HIPAA and Social Media

The issue of HIPAA and social media can be complicated for Covered Entities and Business Associates that do not implement policies that stipulate how social media can be used in compliance with HIPAA or that fail to enforce sanctions for impermissibly disclosing Protected Health Information on social media.

Social media can be a valuable communication channel for Covered Entities and Business Associates. It can be used by healthcare organizations to promote healthy lifestyles, by health plans to alert members to new benefits, and by Business Associates to advertise HIPAA-compliant services to healthcare organizations, health plans, and other Business Associates.

However, Covered Entities and Business Associates have to take care about what information is published on social media channels if the information includes individually identifiable health information protected by the HIPAA Privacy Rule, or if a social media post makes unsubstantiated, inaccurate, or misleading claims about a product or service.

The Issue of HIPAA and Social Media

The HIPAA Privacy Rule was published years before social media platforms such as Twitter and Facebook existed, so there are no references to social media in the text of the Rule. However, there are standards relating to permissible uses and disclosures of Protected Health Information (PHI). These limit how PHI can be used or disclosed without an individual´s authorization.

At this stage it is important to understand what PHI consists of, because although it is well known that individually identifiable health information should not be published on social media without an individual´s authorization, non-health information maintained in the same designated record set is also protected by the Privacy Rule and is subject to the same permissible uses and disclosures.

Therefore, a Covered Entity – or a member of a Covered Entity´s workforce – could inadvertently violate HIPAA if they publish a thread about (for example) a patient´s emotional support animal, if information about the emotional support animal is maintained in the same designated record set as the patient´s health information, and the patient has not authorized the disclosure.   

Individuals´ Authorizations for Social Media Disclosures

As well as understanding what PHI consists of, it is important for organizations and their workforces to understand the standard most closely related to individuals´ authorizations for social media disclosures (§164.508). This is because, with most authorized uses and disclosures of PHI, individuals have the right to revoke their authorization. Disclosures on social media are different.

Although social media posts can be deleted, if a screenshot is taken of the post before it is deleted, any PHI included in the post is still in the public domain and organizations have no control over how it is further used or disclosed. Therefore, in the context of HIPAA and social media, individuals´ authorizations must explain that PHI may be further disclosed, that the organization may not be able to comply with a revocation request, and that it may not be possible to observe an expiration date.

These conditions do not mean it is impossible to use or disclose PHI on social media with an individual´s authorization. One of the clauses of §164.508 provides an exception to the right to revoke if “a Covered Entity has taken action in reliance thereon”, meaning that – provided the required explanations are included in the authorization – it is within the permissible uses and disclosures of the Privacy Rule to disclose PHI on social media with a valid authorization. 

FTC Rules May Also Apply to Social Media Disclosures

Even when an organization has obtained a valid authorization to disclose PHI on social media, it is important that all social media posts must comply with Section 5 of the Federal Trade Commission Act. This section prohibits unsubstantiated, inaccurate, or misleading claims about products and services and applies to all advertising and marketing. The Act defines a deceptive claim as:

• a representation, omission, or practice that misleads or is likely to mislead a consumer, 
• that the consumer´s interpretation is reasonable under the circumstances, and 
• that misleading representation, omission, or practice is material in nature.

The best way to interpret this Section of the FTC rules is that any claim made by an organization or on behalf of an organization – regardless of whether PHI is included in the social media post to support the claim –   must not “seek to gain an advantage while avoiding competing on the merits” by being unsubstantiated, inaccurate, or misleading.

HIPAA and Social Media Violations

Because of the issues regarding HIPAA and social media, it is not uncommon for Covered Entities, Business Associates, and their workforces to violate HIPAA inadvertently or unthinkingly. In one recent incident, a dental practice that had disclosed PHI on a social media review site without valid authorizations to support the disclosures was fined $10,000 by HHS´ Office for Civil Rights.

For workforce members that violate HIPAA via social media, the consequences can be far worse. In 2016, a nursing assistant was fired from her job for impermissibly photographing a patient and posting the photo on Snapchat. The impermissible disclosure was notified to HHS´ Office for Civil Rights who referred the case to the Department of Justice. The nursing assistant was subsequently found to be in violation of §1177 of the Social Security Act and was sentenced to 30 days in jail. 

One this occasion, the nursing assistant´s employer escaped a penalty for the social media violation of HIPAA; however, if a Covered Entity or Business Associate fails to secure PHI as required by the Security Rule or fails to enforce a sanctions policy for impermissibly disclosing PHI on social media, they too could face enforcement action from HHS´ Office for Civil Rights.

Conclusion: Control Social Media Activities 

Covered Entities, Business Associates, and their workforces should take steps to prevent HIPAA social media violations. These include providing training on the organization´s social media and sanctions policies, controlling corporate social media activities, and ensuring full-explained and valid authorizations are obtained from individuals prior to disclosing PHI on social media. 

Organizations unsure about the best way to address HIPAA and social media issues should seek professional advice from a compliance expert. 

HIPAA and Social Media FAQs