Because HIPAA was enacted a number of years prior to the evolution of social media platforms, there are no provisions specifically addressing social media networks and PHI in the HIPAA text.
However, this does not mean HIPAA does not apply to social media networks. In relation to regulating the use of social media by covered entities, business associates, and their employees, the provisions of the HIPAA Privacy Rule and Security Rule still apply. Consequently, it is important for anyone handling any type of PHI to be aware of these provisions.
One of the most important things for a covered entity to do is establish a HIPAA social media policy that clearly defines what public messaging is allowed. By providing employees with this information in training situations, organizations will reduce the probability of a HIPAA breach occurring via social media.
Social media can be a very useful tool for range of different purposes within the healthcare sector, including:
- Communicating with patients to allow them to take a more active role in their own healthcare.
- Quicker relaying of updates and important messages.
- Raising awareness of certain conditions and treatments.
- Tackling misinformation in relation to illnesses and treatments.
- Answering patients’ queries.
- Attracting new patients to a healthcare practice.
However, there is also serious potential for HIPAA Rules and patient privacy to be breached on social media networks. So how can healthcare organizations and their employees use social media without violating the HIPAA Rules?
HIPAA & Social Media Usage
The most important thing to remember when social media platforms are being used in a healthcare setting is that it is never acceptable to disclose or share PHI on social media sites.
The HIPAA Privacy Rule is very clear on this as posting anything linked to a particular patient, such as images or videos, could result in a patient being identified. PHI can only be included in social media posts if a patient has given their permission, in writing, to allow their PHI to be used and then only for the purpose specifically referred to on the consent form.
Health tips, details of events, new medical research, and bios of staff and marketing messages can all be posted on social media channels if no PHI is included.
In 2017, 71% of all Internet users viewed social media websites. Due to this, HIPAA training should always incorporate social media usage. If employees are not given specific information about the HIPAA social media rules in training sessions, it is highly likely violations will occur.
Some of most common mistakes made by healthcare workers on social media are:
- Sharing pictures and videos of patients without their express permission.
- Referring to unconfirmed news about patients.
- Not blurring images of patients or PHI when publishing healthcare center pictures.
- Uploading photos, videos, or text containing PHI on social media platforms within a private group.
HIPAA Social Media Rules
There are a range of simple guidelines covered entities and business associates should keep staff aware of in order to prevent breaches of the HIPAA Rules. These rules should also be included in HIPAA training courses for onboarding new employees and in refresher HIPAA training sessions for existing staff members.
- Give examples of what is acceptable and what is not as part of HIPAA training and conduct refresher training sessions annually.
- Set clear policies covering social media use and ensure all employees are aware how HIPAA impacts the use of social media platforms.
- Let staff know the possible penalties for social media HIPAA violations, such as termination, loss of license, and even criminal penalties.
- Devise a policy that requires personal and corporate accounts to be kept separate.
- Review and update policies on social media on a yearly basis.
- Design policies and procedures in relation to the use of social media for marketing.
- Review all comments on social media services.
- Implement a usage policy that requires all social media posts to be considered by a legal/compliance department before they are published.
- Audit group social media accounts and communications and implement controls that can flag potential HIPAA breaches.
- Ensure social media accounts are taken into account during in risk assessments.
- Maintain a record of social media posts on your organization’s official accounts. Save posts, edits, and the format of social communications.
- Do not participate in social media discussions with patients who have shared PHI on social media.
- Encourage employees to report potential HIPAA violations.
- Ensure the correct access controls are in place to stop unauthorized use of corporate social media services.
The Department of Health and Human Services’ Office for Civil Rights has made guidance available on the HIPAA social media rules, describing the specific aspects of HIPAA that apply to social media services. A HIPAA compliance checklist for social media can be reviewed on the HHS website.
Healthcare workers need to be conscious of the ease at which a HIPAA breach can happen when they are using social media platforms in the workplace. HIPAA training sessions, at the commencement of employment and annual refresher sessions, should make the HIPAA social media rules clear so that there is no chance of organizations violating patient privacy and being put at risk of a financial penalty for failing to comply with HIPAA.
Fully customize the HIPAA training for your own requirements.
Select core and optional modules
Adjust the training text
Add your own questions
Decide your own grading scheme
Add your own certificate