Social Media Rules for HIPAA Compliance

HIPAA was enacted several years prior to social media networks such as Facebook being established, so there are no dedicated HIPAA social media rules; however, there are HIPAA laws and standards that apply to social media use by healthcare organizations and their employees. Healthcare groups must therefore implement a HIPAA social media policy to reduce the risk of privacy violations.

There are many advantages to be obtained from using social media. Social media channels allow healthcare organizations to communicate with patients and get them more involved in their own healthcare. Healthcare bodies can quickly and easily send important messages or provide details about new services. Healthcare providers can win new patients via social media websites. However, there is also massive potential for HIPAA Rules and patient privacy to be breached on social media networks. So how can healthcare bodies and their employees use social media without breaking HIPAA Rules?

The first rule of using social media in healthcare is to never share protected health information using social media channels. The second rule is to never disclose protected health information using social media.

The HIPAA Privacy Rule bans the use of PHI on social media networks. That includes any text about specific patients as well as images or videos that could lead to a patient being identified. PHI can only be included in social media posts if a patient has given their express consent, in writing, to allow their PHI to be used, and then only for the purpose specifically referred to in the consent form.

Social media channels can be implemented for posting health tips, details of events, new medical research, bios of staff, and for marketing messages, provided no PHI is included in the posts.

In 2017, 71% of all Internet users logged onto social media websites. The popularity of social media networks, combined with the ease of sharing information, means HIPAA training should include the use of social media. If employees are not given dedicated training on HIPAA social media rules, it is highly likely that violations will happen.

Training on HIPAA should be given prior to an employee beginning work for the company or as soon as is possible following appointment. Refresher training should also be conducted at least once a year to ensure HIPAA social media rules are not forgotten.

In 2015, ProPublica released the results of an investigation into HIPAA social media violations by nurses and care home staff. The investigation mainly centered on photographs and videos of patients in compromising positions and patients being abused.

In some instances, images and videos were widely shared; in others, photographs and videos were shared in private groups. ProPublica found 47 HIPAA violations on social media since 2012, although there were unquestionably many more that were not discovered and were never reported.

In most cases, the HIPAA violations on social media led to disciplinary action against the employees involved. There were several terminations for violations of patient privacy, and in some cases the violations led to criminal charges. A nursing assistant who shared a video of a patient in underwear on Snapchat was fired and served 30 days in jail.

It is not only employees that can be punished for violating HIPAA Rules. There are also severe penalties for HIPAA violations for healthcare providers.

Typical Social Media HIPAA Violations

  • Publishing of images and videos of patients without written consent
  • Publishing of gossip about patients
  • Publishing of any information that could allow an individual to be identified
  • Publishing of photographs or images taken inside a healthcare facility in which patients or PHI are visible
  • Publishing videos or text containing PHI on social media platforms, even within a private group

Guidelines for HIPAA Compliant Social Media Use

Included here are some basic HIPAA social media guidelines to follow in your organization, together with links to further information to help ensure compliance with HIPAA Rules.

  • Create clear policies covering social media use and ensure all employees know how HIPAA relates to social media platforms
  • Train all employees on acceptable social media use as part of HIPAA training and provide refresher training sessions annually
  • Give examples to staff on what is acceptable – and what is not – to enhance understanding
  • Share the possible penalties for social media HIPAA violations – termination, loss of license, and criminal fines
  • Make sure all new uses of social media sites are given approval by your compliance department
  • Review and refresh your policies on social media annually
  • Establish policies and procedures on use of social media for marketing, including standardizing how marketing happens on social media accounts
  • Implement a policy that requires personal and corporate accounts to be totally different
  • Put in place a policy that requires all social media posts to be approved by your legal or compliance department before posting
  • Monitor your organization’s social media accounts and communications and put in place controls that can flag potential HIPAA breaches
  • Keep a record of social media posts using your group’s official accounts that preserves posts, edits, and the format of social media messages
  • Do not participate in discussions with patients who have disclosed PHI on social media
  • Encourage staff to report any possible HIPAA violations
  • Ensure social media accounts are reviewed during assessments

The Department of Health and Human Services’ Office for Civil Rights has published guidance on HIPAA social media regulations, listing the specific aspects of HIPAA that apply to social media networks.