HIPAA and Social Media: How to Avoid Breaches

Social Media Use: Employees and the Practice

Let’s face it, most of your practice’s employees are on some form of social media. Even when they are not on the clock, there is a potential that the employee could violate HIPAA on social media.

Your practice is probably using social media to market, too. Social media marketing is great, but it opens the door to widespread breaches of protected health information (PHI).Generally, posting any PHI without patient authorization on social media may be a HIPAA violation.

Common Social Media HIPAA Violations

HIPAA Journal created a list of common social media breaches:

• Posting images and videos of patients without written consent
• Posting gossip about patients (even if a name is not disclosed)
• Posting any information that could allow an individual to be identified
• Sharing photographs or images taken inside a healthcare facility in which patients or PHI are visible
• Sharing photos, videos, or text on social media platforms within a private group

Employees Violating HIPAA on Social Media

A lot of healthcare employees talk about previous cases on social media. They often give details about the case. In the comments, people debate over whether the healthcare employee violated HIPAA. “There was no name, so it’s not a HIPAA breach,” people try to argue.

But HIPAA can be violated without the name of the patient. All employees should be educated on the 18 PHI identifiers. However, even if there’s one detail that could identify a patient, it could be a HIPAA breach.

For example, Pennsylvania Medical Society writes, “Note that patients do not need to be specifically identified by name in order to be potentially identified. Even a posting that does not specifically identify a patient but includes enough detail that could allow the patient to be identified, could be considered an impermissible disclosure.”

What if my practice is listed on the employee’s profile?

If the employee’s place of employment is listed on their profile, the information they gave can be considered a HIPAA breach. For example, check out this story:

“Clinical Advisor shared an RN’s story violating HIPAA laws. The nurse was fired after posting about a toddler with measles in a private Facebook group. While the patient’s name wasn’t shared in the post, the nurse’s place of employment was listed on her profile. The patient was identified and the nurse was fired for a HIPAA violation.”

What precautions should my employees take on social media?

• Avoid connecting with patients on social media
• Don’t interact with any posts the patient makes about the medical conditions they have
• Avoid posting about patients on social media at all (even if a post doesn’t explicitly identify a patient, it could still be a HIPAA breach)
• Avoid taking and posting photos in the practice (a patient chart could go unnoticed in the background)

A violation could be devastating to a health professional’s career. But even after the employee is done working, it would be safe for employees to avoid disclosing PHI on social media. Even if the employee doesn’t have to worry about being fired or losing their career, they can be put in jail for violating HIPAA.

What about my marketing team and HIPAA?

If you want to use photos of patients, as well as a brief description, you’ll need to have the patient sign a Social Media Use and Disclosure Consent form. This is a required HIPAA document if you wish to use photos and descriptions of your patients for promotional material.

Here are the topics to include in your Social Media Use and Disclosure Consent:

• What your practice will not disclose on social media
• What the patient’s signature means on this form
• The patient’s ability to revoke consent at any time, and how to do so
• That the patient’s willingness to participate will have no impact on the care they receive

When can I use social media freely in healthcare?

• Posting health tips and suggestions
• Providing event details
• Sharing medical research
• Marketing efforts that only include a patient if they have signed a Social Media Use and Disclosure Consent form

How can my practice avoid HIPAA social media breaches?

Training

Practices need to provide adequate HIPAA training for employees to understand the risks of social media. HIPAA training is required, but you can create extra training modules specifically about social media and HIPAA. You may also wish to give your social media marketing team specialized training that relates closely to their job function.

It’s best to provide refresher training to employees, and have monthly security meetings. These meetings can take place in the form of training modules on a learning management system (LMS).

Within your training, provide examples on what is acceptable social media usage and what is not. Be sure your employees know the possible penalties for social media HIPAA violations: termination, loss of license, and criminal penalties.

Policies and Procedures

You should also update your practice’s HIPAA policies and procedures to include social media guidelines. Here’s a general rule of thumb to explain to your employees: If you wouldn’t say it in public or in the practice, don’t post it on social media.

Have policies and procedures in place for using social media as a marketing tool. Make sure your marketing team seeks the approval of your compliance department before posting. Consider standardizing the process of using social media as a marketing tool. You can monitor your social media posts, and implement controls to warn you of possible HIPAA violations. Keep a record of social media posts, including the edits.

Social Media Guidelines:

• Do not enter discussions with patients who have disclosed PHI on social media
• Encourage your employees to report any potential HIPAA violations
• Moderate all social media comments
• Ensure appropriate access controls are in place
• Include social media accounts in your HIPAA risk assessments
• Develop a policy requiring personal to be separate from corporate accounts

Review and update your policies on social media annually. New changes in technology and social media means your compliance department should be constantly considering ways to improve your practice’s social media policy.

Need help with HIPAA?

HIPAA training, Policies and Procedures, and documentation—it’s all a lot! Smart Training is here to make HIPAA compliance easier for you. Smart Training’s Dental Platinum+, Dental Essentials, and Complete Medical Compliance packages provide you with all the HIPAA help you need.

If you have none of the packages above, request a demonstration with a Compliance Adviser.