HIPAA and Social Media

The issue of HIPAA and social media can be complicated for Covered Entities and Business Associates that do not implement policies that stipulate how social media can be used in compliance with HIPAA or that fail to enforce sanctions for impermissibly disclosing Protected Health Information on social media.

Social media can be a valuable communication channel for Covered Entities and Business Associates. It can be used by healthcare organizations to promote healthy lifestyles, by health plans to alert members to new benefits, and by Business Associates to advertise HIPAA-compliant services to healthcare organizations, health plans, and other Business Associates.

However, Covered Entities and Business Associates have to take care about what information is published on social media channels if the information includes individually identifiable health information protected by the HIPAA Privacy Rule, or if a social media post makes unsubstantiated, inaccurate, or misleading claims about a product or service.

The Issue of HIPAA and Social Media

The HIPAA Privacy Rule was published years before social media platforms such as Twitter and Facebook existed, so there are no references to social media in the text of the Rule. However, there are standards relating to permissible uses and disclosures of Protected Health Information (PHI). These limit how PHI can be used or disclosed without an individual's authorization.

At this stage it is important to understand what PHI consists of, because although it is well known that individually identifiable health information should not be published on social media without an individual's authorization, non-health information maintained in the same designated record set is also protected by the Privacy Rule and is subject to the same permissible uses and disclosures.

Therefore, a Covered Entity – or a member of a Covered Entity's workforce – could inadvertently violate HIPAA if they publish a thread about (for example) a patient's emotional support animal, if information about the emotional support animal is maintained in the same designated record set as the patient's health information, and the patient has not authorized the disclosure.

Individuals' Authorizations for Social Media Disclosures

As well as understanding what PHI consists of, it is important for organizations and their workforces to understand the standard most closely related to individuals' authorizations for social media disclosures (§164.508). This is because, with most authorized uses and disclosures of PHI, individuals have the right to revoke their authorization. Disclosures on social media are different.

Although social media posts can be deleted, if a screenshot is taken of the post before it is deleted, any PHI included in the post is still in the public domain and organizations have no control over how it is further used or disclosed. Therefore, in the context of HIPAA and social media, individuals' authorizations must explain that PHI may be further disclosed, that the organization may not be able to comply with a revocation request, and that it may not be possible to observe an expiration date.

These conditions do not mean it is impossible to use or disclose PHI on social media with an individual's authorization. One of the clauses of §164.508 provides an exception to the right to revoke if “a Covered Entity has taken action in reliance thereon”, meaning that – provided the required explanations are included in the authorization – it is within the permissible uses and disclosures of the Privacy Rule to disclose PHI on social media with a valid authorization.

FTC Rules May Also Apply to Social Media Disclosures

Even when an organization has obtained a valid authorization to disclose PHI on social media, it is important that all social media posts must comply with Section 5 of the Federal Trade Commission Act. This section prohibits unsubstantiated, inaccurate, or misleading claims about products and services and applies to all advertising and marketing. The Act defines a deceptive claim as:

  • a representation, omission, or practice that misleads or is likely to mislead a consumer,
  • where the consumer's interpretation is reasonable under the circumstances, and
  • where the misleading representation, omission, or practice is material in nature.

The best way to interpret this Section of the FTC rules is that any claim made by an organization or on behalf of an organization – regardless of whether PHI is included in the social media post to support the claim – must not “seek to gain an advantage while avoiding competing on the merits” by being unsubstantiated, inaccurate, or misleading.

HIPAA and Social Media Violations

Because of the issues regarding HIPAA and social media, it is not uncommon for Covered Entities, Business Associates, and their workforces to violate HIPAA inadvertently or unthinkingly. In one recent incident, a dental practice that had disclosed PHI on a social media review site without valid authorizations to support the disclosures was fined $10,000 by HHS' Office for Civil Rights.

For workforce members who violate HIPAA via social media, the consequences can be far worse. In 2016, a nursing assistant was fired from her job for impermissibly photographing a patient and posting the photo on Snapchat. The impermissible disclosure was reported to HHS' Office for Civil Rights, which referred the case to the Department of Justice. The nursing assistant was subsequently found to be in violation of §1177 of the Social Security Act and was sentenced to 30 days in jail.

On this occasion, the nursing assistant's employer escaped a penalty for the social media violation of HIPAA; however, if a Covered Entity or Business Associate fails to secure PHI as required by the Security Rule or fails to enforce a sanctions policy for impermissibly disclosing PHI on social media, they too could face enforcement action from HHS' Office for Civil Rights.

Conclusion: Control Social Media Activities 

Covered Entities, Business Associates, and their workforces should take steps to prevent HIPAA social media violations. These include providing training on the organization's social media and sanctions policies, controlling corporate social media activities, and ensuring fully explained and valid authorizations are obtained from individuals prior to disclosing PHI on social media.

Organizations unsure about the best way to address HIPAA and social media issues should seek professional advice from a compliance expert. 

HIPAA and Social Media FAQs

What is “non-health information”?

Non-health information is more commonly referred to as the 18 HIPAA identifiers that need to be removed from a designated record set before any health information left in the set is considered de-identified. These days, there are more than 18 pieces of non-health information that could be used to identify an individual, and for as long as any of them are maintained with health information, they are protected.

What is the connection between the FTC, HIPAA, and Social Media?

The FTC was given the authority in the HITECH Act to take enforcement action against noncompliant organizations that are not Covered Entities or Business Associates (e.g., vendors of electronic health devices). While FTC enforcement action is usually limited to violations of the Breach Notification Rule, the agency has imposed fines on organizations that have misrepresented consumer privacy.

Do all employees have to be trained on social media policies?

In theory, any member of the workforce can violate HIPAA within seconds by taking a photo of a patient and posting it on a social media channel. Alternatively, any member of the workforce could prevent a HIPAA violation by stopping a colleague from posting a patient's photo on social media. For these reasons, all employees should be trained on the organization's social media policies.

If an image of an injury is attached to a Tweet with no identifying information, is this still a violation of HIPAA?

This depends on whether a written authorization has been obtained from the patient to publish the image on social media and the patient understands that the authorization cannot be revoked because the organization has no control over how the image is used or disclosed once it is in the public domain. If these conditions have not been met, the Tweet is a violation of HIPAA.

Do HIPAA and social media rules apply to personal accounts or just corporate accounts?

HIPAA and social media rules apply to all types of accounts. Furthermore, if an impermissible disclosure occurs via a private social media account, questions may be raised by HHS' Office for Civil Rights about how the account holder got unauthorized access to PHI or how the account holder was able to misuse their authorized access to PHI.