Data Center Dictionary: Colocation

April 4, 2013, by Kara Manon

Our last data center dictionary entry covered Disaster Recovery. We discussed what disaster recovery is, how to reduce various threats, and how to begin your own disaster recovery plan. Next, we move to Colocation.

What is colocation?

Simply stated, colocation is the practice through which a business houses its servers and other IT equipment in an offsite data center. These facilities are often designed to provide rich connectivity options that would otherwise be unavailable to a business or organization, along with physical security, power and cooling built for server workloads. As opposed to dedicated server hosting, where the provider owns the hardware, colocation lets businesses own and manage their own servers in an environment designed to support and enhance server operation.

Why do businesses practice colocation?

Colocation provides businesses with several advantages, including:

  • Improved facility and network security
  • High uptime and availability
  • Increased connectivity options
  • Cooling, electrical and networking redundancy
  • Scalability for future growth
  • Cost-effective bandwidth
  • Outage protection

Who should consider colocation?

While colocation can benefit businesses of any size, medium and large organizations in particular should consider it. Industries that regularly handle highly sensitive information, such as financial services and healthcare, benefit from colocation because purpose-built data centers provide physical and environmental security controls that are difficult to match in an ordinary office server room.

Why should a financial service company consider colocation?

Today’s financial environment has given the advantage to the quick, connected, and agile. Colocation gives companies the speed, availability, and compliance adherence necessary for success. The boom in electronic trading allows companies to complete transactions almost instantly, but it has also created an environment in which speed directly affects success. The most successful companies in this industry obtain and analyze market information to make quick and accurate decisions, and every second matters.

Colocation also keeps companies from losing out to latency: a facility with dense carrier connectivity shortens the network path to exchanges and counterparties. With the high availability and uptime a data center provides, a financial organization is far less likely to miss an opportunity or suffer a costly loss during an outage. Finally, because these companies handle sensitive data regularly, they must adhere to stringent compliance regulations. For more information about compliance, financial services, and colocation, we recommend reading our white paper, A Guide to Financial Services Regulations.

Healthcare and Colocation

In today’s healthcare environment, the IT infrastructure may be as important as the care itself. A new study published in the January/February Annals of Family Medicine estimates that 70% of family physicians are using Electronic Health Records (EHR) and that by the end of the year over 80% will use them. Healthcare providers at all levels, from hospitals to family care practices, rely heavily on EHR and other technology. Technology in medicine is no longer just a matter of operational efficiency; it is part of effective patient care. Because technology has become a critical component of any healthcare organization, these organizations should consider colocation. It supports reliable operation and good patient care, and it helps an organization meet its HIPAA and HITECH obligations for physical safeguards, backup and disaster recovery (the covered entity remains responsible for its own compliance).

Ultimately, colocation is a way for businesses to protect their IT infrastructure by outsourcing its housing to a purpose-built facility. For more information on colocation and Data Cave’s colocation services, please contact us.

HIPAA, Health Care and Social Media

August 8, 2012, by Kara Manon

Social media has turned the world upside down. People are constantly plugged into their phones or computers, and lines of right and wrong have gotten hazy. Healthcare providers and anyone who deals with Protected Health Information (PHI) on a regular basis must understand the implications of the HIPAA privacy rule on their social media usage.

HIPAA rules affect a large group of people, including any individual or organization that fits the definition of “a provider of medical or health services and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.” HIPAA protects individually identifiable health information held or transmitted by a covered entity or its business associates, in any form or media, whether electronic, paper, or oral.

Penalties for violation are steep. Civil fines start at $100 per violation and can reach $25,000 for repeated violations of the same provision within a calendar year (the HITECH Act of 2009 raised these caps substantially, to as much as $1.5 million per year for violations of a single provision). If a healthcare provider knowingly misuses PHI, criminal penalties apply: at the top tier, for misuse with intent to sell the information or to cause malicious harm, fines can reach $250,000 and up to 10 years in prison.

HIPAA privacy rules can seem ambiguous to an individual in the health care field. Unlike attorney-client privilege, which is considered waived once the client discloses the specific information, HIPAA’s protection is not waived by the patient’s own disclosure: a patient may share their information freely, but a provider who does the same violates the Privacy Rule. So, how do you avoid finding yourself in a predicament with social media and HIPAA? Here are 6 tips to help you on the road to HIPAA compliance.

1. Learn from the past.

Mainstream media has shone the spotlight on several health care providers. Don’t be another story. Learn from the errors of past violators. Candace Yath sued the Fairfield Clinics in Minnesota when her personal information was published on MySpace by a nurse. This nurse had a personal grievance with the patient, and the clinic paid gravely for it with a massive lawsuit and a publicly tarnished reputation. Another case involved nurses who posted photos of a patient’s x-ray to Facebook. While the photos didn’t disclose the patient’s name, the pictures still violated HIPAA standards. Finally, a major case, Doe v. Green, involved a paramedic and a rape victim. Simon Green, a paramedic, posted information on his MySpace page about a rape victim. He didn’t use her name, but he did disclose where he picked her up, the details of the rape he knew, and a description of the perpetrator. He was likely trying to help find the assailant, but even those vague details constituted a violation: PHI is not just a name, and information that lets a reader re-identify the patient is still protected. There have been enough public examples that health care institutions should learn from these cases and act accordingly.

2. Don’t talk about patients, even in general terms, but do talk about conditions, treatments, and research.

As the world becomes more social, doctors and other health professionals can engage in social media, but they need to understand what is off limits. Don’t ever talk about patients, even in general terms. The cases above illustrate the implications of doing so. It is, however, permissible to talk about conditions, treatments, and research. There is a lot to be gained by connecting through social media. Just leave your patients out of it.  

3. Educate your staff, yourself, and your patients.

Many times, health care staff members are the ones who create these violations, so make sure they understand what the violations are. Train them on appropriate social media usage. If they wouldn’t say it in an elevator, they shouldn’t say it online. Most of these incidents happen because staff find humor in a situation or want to talk about an interesting case after a long day. Your staff need to understand that their humor and online conversation cannot include any patient information, and they need to understand the consequences of including it. Posting any photo or video of a patient without the patient’s consent is a violation. By educating your staff and yourself, you can better protect your institution. Also, prominently display your policies and procedures on your social media platforms, and continue to emphasize the importance of security and HIPAA compliance with your staff. Keep your legal and HIPAA advisors close and ask them questions about compliance as they come up. Furthermore, many organizations have struggled to maintain compliance because of patient behavior. To mitigate this risk, post signs prohibiting photography and camera use. While patients may choose to defy the policy, your due diligence will help protect your company.

4. Just Ask!

Most cases aren’t like the ones mentioned in the first point. Your hospital may be on a mission to improve its community relations. Liberty Home Care and Hospice posted a blog about a patient to whom they gave a puppy. Liberty avoided a HIPAA violation by simply asking for her permission before they posted the blog. More often than not, patients will give permission to post certain information if it is for a good cause. Other popular initiatives involving patient information and social media include weight loss stories and baby photos. If you choose to post photos and some patient information, obtain a written authorization from the patient that voluntarily grants you permission to post that specific information; a general Terms of Use policy is not a substitute for a valid HIPAA authorization (45 CFR 164.508), which must say what will be disclosed, to whom, and for what purpose.

5. Ask better. Ask patients to post the information themselves.

Rather than get involved in the red tape of HIPAA compliance by posting patient information yourself, invite patients to post their own photos or stories. When your organization is not the one posting, the onus of violation is lifted. Plus, from a social media standpoint, it encourages your patients to interact with you on these platforms, hopefully with positive results.

6. Monitor your social media platforms

Consistently monitor your platforms. While you aren’t liable for non-employee postings on forums you host, it is best to scrub your platforms for PHI regularly. This will maintain a professional and safe online environment. Proactively staying aware allows you to take appropriate action quickly.

Remember that once something goes online, it may never go away. For better or worse, online media allows information to spread almost instantly. Even if you delete something, there’s a chance someone has taken a screenshot of it to post somewhere else, so deletion is damage control, not a remedy. Don’t make mistakes in social media. Use it as a tool to enhance community relations and improve healthcare across the board. By educating all parties involved on HIPAA’s standards, you can save yourself a lot of stress. Keep your patients involved (and consenting) and monitor your social media. HIPAA doesn’t have to kill social media use by health care institutions; if you follow its standards, you can protect your patients, your staff, and yourself.

For more information on privacy in health care, download our whitepaper: Solving the Mystery of HIPAA and HITECH

Data Centers and HIPAA Compliance

October 11, 2011, by Kara Manon

There have been questions about what role a data center plays when it comes to HIPAA. We want to address what requirements and obligations data centers have when working with clients in the healthcare industry.

First of all, what is HIPAA? The acronym stands for the Health Insurance Portability and Accountability Act of 1996, enacted to protect the health information of patients. When you visit a doctor’s office or the emergency room at your local hospital, all the people seeing your medical history have signed some sheet of paper promising to keep your information private. This means that to disclose healthcare information, they must have your permission (or authorization from the proper authorities in cases of child abuse, etc.). HIPAA also covers how physical and electronic data is handled and secured: the Security Rule requires healthcare entities to back up their data and to have a disaster recovery plan in place. This is where data centers come in.

The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted on February 17, 2009. This Act requires covered entities to disclose breaches of Protected Health Information (PHI). Covered entities and their business associates that “access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured PHI” are required to report breaches to the Department of Health and Human Services. A business associate must notify the covered entity of a breach; the covered entity in turn notifies the affected individuals (patients) and HHS, without unreasonable delay when 500 or more individuals are affected and in an annual report for smaller breaches. By that definition, data centers like Data Cave would be considered business associates.

The problem is that there is much room for speculation about what this actually means. Some data centers use HIPAA compliance as a marketing tool. Let me make something clear: there is no official certification for HIPAA. A data center can be HIPAA compliant, which is what we at Data Cave consider ourselves. Some pay an outside firm to come in, look around, and put its stamp of approval on the facility, but that is an assessment, not a certification. For Data Cave, meeting HIPAA compliance means limiting the people with access to equipment, including our own staff. It also means notifying the proper channels when someone has been near a healthcare entity’s equipment. Most healthcare companies will want to manage their own equipment, which means our staff wouldn’t need to touch it anyway. However, for a data center providing managed services, facility staff would be handling the equipment. In that case the facility enters into an agreement with the customer to maintain confidentiality. In the event of a breach, whether electronic or physical, the data center notifies the customer (the covered entity), which in turn notifies HHS where applicable.

In other words, no one can claim HIPAA certification. To take it a step further, the essence of a data center is to be secure; so in that case, aren’t we all HIPAA compliant? Not automatically: physical security is only part of the picture, and a facility also needs a signed business associate agreement with each covered-entity customer, documented access-control and breach-notification procedures, and staff who actually follow them.

To find out more about Data Cave and HIPAA compliance, call us at 866-514-2283 or Contact Us via our website.