HIPAA Compliance in the Age of Social Media

Protecting patient privacy is the goal of HIPAA regulations for healthcare practices. While HIPAA regulations were established before the era of social media, the Privacy Rule safeguards against the unauthorized disclosure of patient health information (PHI) on these platforms.

What is ePHI under HIPAA?

Electronic PHI is any health information that is created, stored, transmitted, or received in electronic format or media relating a patient´s past, present, or future:

• Physical or mental health condition
• Health care services provided
• Payment of health care

Individually identifiable health information also includes the 18 common identifiers listed under the Privacy Rule. Full list of the identifiers available here.

Almost anything identifiable to a patient in your records is protected by HIPAA. Importantly for social media, this includes photos in which a patient’s name, face, or other recognizable details are visible.

HIPAA and Social Media

The HIPAA Privacy Rule prohibits the disclosure of PHI on social media without express content from patients. This includes information about patients that could lead to them being identified in:

• Text
• Photos
• Videos

“Express consent” is written consent from the patient and PHI can only be used for the purpose specifically mentioned in the consent form.

Patient Consent Form

What needs to be included in a patient consent form to use PHI on social media:

• Specific description of the information to be used or disclosed
• Description of each purpose for the use or disclosure
• The individual´s right to revoke the authorization
• An expiration date or event for the authorization

Common Violations via Social Media

• Posting images and videos of patients without written consent
• Posting gossip about patients, even if name is not disclosed
• Posting of any information that could allow an individual to be identified
• Sharing of photographs or images taken inside a healthcare facility in which patients or PHI are visible
• Sharing of photos, videos, or text on social media platforms within a private group

Examples of Violations on Social Media

There have been cases in recent years of HIPAA violations relating to social media and revealing PHI.

In 2010, a nurse posted on social media after treating the suspect in the fatal shooting of a police officer. While she left out names, she did post enough details so that other social media users could quickly connect her post with news coverage. A HIPAA fine and professional discipline followed.

Another example is of a Rhode Island physician who was reprimanded after posting information describing the injuries of a trauma patient who the physician had recently treated. The post did not identify the patient specifically but included enough details that the patient could easily be identified.

Social Media Policies

Practices should have established policies and procedures to ensure HIPAA compliance. Policies should include:

• An outline of how HIPAA affects social media
• PHI is never disclosed on social media unless prior patient consent is obtained
• Include guidelines addressing the professional and personal use of social media

• HIPAA rules apply to the personal accounts of healthcare employees.

• Requirements for posts coming from practice’s social accounts and any approval process

• e., content should be approved by Privacy/Security Officer or Office Manager before posting

Example of Social Media Policy Wording

Here some examples of wording that could be used in a social media policy to explain the purpose or rules relating to the practice specifically.

“This policy provides guidance on the proper and acceptable use of social media through both external platforms (External Social Media), including YouTube, LinkedIn, Facebook, Twitter, Instagram, Pinterest, Snapchat, TikTok, or any other existing or future social media platform, as well as internal social media tools like Slack, Microsoft Teams, Yammer, and other future social media tools used by the company internally (Enterprise Social Media).”

“Remember that you are responsible for your actions. Realize that what you post may be shared by others or even go viral, spreading rapidly and widely. You are personally responsible for the content you publish on social media. This means you should use common sense and use at least the same caution with social media as you do with all other forms of communication.”

“You are not authorized to use any online name or other identification that incorporates the Company’s name or any of its brand names (or any variants thereof).”

Guidelines for Practices

Some guidelines for practices to mitigate the exposure of PHI through social media channels:

• Limit who has access to practice’s social media accounts
• All employees should be trained on and understand the policies relating to social media whether they have access to PHI or not. Employees without access to PHI can still inadvertently disclose information on social media.
• Build a system of HIPAA violation social media sanctions into the guidelines. This ensures employees understand the repercussions of breaking the rules.

• Provide ongoing training/reminders to reiterate the importance of protecting patient information.
• Periodic updates to these policies may be warranted to account for new technologies and changing circumstances.

As the landscape of healthcare communication evolves with social media, it is imperative for healthcare practices to adapt their policies to maintain HIPAA compliance. To avoid common violations and potential consequences, healthcare organizations should implement clear social media policies and ensure that employees are well-versed in the rules governing the professional and personal use of social media. With a proactive approach, practices can effectively protect patient privacy in the age of social media while continuing to provide quality healthcare services.