HIPAA was developed many years before social media networks such as Facebook were launched, so there are no specific HIPAA social media rules; however, there are HIPAA laws and standards that apply to social media use by healthcare groups and their staff. Healthcare groups must therefore put in place a HIPAA social media policy to lessen the risk of privacy violations.
There are many advantages to be obtained from using social media. Social media channels permit healthcare groups to interact with patients and get them more involved in their own healthcare. Healthcare groups can quickly and easily communicate important messages or supply information about new services. Healthcare providers can gain new patients using social media websites. However, there is also considerable potential for HIPAA Rules and patient privacy to be breached on social media networks. So how can healthcare groups and their employees use social media without breaching HIPAA Rules?
Social Media and HIPAA
The first rule of using social media in the healthcare sector is to never share protected health information on social media platforms. The second rule is to never share protected health information on social media. (See the definition of protected health information for further advice.)
The HIPAA Privacy Rule outlaws the use of PHI on social media platforms. That includes any text about specific patients, as well as images or videos that could lead to a patient being identified. PHI can only be used in social media posts if a patient has provided their consent, in writing, to permit their PHI to be used, and then only for the purpose specifically mentioned in the consent form.
Social media channels can be used for posting health tips, details of events, new medical research, bios of staff, and for marketing messages, provided no PHI is included in the posts.
Staff Must be Trained on HIPAA Social Media Rules
During 2017, 71% of all Internet users logged on to social media websites. The popularity of social media networks, along with the ease of sharing information, means HIPAA training should include the use of social media. If staff are not specifically trained on HIPAA social media rules, it is highly likely that violations will happen.
Training on HIPAA should be given prior to an employee starting work for the company or as soon as is possible following appointment. Refresher training should also be conducted at least once a year to ensure HIPAA social media rules are not forgotten.
HIPAA Breached on Social Media
In 2015, ProPublica released the results of an investigation into HIPAA social media violations by nurses and care home professionals. The investigation primarily focused on photographs and videos of patients in compromising positions and patients being abused.
In some instances, images and videos were widely shared; in others, photographs and videos were shared only in private groups. ProPublica found 47 HIPAA breaches on social media since 2012, although there were undoubtedly many more that were not found and were never reported.
In most instances, the HIPAA violations on social media led to disciplinary action against the employees concerned. There were several terminations for violations of patient privacy, and in some cases, the violations led to criminal charges. A nursing assistant who shared a video of a patient in underwear on Snapchat was fired and served 30 days in prison.
It is not only workers who can be penalised for breaching HIPAA Rules. There are also harsh penalties for HIPAA violations for healthcare suppliers.
Typical Social Media HIPAA Breaches
- Publishing of images and videos of patients without written consent
- Sharing of gossip about patients
- Publishing of any information that could allow an individual to be identified
- Posting of photographs or images taken inside a healthcare facility in which patients or PHI are visible
- Posting of photos, videos, or text on social media platforms within a private group
Guidelines for HIPAA and Social Media
Detailed below are some basic HIPAA social media guidelines to adhere to in your organization, along with further information to help ensure compliance with HIPAA Rules.
- Set up clear policies covering social media use and ensure all staff are aware of how HIPAA relates to social media platforms
- Show all staff what acceptable social media use is as part of HIPAA training and conduct refresher training sessions yearly
- Give examples to staff on what is acceptable – and what is not – to enhance understanding
- Share the possible penalties for social media HIPAA violations – sacking, loss of license, and criminal penalties
- Make sure all new uses of social media sites are approved by your compliance department
- Look over and update your policies on social media yearly
- Put in place policies and procedures on use of social media for marketing, including standardizing how marketing happens on social media accounts
- Set up a policy that requires personal and corporate accounts to be kept entirely separate
- Design a policy that requires all social media posts to be approved by your legal or compliance department prior to publishing
- Review your organization’s social media accounts and communications and implement controls that can flag potential HIPAA breaches
- Keep a record of social media posts using your organization’s official accounts that saves posts, edits, and the format of social media messages
- Do not engage in social media discussions with patients who have shared PHI on social media
- Ask employees to report any potential HIPAA violations
- Make sure social media accounts are included in your group’s risk assessments
- Make sure appropriate access controls are implemented to stop unauthorized use of corporate social media accounts
- Review all comments made on social media platforms
The Department of Health and Human Services’ Office for Civil Rights (OCR) has released guidance on HIPAA social media regulations, listing the specific aspects of HIPAA that apply to social media platforms. A HIPAA compliance checklist for social media can be viewed on the HHS website.