HIPAA was introduced before social media platforms like Facebook were launched, so there are no HIPAA rules that refer specifically to social media.
However, HIPAA laws and standards do apply to social media use by healthcare outfits and their staff. Healthcare outfits must therefore create a HIPAA social media policy to reduce the risk of privacy breaches.
Social media channels allow healthcare outfits to communicate with patients and get them more involved in their own healthcare management. Healthcare outfits can quickly and easily interact via messaging or provide information about new services. Healthcare providers can attract new subscribers using social media websites. However, there is serious potential for HIPAA Rules and patient privacy to be violated via social media platforms.
HIPAA and Social Media
The main rule of using social media in healthcare is to never spread protected health information through social media platforms.
The HIPAA Privacy Rule prohibits the use of PHI on social media networks. This includes all text regarding specific patients as well as images or videos that could result in a patient being identified. PHI can only be included in published social media posts if a patient has given their express consent, in writing, to allow their PHI to be used, and then only for the purpose specifically referred to in the consent form.
Social media platforms can be used for posting health tips, details of events, new medical research, biographies of employees, and for marketing reasons, provided no PHI is included in the posts.
Staff Must be Guided on HIPAA Social Media Rules
In 2017, 71% of all Internet users used social media websites. The popularity of social media networks combined with the simplicity of sharing information means HIPAA training should include the use of social media. If staff are not specifically trained on HIPAA social media rules, it is highly probable that breaches will happen.
Training on HIPAA should be given to all employees before they begin work for the company. Failing that, it should happen as soon as possible after appointment. Refresher training should also be conducted at least once annually to ensure HIPAA social media rules are not disregarded.
Typical Social Media HIPAA Violations
- Sharing of images and videos of patients without written permission
- Sharing gossip about patients
- Sharing any information that could allow a person to be identified
- Posting photographs or images taken inside a healthcare facility in which patients or PHI can be seen
- Posting of photos, videos, or text on social media websites within a private group
Guidelines for HIPAA Social Media
Listed here are some standard HIPAA social media guidelines to follow in your outfit, together with links to further information to help ensure you comply with HIPAA Rules.
- Create clear policies covering social media use and ensure all employees are knowledgeable of how HIPAA relates to social media platforms
- Guide all staff on acceptable social media use as part of HIPAA training and conduct refresher training sessions yearly
- Supply examples to staff on what is acceptable – and what is not – to improve comprehension
- Make staff aware of the possible penalties for social media HIPAA violations – termination, loss of license, and criminal penalties
- Ensure all new uses of social media sites are given authorization by your compliance department
- Review and refresh your policies on social media annually
- Create policies and procedures on use of social media for marketing, including standardizing how marketing takes place on social media accounts
- Create a policy that requires personal and corporate accounts to be totally unlinked
- Formulate a policy that requires all social media posts to be approved by your legal or compliance department prior to sharing
- Review your outfit’s social media accounts and communications and implement controls that can flag possible HIPAA violations
- Manage a record of social media posts using your outfit’s official accounts that preserves posts, edits, and the style of social media messages
- Do not participate in discussions with patients who have disclosed PHI on social media accounts
- Tell your staff to report any potential HIPAA violations
- Ensure social media accounts are included in your organization’s risk assessments
- Ensure proper access controls are configured to stop unauthorized use of corporate social media accounts
- Moderate all comments
The Department of Health and Human Services’ Office for Civil Rights has released guidance on HIPAA social media regulations, listing the specific parts of HIPAA that apply to social media networks. This can be viewed on the HHS website.