HIPAA was established many years before social media networks such as Facebook evolved, so there are no official HIPAA social media rules. However, there are HIPAA standards and regulations that apply to social media use by healthcare groups and their staff. Healthcare organizations must therefore develop a HIPAA social media policy to minimize the risk of privacy violations.
There are many advantages to be gained from the use of social media. Social media channels allow healthcare groups to interact with patients and get them more involved in their own healthcare. Healthcare groups can quickly and simply communicate important messages or provide guidelines about new services. Healthcare providers can attract new patients via social media platforms. However, there is also significant potential for HIPAA rules and patient privacy to be breached on social media networks. So how can healthcare groups and their staff use social media without violating HIPAA rules?
Social Media and HIPAA
Because social media channels can be viewed publicly, the HIPAA Privacy Rule prohibits the publication of PHI on social media networks. That includes any text about specific patients as well as pictures or videos that could lead to a patient being identified. PHI can only be published in social media posts if a patient has given their consent in writing to permit their PHI to be used and then only for the purpose specifically stated on the consent form.
Social media channels can be utilized for posting health tips, details of events, new medical research, bios of employees, and for marketing messages, provided no PHI is published in the posts.
Staff Must be Educated on HIPAA Social Media Rules
During 2017, 71 percent of all Internet users visited social media platforms. The popularity of social media platforms combined with the ease of sharing data means HIPAA training should cover the use of social media. If staff are not specifically trained on HIPAA social media rules, it is highly likely that breaches will occur.
Training on HIPAA should be given before an employee begins working for the company or as soon as is possible following appointment. Refresher training should also be given a minimum of once a year to ensure HIPAA social media rules are not forgotten.
Social Media and HIPAA Violations
In 2015, ProPublica revealed the results of a survey into HIPAA social media violations by nurses and care home staff. The review primarily centered on photographs and videos of patients in compromising positions and patients being abused.
In some instances, pictures and videos were widely shared, in others photographs and videos were published in private groups. ProPublica uncovered 47 HIPAA violations on social media since 2012, although there were undoubtedly many more that were not found and were never reported.
In most instances, the HIPAA violations on social media led to disciplinary action against the staff members concerned. There were several terminations for breaches of patient privacy, and in some instances the violations led to criminal charges. A nursing assistant who published a video of a patient in underwear on Snapchat was fired and served 30 days in jail.
It is not only staff members that can be punished for breaching HIPAA Rules. There are also severe fines for HIPAA violations for healthcare providers.
Common HIPAA Violations Involving Social Media
- Publishing of pictures and videos of patients without written consent
- Publishing of gossip regarding patients
- Publishing of any data that could allow a person to be identified
- Publishing of photographs or images taken inside a healthcare center in which patients or PHI are visible
- Publishing of photos, videos, or text on social media websites within a private group
HIPAA Social Media Guidelines
Below are some basic HIPAA social media guidelines to follow:
- Develop policies covering social media use and ensure all staff are aware of how HIPAA relates to social media platforms
- Educate all staff on acceptable social media use as part of HIPAA training and carry out refresher training sessions periodically
- Provide examples to employees on what is acceptable – and what is not
- Advise staff of the possible penalties for social media HIPAA violations: termination, loss of license, and criminal prosecution
- Make sure all new users of social media sites are approved by your compliance department
- Audit and update policies on social media yearly
- Formulate policies and procedures on use of social media for marketing, including standardizing how marketing is conducted on social media accounts
- Formulate a policy that requires personal and corporate accounts to be totally separated
- Develop a policy that requires all social media posts to be approved by your legal or compliance team before publishing
- Review your group's social media accounts and communications and adopt controls that can flag possible HIPAA violations
- Maintain a record of social media posts using an official account that preserves posts, edits, and the format of social media messages
- Do not participate in social media discussions with patients who have disclosed PHI on social media
- Encourage staff to report any possible HIPAA violations
- Ensure social media accounts are included in your organization's risk assessments
- Ensure proper access controls are in place to prevent unauthorized use of corporate social media accounts
- Review all comments about the organization on social media platforms
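As an added illustration of the two guidelines above on pre-publication approval and controls that flag possible violations (example code written here, not part of the original article or any product), the following Python screens a draft post for PHI-like content and holds it for compliance review instead of approving it automatically. The patterns, the patient-context words, and the sample posts are constructed assumptions, not an exhaustive list of HIPAA identifiers.

```python
import re
from dataclasses import dataclass, field

# Direct identifiers: flagged wherever they appear (constructed patterns, not an exhaustive list).
DIRECT = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{5,}\b", re.I),
}
# Quasi-identifiers: a clinic phone number or an event date is fine on its own, but a date or
# number tied to a specific patient is PHI, so these are flagged only with patient-specific wording.
CONTEXTUAL = {
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}
PATIENT_CONTEXT = re.compile(r"\b(patient|admitted|discharged|diagnos\w*|room \d+)\b", re.I)


@dataclass
class Screening:
    approved: bool
    findings: list = field(default_factory=list)


def screen_post(text: str, consent_on_file: bool = False) -> Screening:
    """Approve only when nothing PHI-like is found; otherwise return the findings so the
    post is held for the compliance team before it is published."""
    findings = [f"{k}: {m.group(0)}" for k, p in DIRECT.items() for m in p.finditer(text)]
    if PATIENT_CONTEXT.search(text):
        findings.append("patient-specific wording")
        findings += [f"{k}: {m.group(0)}" for k, p in CONTEXTUAL.items() for m in p.finditer(text)]
    if not findings:
        return Screening(True)
    # Written consent never auto-approves: the reviewer must confirm the post matches the
    # purpose stated on the consent form, so the consent status is recorded as a finding.
    if consent_on_file:
        findings.append("consent on file: reviewer must confirm the post matches the stated purpose")
    return Screening(False, findings)


# Constructed sample posts, not real messages.
SAMPLE_POSTS = [
    "Flu shots available every Tuesday in March. Call 555-123-4567 to book.",
    "Wonderful recovery for our patient in room 12, discharged 3/14/2024!",
    "Reminder: bring your insurance card. MRN 1234567 must be on the form.",
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        result = screen_post(post)
        print("APPROVED" if result.approved else "HOLD FOR REVIEW", result.findings)
```

A screen like this catches obvious slips, not free-text gossip or a photo with a visible chart, so it complements the human approval step rather than replacing it.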
The Department of Health and Human Services’ Office for Civil Rights (OCR) has released guidance on HIPAA social media regulations, detailing the specific aspects of HIPAA that relate to social media networks. You can read a more comprehensive guide here.