What is Social Media Compliance Training?

The earliest known use of the phrase “social media” as that term is now understood, was in 1997. That year, AOL executive Ted Leonsis, spoke of the need to offer Internet users “social media, places where they can be entertained, communicate, and participate in a social environment.” HIPAA was passed in 1996, a year before the phrase “social media” was invented. The HIPAA rules do not regulate use of “social media” – not by name. Compliance with HIPAA in the social media context is regulated by the HIPAA Privacy Rule. Portions of this rule prohibit use, disclosure, or sharing of PHI under any circumstances, through any medium. HIPAA social media compliance requires that workforce members be trained on these rules, and that the training be embodied in written policies and procedures. The subject of social media compliance training is discussed below.

What is Social Media Compliance Training? Privacy Rule Restrictions

Under the HIPAA Privacy Rule, covered entities and business associates may not use or disclose protected health information (PHI), except as that rule specifically permits or requires. Use (“use” means use for payment, treatment, or healthcare operations) may not be made by a person without written patient authorization. Disclosure cannot be made from or to a person without authorization.

Consider an example of social media PHI sharing that breaks the rules: a worker at a nursing home takes a selfie with a patient, then posts the picture on Facebook and says “Patient Smith and I discussed U.S. History today. We had a great time!”

What is wrong with this situation?

The person taking the picture does not have authorization to use or disclose either the picture or the person’s name. Both the photograph and the patient’s name are types of PHI. Therefore, the person who took the picture impermissibly disclosed the patient’s PHI. 

Social media compliance training must emphasize this principle above all others: without patient authorization in writing, PHI may not be used, transmitted, stored, received, or posted to social media. 

Social media compliance training should emphasize the fact that there are instances in which PHI can be used or disclosed without written patient authorization. Such PHI can be disclosed for payment, treatment, or healthcare operations (PTO). However, posting patient information on social media does not constitute any of these activities. One might be tempted to argue that if the worker takes a selfie with the patient as the worker is administering a flu shot, that the disclosure is of “treatment,” and that there is no HIPAA violation. This argument reveals a misunderstanding of the “PTO Rule.” To disclose PHI for treatment purposes means to disclose PHI to enable, further, coordinate, modify, or discontinue treatment. Taking a picture of someone after the fact of treatment does none of these things. It takes a picture. The same concept applies to “payment.” Taking a selfie of a patient as the patient pays cash after her appointment, is not disclosing PHI for the purpose of payment. Payment has already been made.

Social media compliance training should emphasize the fact that the Privacy Rule permits use or disclosure of PHI, without written authorization, for a number of other purposes. These include circumstances in which the PHI is:

• Required by law to be disclosed.
• Needed for conducting public health activities.
• About or related to a victim of abuse, neglect, or domestic violence.
• For health oversight activities.
• For research purposes.
• Made to avert a serious threat to health or safety.

The Privacy Rule allows use or disclosure of PHI for these purposes because of the government’s interest in promoting research, overseeing the healthcare system, and identifying and apprehending criminals. Where does this leave the selfie-taker? In no better position than he or she was previously. Posting patient pictures on social media, with or without the patient’s name, is not associated with or for any of these above purposes. 

A person can use social media in any number of ways. Social media can be used to send texts, tweets, for marketing purposes, to respond to patient feedback, and to discuss a patient. Regardless of how social media is used, it cannot be used to disclose information about a patient that can directly or indirectly (i.e., together, with other information) identify a patient.

To ensure employees know not to use social media to transmit or store PHI, social media compliance training should be offered as part of a new employee’s training. As new social media platforms become available, providers should offer refresher social media compliance training, reminding employees that PHI cannot be accessed for disclosure on social media.