Social Media Rules and HIPAA Rules

HIPAA was established many years before social media networks such as Facebook were set up, so there are no official HIPAA social media rules; however, there are HIPAA laws and standards that apply to social media use by healthcare groups and their staff. Healthcare organizations must therefore develop a HIPAA social media policy to minimize the risk of privacy violations.

There are many advantages to be gained from the use of social media. Social media channels allow healthcare organizations to interact with patients and get them more involved in their own healthcare. Organizations can quickly and simply communicate important messages or provide guidelines about new services, and healthcare providers can attract new patients via social media platforms. However, there is also significant potential for HIPAA Rules and patient privacy to be breached on social media networks. So how can healthcare organizations and their staff use social media without violating HIPAA Rules?

Social Media and HIPAA

The first rule of using social media in healthcare is to never publish protected health information on social media channels. The second rule is to never publish protected health information on social media.

The HIPAA Privacy Rule prohibits disclosing PHI on social media networks. That includes any text about specific patients as well as pictures or videos that could lead to a patient being identified. PHI can only be published in social media posts if the patient has given express authorization, in writing, for their PHI to be used, and then only for the purpose specifically stated on the authorization form.

Social media channels can be utilized for posting health tips, details of events, new medical research, bios of employees, and for marketing messages, provided no PHI is published in the posts.

Staff Must be Educated on HIPAA Social Media Rules

In 2017, 71% of all Internet users visited social media platforms. The popularity of social media platforms, combined with the ease of sharing data, means HIPAA training should cover the use of social media. If staff are not specifically trained on HIPAA social media rules, it is highly likely that breaches will occur.

Training on HIPAA should be given before an employee begins working for the organization, or as soon as possible following appointment. Refresher training should also be given at least once a year to ensure HIPAA social media rules are not forgotten.

Social Media and HIPAA Violations

In 2015, ProPublica revealed the results of a review into HIPAA social media violations by nurses and care home staff. The review primarily centered on photographs and videos of patients in compromising positions and patients being abused.

In some instances, pictures and videos were widely shared; in others, photographs and videos were published in private groups. ProPublica identified 47 HIPAA breaches on social media dating back to 2012, although there were undoubtedly many more that were not found and were never reported.

In most instances, the HIPAA violations on social media led to disciplinary action against the staff members concerned. There were several terminations for breaches of patient privacy, and in some instances the violations led to criminal charges. A nursing assistant who published a video of a patient in underwear on Snapchat was fired and served 30 days in jail.

It is not only staff members that can be punished for breaching HIPAA Rules. Healthcare providers themselves also face severe financial penalties for HIPAA violations.

Common HIPAA Violations Involving Social Media

  • Publishing of pictures and videos of patients without written consent
  • Publishing of gossip regarding patients
  • Publishing of any data that could allow a person to be identified
  • Publishing of photographs or images taken inside a healthcare center in which patients or PHI are visible
  • Publishing of photos, videos, or text on social media websites, even within a private group

HIPAA Social Media Guidelines

Below are some basic HIPAA social media guidelines to follow in your organization to help ensure compliance with HIPAA Rules.

  • Develop concise policies covering social media use and ensure all staff are aware of how HIPAA relates to social media websites
  • Educate all staff on acceptable social media use as part of HIPAA training and carry out refresher training sessions yearly
  • Provide employees with examples of what is acceptable, and what is not, to improve comprehension
  • Advise staff of the possible consequences of social media HIPAA violations, including termination, loss of license, and criminal prosecution
  • Make sure anyone given access to your organization's social media accounts is approved by your compliance department first
  • Audit and update your policies on social media yearly
  • Formulate policies and procedures on the use of social media for marketing, including standardizing how marketing is conducted on social media accounts
  • Formulate a policy that requires personal and corporate accounts to be totally separated
  • Develop a policy that requires all social media posts to be approved by your legal or compliance team before publishing
  • Review your organization's social media accounts and communications, and adopt controls that can flag possible HIPAA violations before posts are published
  • Maintain a record of social media posts using your group’s official accounts that preserves posts, edits, and the format of social media messages
  • Do not participate in social media discussions with patients who have disclosed their own PHI on social media; replying can confirm or add to the disclosure
  • Encourage staff to report any possible HIPAA breaches
  • Ensure social media accounts are included in your group’s risk assessments
  • Ensure proper access controls are in place to prevent unauthorized use of corporate social media accounts
  • Review all comments on social media platforms
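As an added example of the kind of pre-publication control the list above calls for (flagging posts that contain data that could identify a person), the following Python screener checks a draft post for the subset of HIPAA Safe Harbor identifiers that can be recognised by pattern (dates, phone numbers, e-mail addresses, SSNs, medical record numbers, ages over 89) and for wording that suggests a specific patient is being discussed. It is illustrative code written for this page, not from the original article or from OCR; the regular expressions, the keyword list, the three-tier verdict and the sample posts are all constructed assumptions. Names, faces and free-form descriptions cannot be caught this way, so the screener is a gate in front of human review, not a replacement for it.

```python
import re
from dataclasses import dataclass, field

# Assumed patterns for the HIPAA Safe Harbor identifiers that can be spotted
# syntactically in free text. Deliberately broad: a screener should over-flag
# and let a reviewer decide, never silently pass an identifier.
IDENTIFIER_PATTERNS = {
    "date": re.compile(r"(?<!\d)(?:\d{1,2}[/-]\d{1,2}[/-]\d{2,4}|\d{4}-\d{2}-\d{2})(?!\d)"),
    "phone": re.compile(r"(?<!\d)(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "mrn": re.compile(r"\b(?:MRN|medical record(?: number| no\.?)?)\s*[:#]?\s*\d{5,}\b", re.I),
    # Safe Harbor requires ages over 89 to be aggregated, so any explicit 90+ is flagged.
    "age_over_89": re.compile(r"\b(?:9\d|1\d\d)[- ](?:years?[- ]old|y/?o)\b", re.I),
}

# Assumed wording that suggests a specific patient is being described.
# Identifiers alone (a clinic phone number) are not PHI; identifiers plus this
# context almost certainly are.
PATIENT_CONTEXT = re.compile(
    r"\b(?:patient|admitted|discharg\w*|diagnos\w*|surgery|ward|chart|room \d+)\b", re.I)


@dataclass
class Finding:
    category: str   # key from IDENTIFIER_PATTERNS
    text: str       # the matched span, returned so a reviewer can see it


@dataclass
class Verdict:
    decision: str                  # "allow", "review" or "block"
    findings: list = field(default_factory=list)
    patient_context: bool = False


def find_identifiers(text):
    """Return every identifier-shaped span in the draft, by category."""
    findings = []
    for category, pattern in IDENTIFIER_PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append(Finding(category, match.group(0)))
    return findings


def screen_post(text):
    """Three-tier gate: identifiers + patient context -> block;
    either one alone -> route to compliance review; neither -> allow."""
    findings = find_identifiers(text)
    context = bool(PATIENT_CONTEXT.search(text))
    if findings and context:
        decision = "block"
    elif findings or context:
        decision = "review"
    else:
        decision = "allow"
    return Verdict(decision, findings, context)


def redact(text):
    """Mask identifier spans so a blocked draft can be shown back to the author."""
    for category, pattern in IDENTIFIER_PATTERNS.items():
        text = pattern.sub(f"[{category.upper()}]", text)
    return text


# Constructed sample drafts; none describes a real person.
SAMPLE_POSTS = {
    "event": "Our cardiology team is hosting a free heart-health talk on Thursday evening. Everyone is welcome.",
    "clinic_hours": "Flu shots are available at our clinic every weekday from 9am to 5pm. Call (555) 010-0100 to book.",
    "vent": "Rough shift tonight. Patient in room 12, a 92-year-old admitted with chest pain, born 03/14/1932, MRN 0048213. Poor guy.",
}

if __name__ == "__main__":
    for name, post in SAMPLE_POSTS.items():
        verdict = screen_post(post)
        print(f"{name}: {verdict.decision} {[(f.category, f.text) for f in verdict.findings]}")
        if verdict.decision == "block":
            print("  redacted:", redact(post))
```

The clinic-hours draft is the case that matters in practice: it contains a phone number but no patient, so it goes to review rather than being blocked outright, which keeps staff from learning to ignore the tool. The patient vent is blocked on three independent identifiers plus context, and the redacted version is what the author would see.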

The Department of Health and Human Services’ Office for Civil Rights (OCR) has released guidance on HIPAA social media regulations, detailing the specific aspects of HIPAA that relate to social media networks.