In a world where hundreds of millions of tweets, posts, snaps, and stories are posted on social media daily, sharing information about our lives may seem like second nature.
But for those in the healthcare industry, sharing the wrong thing could result in a HIPAA violation. Here are a few examples of how a seemingly innocent social media post can go wrong and result in a HIPAA violation.
Social Media and HIPAA – The Basics
If you compare HIPAA Rules and Regulations to a building, patients’ protected health information (PHI) would be the foundation. PHI is the focus of the HIPAA Privacy Rule, which demands limited access. PHI is the data that the HIPAA Security Rule requires to be encrypted, whether in motion or at rest.
Unless a patient has given express written permission to share their PHI, healthcare employees cannot release any of the following details:
- Name
- Address (including subdivisions smaller than states, such as a street address, city, county, or zip code)
- Any dates (except years) that are directly related to an individual, including birthday, date of admission or discharge, date of death, or the exact age of individuals older than 89
- Telephone number
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Vehicle identifiers, serial numbers, or license plate numbers
- Device identifiers or serial numbers
- Web URLs
- IP address
- Biometric identifiers such as fingerprints or voiceprints
- Full-face photos
- Any other unique identifying numbers, characteristics, or codes
So if a doctor shares a photo from an accident scene that shows the car license of the person he rescued, or if a nurse posts about how great it is to see Mrs. Smith recovering from surgery, both would be violations and could result in substantial HIPAA fines.
Social Media and HIPAA – No Name, but Everyone Still Knows
Now that you know that PHI is forbidden to post, you must also remember that even if you don’t use PHI, a post could still identify a patient. In one memorable case, a hospital employee posted negative comments on social media after treating the suspect in the fatal shooting of a police officer.
Even though she did not use the suspect’s name, the notoriety of the case meant that anyone could determine who the patient was. Because her comments included PHI, the result was a HIPAA fine and professional discipline.
Social Media and HIPAA – The Wrong Response
If a patient posts something about themselves on social media, there is no HIPAA violation. But how you choose to respond could land you in HIPAA hot water.
For example, if a patient posted a family holiday picture and tagged you in the post, a response like “so glad we could get him home for the holidays” will likely earn you a HIPAA violation. You may not realize it, but you just divulged that the patient received treatment and care from you. Does it seem nitpicky and unfair that a polite response could lead to a HIPAA violation? It doesn’t matter. The essential thing in the eyes of the HIPAA law is protecting patient PHI, period.
What about when someone leaves a positive or negative comment about you on social media? In 2019 a Dallas, Texas, dental practice had to pay a $10,000 settlement to the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) for potential HIPAA violations resulting from their response to a review posted on the practice’s Yelp.com page.
In their response, the practice made the mistake of disclosing patient names and other PHI. OCR alleged that the organization had no policy to ensure that its social media postings complied with HIPAA and lacked a HIPAA compliant Notice of Privacy Practices.
Social Media and HIPAA – The Wrong Response
Generally, healthcare providers should not post about their patients on social media. At a minimum, a practice should have a social media policy as part of its HIPAA policies and procedures.
There might be limited circumstances where healthcare providers can post specific information if a valid patient authorization was first obtained. However, this authorization must clearly describe how the PHI will be used and disclosed, and the patient must understand how their PHI will be disclosed.
The bottom line is that if you post on social media or respond to patient posts, think twice and be sure the post is worth the possible problems.
