HIPAA was established before any mainstream social media platforms such as Twitter and Facebook were launched, hence, there are no specific HIPAA social media rules. However, healthcare organizations and their employees are still entitled to follow HIPAA laws and standards when using social media. Therefore, it is in the best interest of healthcare organizations to implement a HIPAA social media policy in their practice to reduce the risk of HIPAA violations.
Healthcare professionals as well as the patients reap many benefits from using social media. Social media channels allow healthcare professionals to easily interact with their patients and get them more involved in the decision making of their own healthcare. Healthcare organizations are now able to convey important information or new services through social media. Social media platforms are also a great medium for advertisement; healthcare providers can now attract new patients through social media pages and websites.
However, healthcare organizations and their employees need to be careful about the information they share on social media. Disclosing certain types of information on social media can lead to potential violations of HIPAA rules and patient privacy. So, how can organizations and their employees comply with HIPAA when using social media? Let’s find out.
HIPAA and Social Media
The only important rule about HIPAA social media is to never share or disclose Protected Health Information (PHI) on social media channels. Disclosing or sharing PHI on social media is prohibited under the HIPAA Privacy Rule, including any texts, images, or videos where the patient could be identified. Sharing PHI on social media is only permissible if a patient gives their consent, in writing, to allow their PHI to be used and specifically for the purpose mentioned in the consent form. Healthcare organizations can use social media for sharing health tips, marketing messages, bios of their employees, new medical research, and details of events, without including any PHI.
Organizations need to ensure they include guidelines for the appropriate use of social media in their policies and procedures. Using software like HIPAAReady, these guidelines can be easily implemented and communicated throughout the organization.
Training on Social Media policies
All the employees and staff members must be trained on HIPAA social media rules. Combining popularity and ease of sharing information on social media means that organizations must convey the correct use of these platforms in their training. If employees do not receive proper training on HIPAA social media rules, it is highly likely that these employees may violate HIPAA standards.
It is recommended to provide HIPAA training before an employee starts working for the organization or as soon as they start working. Annual refresher HIPAA training for employees should be provided to ensure HIPAA social media policies are not forgotten. Software like HIPAAReady can simplify the overall training process. It allows users to easily set up and schedule training sessions for their employees. With HIPAAReady, organizations can keep track of all the progress that is needed to ensure compliance.
In October 2019, Elite Dental Associates paid a fine of $10,000 for disclosing PHI on Yelp, a business review platform. In one of the reviews, Elite responded with a patient’s name, insurance details, treatment costs, and treatment plan details. The Office of Civil Rights (OCR) launched an investigation after the patient complained and discovered similar comments on Yelp.
Texas Children’s Hospital dismissed a nurse who disclosed details of a patient’s condition in a Facebook group. The pediatric patient had contracted a rare disease and a received measles vaccination when he was too young. The nurse posted details of the boy’s condition to an anti-vaccination Facebook support group. The nurse did not include the child’s name, but her Facebook profile listed where she worked. One parent in the group whose child was in the same hospital, worried about the exposure, sent screenshots to the hospital’s Facebook page. The hospital immediately launched an investigation and dismissed the employee.
These examples show that not only the employees get punished, but healthcare providers as well. Some common social media violations include:
- Posting a patient’s images or videos on social media without their written permission
- Posting gossip about a patient on social media
- Posting any information by which an individual can be identified
- Sharing a healthcare’s facility images where the patient or PHI is visible
HIPAA Guidelines for Social Media
Here are a few basic HIPAA social media guidelines to help organizations avoid violations:
- Develop and implement policies covering appropriate use of social media and how HIPAA is related
- Provide training to all staff member on the appropriate use of social media and conduct annual refresher training
- Provide examples of acceptable and unacceptable use of social media and make your employees aware of the possible consequences, such as loss of job or licenses and criminal penalty.
- Review and update the social media policies and procedures when required
- Get social media sites approved by the compliance department
- Include social media accounts in risk assessments
- Create a policy to ensure personal and corporate accounts are separated
- Do not engage in discussion with patients on social media where PHI has been disclosed
- Encourage staff to report potential violations of HIPAA standards
- Use moderation for comments on social media platforms
- Monitor the social media account’s activities and communications and implement appropriate control measures that can flag potential HIPAA violations
Get real-time information and simplify training with HIPAAReady
To comply with HIPAA, organizations need to follow and maintain multiple requirements. That is why we bring you HIPAAReady. HIPAAReady offers a complete HIPAA compliance solution through a cloud-based application. With HIPAAReady, organizations can easily manage and set up training sessions for their employees and simplify overall compliance processes by performing self-audits, risk assessments, and developing and maintaining policies and procedures. Invest in HIPAAReady and easily manage your compliance program from a single centralized platform.