But for those in the healthcare industry, sharing the wrong thing could result in a HIPAA violation. Here are a few examples of how a seemingly innocent social media post can go wrong.
Social Media and HIPAA – The Basics
If you compare HIPAA Rules and Regulations to a building, patients’ protected health information (PHI) would be the foundation. PHI is the focus of the HIPAA Privacy Rule, which demands limited access. PHI is the data that the HIPAA Security Rule requires to be encrypted, whether in motion or at rest.
Unless a patient has given express written permission to share their PHI, healthcare employees cannot release any of the following details:
- Name
- Address (including subdivisions smaller than states, such as a street address, city, county, or zip code)
- Any dates (except years) that are directly related to an individual, including birthday, date of admission or discharge, date of death, or the exact age of individuals older than 89
- Telephone number
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Vehicle identifiers, serial numbers, or license plate numbers
- Device identifiers or serial numbers
- Web URLs
- IP address
- Biometric identifiers such as fingerprints or voiceprints
- Full-face photos
- Any other unique identifying numbers, characteristics, or codes
So if a doctor shares a photo from an accident scene that shows the license plate of the person he rescued, or if a nurse posts about how great it is to see Mrs. Smith recovering from surgery, both would be violations and could result in substantial HIPAA fines.