Social Media and HIPAA Violations

Social media has revolutionized how people communicate. 90% of Americans use it in some form. Globally, more than 4.6 billion people are on social media. For healthcare organizations, platforms like Facebook, Instagram, and LinkedIn can be an effective way to market facilities, services and products, share healthy habits with patients, and quickly spread information about health-related emergencies. Using social media can increase the risk of HIPAA violations which organizations need to be aware of.

Avoiding HIPAA Risk on Social Media

Posting protected health information (PHI) on any social media site or website is the biggest mistake an organization can make regarding social media-related HIPAA violations. PHI includes:

• Common identifiers such as names, birthdates, SSNs, telephone numbers, email addresses, etc.
• Past, present, or future physical or mental health conditions
• The healthcare services you provide to the patient

While the HIPAA regulations do not specifically address social media, largely because the rule was written before the platforms became prominent, guidance from the Department of Health and Human Services (HHS) has clearly indicated that covered entities must not disclose PHI on social media for any reason. Any disclosure of the PHI on social media falls under the HIPAA Privacy Rule, which establishes patient rights to control how their health data is used.  That rule is relevant even if the patient has already disclosed their PHI on social media. Responding to those posts would be a HIPAA violation.

HIPAA does allow for the disclosure of PHI if the patient has given the covered entity written authorization. A valid authorization must include:

• A meaningful description of the information to be disclosed
• A description of each purpose of the disclosure
• Information on the right to revoke authorization
• The authorization’s expiration date
• A signature of the person giving the authorization

If a patient has given consent, it is still best practice to NOT put any PHI online. The Privacy Rule states that individuals have the right to revoke authorization. Once information is put online, the organization can’t control what happens to that data (saved images, sharing of information from other parties. etc.), making it difficult, if not impossible, to comply with the revocation request.

Pictures

Photos uploaded to social sites carry a lot of risks. Often the person who takes or posts the image may not realize the amount of information that can be derived from the photo. Any identifiable PHI in the picture is a HIPAA violation if the patient hasn’t given authorization. Some other things to keep in mind about the risks of posting images include:

• A picture of a patient’s injury posted online is a HIPAA Privacy Rule violation if the identity of the individual can be determined from the image.
• A photo that implies any past, present, or future medical treatments for the patient is a disclosure of PHI.

Employees Posting on Personal Accounts

Your employees’ personal social media accounts are subject to the same HIPAA rules as corporate accounts. On top of Privacy rule violations, an employee post that included PHI could result in HIPAA Security Rule violations if the employee accessed the information without authorization.

Enforcement of HIPAA Violations on Social Media

There are numerous examples of the HHS Office of Civil Rights (OCR) penalizing healthcare organizations for HIPAA violations on social media.

• Manasa Health Center paid a $30,000 fine and agreed to corrective actions. The psychiatry practice was accused of posting a patient’s PHI when responding to a negative review the patient posted online. OCR’s investigation found that Manasa Health Center impermissibly disclosed the protected health information of three other patients in response to their negative online reviews.
• Elite Dental Associates paid a $10,000 fine and agreed to corrective actions. Elite was accused of disclosing PHI in responses to patient reviews on Yelp.
• Dr. U. Phillip Igbinadolor and Associates was fined $50,000. The dental practice was also charged with including PHI in response to negative online reviews.

Social Media Policy

All healthcare organizations should have an implemented and enforced social media policy. Here are some items that need to be included in any organization’s policy to minimize HIPAA risk:

All Posts Must Align with Company Privacy Standards

It seems obvious, but it can’t be emphasized enough, NEVER post PHI. Even if the patient has given authorization, there needs to be a very strong business case to do so. There’s just too much risk.

Avoid Photos of Patients

Patient photos can inadvertently reveal PHI. Any photo with a patient needs to have authorization and should be thoroughly reviewed for any other identifiable information before posting.

Separate Personal and Business Accounts

Post all company-related content through the organization’s social media accounts. Limit access to the corporate accounts and have a staff member or team responsible for reviewing all posts before publishing. Make sure your employees know that posting company or patient-related information on their personal accounts could result in HIPAA violations. A nurse in Texas was fired from her job when she posted on Facebook about a young measles patient she had seen at the hospital she worked at.

Employees should avoid connecting with patients and their families. They should encourage patients to connect with the organization’s profiles instead.

Monitor Social Media for Potential Violations

The faster you catch a disclosure of PHI on company social media, the faster you can react and hopefully reduce the odds of a complaint being filed. Implement a cadence to monitor for hashtags and keywords relevant to your organization. This will allow for quick detection of employee posts that violate company rules and give the organization a better understanding of what’s being said about it on social media.

Prohibit Employees from Responding to Online Reviews

The penalties highlighted above demonstrate the risk associated with responding to online reviews. If the organization chooses to respond to a review, the response needs to be carefully crafted and reviewed to ensure it doesn’t include HIPAA Privacy or Security Rule violations.

Give your employees training on your social media policy so they can understand the risk and what they can and cannot do on their social media accounts.

For more guidance to help ensure your organization’s social media activity isn’t violating HIPAA or any other applicable laws, use this social media checklist from HHS.

CompliancePoint has a team of experienced healthcare, privacy, and security experts that can help your organization with all aspects of HIPAA compliance. Contact us at connect@compliancepoint.com to learn more.