Social media has transformed the nature of business communication and healthcare is no exception. HIPAA on the other hand is a highly controversial topic that moderates the use of social media in the healthcare industry. HIPAA which stands for the Health Insurance Portability and Accountability Act was established several years before the advent of today’s social media platforms. The purpose of this law is to protect the privacy of patients’ sensitive health information. This is why many healthcare professionals struggle with HIPAA compliance in the age of social media.
HIPAA came into existence before the arrival of any social media platforms, hence, the law does not contain any explicit rules regarding the use of social media. Social media platforms can be a very useful resource for advertisement, networking, and patient engagement. However, the provisions of HIPAA concerning health-related information still apply to social media posts. Given the amount of reach and simplicity of sharing information on social media, social media usage presents unique challenges to HIPAA compliance for healthcare professionals.
What can you not share on social media?
The only important rule to remember when engaging on social media is to never share any information that can be used to identify individual patients’ or their health records. Information that can be used to identify an individual is known as protected health information (PHI), under HIPAA. PHI consists of information that healthcare providers use to identify patients and determine their appropriate care. Such as patients’ names, addresses, medical record numbers, biometric identifiers (iris patterns, fingerprints, photos), Social Security Numbers (SSN), appointment schedules, to name a few.
Generally, sharing PHI on social media platforms does not qualify as healthcare operations, treatment, or payment. If a healthcare worker were to share a patient’s PHI without permission, it would be considered as a violation of HIPAA, and likely violation of state law as well. In order to share PHI-related information, physicians or nurses must first obtain a valid authorization from the patient.
That being said, social media channels are an integral part of many business functions and you cannot be too careful in enforcing social media policies. If you aren’t sure about what information constitutes a HIPAA violation, you should rather refrain yourself from posting such information. Here are some precautionary steps you can take when it comes to social media use:
- Monitor company’s social media accounts and moderate sections by implementing controls that can automatically moderate potential violations
- Just in case, never talk about patients in any way on social media platforms
- Refrain yourself from engaging with patients who have disclosed PHI on social media
- Don’t vent your work-related frustrations on social media
What if you don’t have a valid authorization?
Even with valid patient authorization, health care providers can share information on social media only under the circumstances that the patient has a clear understanding of how their PHI will be used or disclosed. However, if a provider wants to share information without the patient’s consent, then the PHI must first be de-identified.
PHI de-identification is the process where any information that can be used to identify an individual is removed from the health record. There should be no reasonable basis to believe that the information shared can be used to identify a patient. Before using or disclosing PHI, the health care provider can remove the following identifiers:
- Geographic information;
- Dates (e.g birth dates, appointment dates, discharge dates, date of deaths);
- E-mail addresses;
- Telephone numbers;
- Fax numbers;
- Medical record numbers;
- Social Security numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate numbers;
- Vehicle identifiers and serial numbers (e.g license plate numbers);
- Device identifier numbers;
- IP address numbers;
- Biometric identifiers (e.g fingerprints and iris patterns);
- Photographic images of full face and any comparable images; and
- Other unique identifiers, numbers, characters, codes.
Some common unauthorized social media
The possibility of HIPAA violations via social media channels reveals how vital it is to include clear policies and procedures regarding the use of social media in HIPAA training. It is highly likely that a violation will occur, whether intentionally or inadvertently if employees are not trained on the appropriate use of social media.
Here are some common examples of unauthorized social media use:
- Messaging/texting about a specific patient
- Gossiping about a patient on social media
- Sharing image or videos of a patient
- Using a patient’s information in your marketing campaign without written consent
- Assuming that the post got deleted or is private when they are still visible to the public
Organizations must be careful when it comes to the internal use of social media. Comment sections can be moderated to ensure that no information is shared that could potentially be used to identify a patient in any way.
Using Social Media
With proper guidelines in place, social media can be used in many ways that can benefit a healthcare organization. Practices should develop and implement clear policies and procedures addressing both personal and professional social media usage to ensure HIPAA compliance. Generally speaking, social media are now used to attract new customers or educate current customers on useful topics or a piece of news. Here are some ways that healthcare organizations can use social media to their advantage:
- Post information that viewers might find helpful, for example, health tips
- Details of upcoming events/seminars
- Share new medical research information
- Biographies of staff members
- Posts about awards or honors that you or organization have received
- Marketing messages without including any PHI
- Promotional offers such as discounts on services you offer
Engagements on social media platforms have skyrocketed since the onset of the COVID-19 pandemic. Most doctors are now interacting with their patients using online tools and channels to reduce unneeded visits and facilitate optimal care. This presents a real challenge in regards to HIPAA compliance. Health care members who are working from home should not only be careful when communicating online but also secure their devices and networks to avoid PHI breaches of any kind. Whether it’s social media or a physical workplace, if you prioritize patients’ privacy then you are already on the right track toward being HIPAA compliant.