Social media HIPAA violations are becoming a more and more common occurrence, especially in today’s increasingly digital health care landscape. With news stories of social media HIPAA violations making headlines day after day, the risk to your patients’ privacy and your practice’s reputation can’t be ignored.
Let’s look at a hypothetical situation that helps illustrate some HIPAA social media basics, and assess when a provider can disclose PHI.
Imagine Dr. Smith is a Doctor of Optometry. He has many patients who are pleased with his work. One such patient is so pleased, she details her treatment and results in a post on a popular social media platform. When Dr. Smith sees his patient’s post, he decides he wants to use the patient’s account on his own website and social media platforms to help promote himself and his practice. Dr. Smith assumes he does not need her permission to use it because the patient has posted it publicly.
When the patient sees what Dr. Smith has done, she sues him for $500,000, claiming a HIPAA violation.
Dr. Smith contacts this attorney to ask how he could be violating HIPAA when the patient herself has already posted the information on social media.
This situation is exactly why social media HIPAA violations can be so detrimental. It begs the question, when can a physician disclose protected health care information (PHI)?
Protected health information (PHI) is any demographic information that can be used to identfiy a patient. Common examples of PHI include a patient’s name, address, phone number, email, Social Security number, any part of a patient’s medical record, or full facial photo to name a few.
HIPAA Authorizations and Disclosures
There are two clear-cut scenarios in which a covered entity, like a physician or health care facility, can disclose PHI:
- If the patient has provided formal written authorization.
- If there is a statutory exception to requiring formal written authorization.
HIPAA authorizations for disclosures of patients’ PHI must follow specific requirements outlined in the HIPAA standards. Such requirements include descriptions of who is authorized to disclose and receive the PHI, specific and meaningful descriptions of the PHI disclosed, the purpose of the disclosure, an expiration date, information detailing the individual’s right to revoke the authorization, information about the condition treatment, payment, enrollment or eligibility for benefits on the authorization as well as the authorizing individual’s signature.
Additionally, there are certain situations when a physician does not need a patient’s written authorization for every disclosure, but these are only when there is a statutory basis for the exception.
Exceptions are clearly stated in the HIPAA statute. For example, Treatment and Payment Operations are some of the broadest exceptions. In those cases, an optometrist would not need a patient’s authorization to disclose PHI each time to get paid or to send information to another treating doctor.
Disclosures of PHI on Social Media
Considering this, if a patient has described her treatment and experience with Dr. Smith on her Facebook page, can he comment? Can he correct any information she might have misrepresented in her post?
Without the patient’s written authorization, the answer is NO.
Physicians cannot even acknowledge that a patient is, indeed, their patient. While it may seem counterintuitive that a patient can detail every account they’ve ever had with Dr. Smith and Dr. Smith cannot acknowledge this, HIPAA regulations are clear. Dr. Smith cannot make acknowledgements even if the patient’s information is incorrect. Patients have the right to disclose their own PHI or experiences with a provider, however the same rights do not extend to providers without proper authorization for disclosure.
A recent Connecticut HIPAA fine demonstrates this even more clearly.
A patient contacted a local TV station to say a medical practice turned her away because of her service animal. When the reporter called the practice for its side of the story, a physician disclosed the patient’s PHI while defending the practice.
An Office of Civil Rights (OCR) investigation discovered that the physician’s discussion with the reporter constituted a reckless disregard for the patient’s privacy. The investigation also revealed that the doctor disclosed this information after the practice’s privacy officer instructed the doctor to not respond to the media or to respond with no comment.
Further investigation found that the practice did not take any disciplinary action against the doctor and did not take any corrective action after the media disclosure.
The practice was forced to pay $125,000 after being found liable for the HIPAA violation.