HIPAA was enacted several years before social media networks such as Facebook were launched, so there are no specific HIPAA social media rules; however, there are HIPAA laws and standards that apply to social media use by healthcare organizations and their employees. Healthcare organizations must therefore implement a HIPAA social media policy to reduce the risk of privacy violations.
There are many benefits to be gained from using social media. Social media channels allow healthcare organizations to interact with patients and get them more involved in their own healthcare. Healthcare organizations can quickly and easily communicate important messages or provide information about new services. Healthcare providers can attract new patients via social media websites. However, there is also considerable potential for HIPAA Rules and patient privacy to be violated on social media networks. So how can healthcare organizations and their employees use social media without violating HIPAA Rules?
The first rule of using social media in healthcare is to never disclose protected health information on social media channels. The second rule is to never disclose protected health information on social media. (see the definition of protected health information for further information).
The HIPAA Privacy Rule prohibits the use of PHI on social media networks. That includes any text about specific patients as well as images or videos that could result in a patient being identified. PHI can only be included in social media posts if a patient has given their consent, in writing, to allow their PHI to be used and then only for the purpose specifically mentioned in the consent form.
Social media channels can be used for posting health tips, details of events, new medical research, bios of staff, and for marketing messages, provided no PHI is included in the posts.
In 2017, 71% of all Internet users visited social media websites. The popularity of social media networks combined with the ease of sharing information means HIPAA training should include the use of social media. If employees are not specifically trained on HIPAA social media rules it is highly likely that violations will occur.
Training on HIPAA should be provided before an employee starts working for the company or as soon as is possible following appointment. Refresher training should also be provided at least once a year to ensure HIPAA social media rules are not forgotten.
In 2015, ProPublica published the results of an investigation into HIPAA social media violations by nurses and care home workers. The investigation primarily centered on photographs and videos of patients in compromising positions and patients being abused.
In some cases, images and videos were widely shared, in others photographs and videos were shared in private groups. ProPublica uncovered 47 HIPAA violations on social media since 2012, although there were undoubtedly many more that were not discovered and were never reported.
In most cases, the HIPAA violations on social media resulted in disciplinary action against the employees concerned, there were several terminations for violations of patient privacy, and in some cases, the violations resulted in criminal charges. A nursing assistant who shared a video of a patient in underwear on Snapchat was fired and served 30 days in jail.
It is not only employees that can be punished for violating HIPAA Rules. There are also severe penalties for HIPAA violations for healthcare providers.
Listed below are some basic HIPAA social media guidelines to follow in your organization, together with links to further information to help ensure compliance with HIPAA Rules.
The Department of Health and Human Services’ Office for Civil Rights has issued guidance on HIPAA social media regulations, detailing the specific aspects of HIPAA that apply to social media networks. A HIPAA compliance checklist for social media can be viewed on the HHS website.