HIPAA and Social Media Guidelines
Since HIPAA was passed far before the real era of social media, there are no laws or amendments that are specific to the connection between HIPAA and social media. However, many of the existing laws and regulations have details that certainly apply to conduct within social media channels.
Social media may not seem like it would have a significant impact on the healthcare industry but the large quantity of people that are making their doctor and hospital decisions through social media is constantly increasing. Social media can be an important resource for organizations within the healthcare industry to utilize but it also can be a risky platform due to the risk of HIPAA violations. The potential for HIPAA violations via social media reveals how important it is that organizations create clear training and policies to protect them from this type of HIPAA violation.
PHI in Social Media
The most important thing in terms of social media and HIPAA is that no form of PHI can be shared in any type of social media content. Protected Health Information, or PHI, is any piece of information that can be used to identify a patient. Although this is necessary information in order to complete many of the treatments and care related processes within healthcare, it is also crucial that it is taken care of in a way that does not compromise HIPAA compliance.
Examples of unauthorized social media use:
- Any text/message/snapchat about a specific patient
- Any image of a patient shared where they could be identified
- Marketing campaigns using specific patient information without consent
- Responding to comments with any individual identifiers
- Neglecting to inform patients of any privacy breaches
- Sharing PHI in any social form without patient’s consent
- Snooping into patient records for a case that is not assigned to you
When it comes to internal uses of social media, be sure to moderate the comment section of posts to assure that no information is added that could identify patients in any way. In addition to keeping an eye on organization and employee social media channels, PHI must also be kept out of any form of marketing campaigns that are made. Marketing teams must be careful to advocate for the services that are provided without revealing any PHI that has not been expressly allowed by the patient.
These days, most PHI that is used in the healthcare system is accessed in electronic form, known as ePHI. Due to the electronic nature of the PHI, it is important that companies utilize strict computer systems that can track each employee that opens a record. This way, the company can be sure that an employee’s usage and access to this important information is entirely traceable and secure.
Cost of Noncompliance
Although one employee’s social media post may seem to be insignificant in the larger scheme of things, just one small post or message can reveal PHI, violating HIPAA and bringing on a wide variety of penalties. It is important for organizations to set clear expectations and rules for their employees to follow so that they can avoid the high cost of noncompliance.
Social media is one of the main avenues where breaches in protected health information occur for healthcare organizations. Due to the high risk nature of these platforms, training employees on social media & HIPAA is vital so that the organization can be protected from potential violations and fines.
It is also important to be clear and direct with employees about the direct consequences that can happen to them if they are responsible for a breach in PHI. Their understanding of the risk of being fired, losing their license, incurring fines or receiving criminal charges will significantly affect how seriously they take their contribution to HIPAA compliance.
Policies & Procedures
Social media is one of the most common places that misunderstandings happen that lead to HIPAA compliance violations for healthcare professionals. Due to the lack of social media specific rules, it is important that organizations create, implement & share their own policies to their own employees. Properly training employees on the ins and outs of HIPAA and social media is vital in preventing them from committing costly violations. Creating policies and handbooks that fit your organization’s specific company culture will help to increase the employee’s buy-in to complying with HIPAA.
One of the challenges that social media creates is that it blurs the line between public and private information. People typically assume that if their accounts are set as “private”, that their posts and messages are secure. However, social media channels do not adequately encrypt their messaging systems which means that any form of PHI sent via a social media post or message would violate HIPAA. As organizations implement their own policies, it is important to remind them of the lack of true privacy and security when handling sensitive information on social media.
The policies and procedures for protecting PHI from social media posts, needs to be part of an employees initial training and onboarding process so that they are aware of the expectations before they ever even access this type of information. The training sessions that are held and handbooks that are written will need to be regularly updated as social media changes and new social platforms enter the market.
Social media in the Healthcare Industry
Due to the potential consequences of sharing PHI on social media, you can’t be too careful in enforcing social media policies. The idea should always be that it is better to refrain from posting something if you aren’t sure if it qualifies as a HIPAA violation.
Here are some precautions to take in terms of social media posting:
- To be safe, don’t talk about patients in any way via social media.
- Don’t share any workplace related frustrations online.
- Refrain from discussing patients even in a general way via social media direct messages
- Monitor the comment section and delete anything that could elicit a compromising response
As we have seen there are many risks associated with social media usage in the healthcare industry affecting HIPAA compliance. However, with the proper precautions being taken, there are still many ways to use social media to benefit your healthcare organization. In general, social media can be used to attract new clients to your company or educate current clients on a topic or piece of news.
Here are a few specific ways that covered entities can use social media beneficially:
- Offer health tips that patients might find helpful
- Advertise upcoming events for patients to attend
- Share new research in the field of your organization
- Display honors or awards you have been given
- Create profiles or biography of your staff
- Post advertisements of your services as long as they DO NOT contain the PHI of any patient
- Discounts or special offers on services you provide
The expectations and requirements of HIPAA can be difficult and confusing, especially in relation to social media where there are no specific laws for the topic. Social media can be used in many useful ways in healthcare but we have also seen that there is a high level of potential risk of HIPAA violations through these platforms. A strong understanding of HIPAA and it’s requirements will help to build guidelines and policies for managing social media in a HIPAA approved way.