HIPAA was passed many years prior to the proliferation of social media platforms and, due to this, there were never any specific HIPAA social media rules formulated. Despite this there area number of HIPAA laws and standards that can be used to regulate social media use by healthcare organizations and their staff members. As a result, healthcare groups must establish a HIPAA social media policy to address the potential of privacy violations occurring.
Social media can be used in many different way for assist in the work of healthcare organizations. They can use it to communicate with patients and allow them more management over their own healthcare. Messages can be sent more quickly to allow important messages and information regarding news services information about new services. Healthcare providers can try and win new patients using social media platforms However, there is also serious potential for HIPAA Rules and patient privacy to be breached on social media networks. So how can healthcare bodies and their employees use social media without falling foul of HIPAA Rules?
HIPAA and Social Media
The first rule for implementing social media usage in healthcare provision is to never disclose protected health information on social media channels. The next rule is to never disclose protected health information on social media.
The HIPAA Privacy Rule rules out the use of PHI on social media services. That includes any text in relation to specific patients as well as images or videos that could lead to a patient being identified. PHI can only be included in social media posts if a patient has given their permission, in writing, to allow their PHI to be used and then only for the purpose specifically referred to in the consent form.
Health tips, details of events, new medical research, bios of staff and marketing messages can be posted on social media channels if no PHI is included in the posts.
In 2017, 71% of all Internet users viewed social media websites. Due to this HIPAA training should always incorporate using social media. If employees are not given dedicated training on HIPAA social media rules it is highly likely that violations will take place.
Typical Social Media HIPAA Mistakes
- Publishing pictures and videos of patients without expressed permission
- Publishing unconfirmed news about patients
- Publishing identifying information about any individual
- Not blurring images of patients or PHI when publishing healthcare center pictures
- Sending of photos, videos, or text on social media platforms within a private group
HIPAA Social Media Rules
Here we detail a number of basic HIPAA social media guidelines to follow in your group, together with links to additional information to help ensure compliance with HIPAA legislation.
- Set up clear policies covering social media use and ensure all employees are aware of how HIPAA relates to social media services
- Show all staff what acceptable social media is as part of HIPAA training and conduct refresher training sessions annually
- Give examples to staff on what is acceptable – and what is not – to better your staff’s understanding
- Let your staff know the possible penalties for social media HIPAA violations – termination, loss of license, and criminal penalties
- Ensure all new uses of social media sites are passed for use by your compliance department
- Review and update your policies on social media on a yearly basis
- Design policies and procedures on use of social media for marketing, including standardizing how marketing takes place on social media services
- Devise a policy that requires personal and corporate accounts to be kept apart
- Implement a usage policy that requires all social media posts to be given the ok by your legal or compliance department before posting
- Audit your group’s social media accounts and communications and implement controls that can flag potential HIPAA breaches
- Maintain a record of social media posts using your group’s official accounts that saves posts, edits, and the format of social communications
- Do not participate in social media discussions with patients who have shared PHI on social media.
- Encourage all employees to report any potential HIPAA violations
- Ensure social media accounts are taken in to account during in your group’s risk assessments
- Ensure the correct access controls are in place to stop unauthorized use of corporate social media services
- Review all comments on social media services
The Department of Health and Human Services’ Office for Civil Rights has made guidance available on HIPAA social media rules, describing the specific aspects of HIPAA that apply to social media services. A HIPAA compliance checklist for social media can be reviewed on the HHS website.