Social media networks such as Facebook, Twitter, Instagram and YouTube have the potential to lead to HIPAA breaches as they allow people to stay connected and share information with their friends, families, acquaintances, and in some cases, total strangers.
Any date published social networks is considered to be in the public domain and it potentially becomes accessible by anyone with who is connected to the Internet. Published information can be shared with a massive audience quickly and very little control exists over data once it has been posted. It can be part of a permanent online record.
The potential for an even seemingly harmless post or status update to inflict considerable harm and damage has been emphasized by a recent lawsuit filed by a Chicago ER patient, who claims her PHGI was exposed when an ER doctor uploaded a photo of her drunk in the ER room to his Facebook account.
This may have been a one-off incident, but social media platforms have considerable potential to expose PHI and these risks should be found in the risk analyses healthcare organizations are required to complete under HIPAA regulations.
A HIPAA-compliant social media policy must be put in place and the staff should be advised about what can and cannot be posted on social media accounts under federal Privacy and Security Rules.
Developing a comprehensive social media policy can require a lot of resources, although it is possible to implement the social media policy of a company such as the Mayo Clinic and use that as base and adapt it to sort your organizations requirements.
The simplest way to implement the policy is to provide the workforce with very clear and precise guidelines on the use of social media channels, both at work and privately. HIPAA compliance does not finish when you’re gone home as far as social media channels are concerned.
Supply a list of easy to read bullet points which concisely state social media policies and tell the staff not to engage with patients online unless they are sure it is via a HIPAA compliant medium. Whenever possible staff should ask for a face to face meeting or make a telephone call.
It is not permitted to post any photos of patients online or disclose personal information online without first recieving consent, and it should be communicated that posts may form a permanent online record.
Social media is an easy and convenient way to interact with patients, develop brand image and build up an online profile; however the dangers to privacy and security are considerable and it is therefore essential that policies are developed and regularly monitored and updated as necessary.
