's American Professional Agency's contact information. I want to thank you for listening to this CME presentation. Remember, in addition to one CME, if you are insured with the APA Endorsed Program, by participating in this presentation, it provides you with one risk management credit towards the three credits you're needed to get your risk management discount on your renewal premiums. Just contact American Professional Agency and let them know that you participated. Thank you.

CME presentation

risk management

social media

technology

psychiatry

patient confidentiality

boundary issues

liability exposures