A Guide to HIPAA Violations Associated With Social Media

While HIPAA isn't that old of a law, it does predate the rise of social media. Still, social media isn't immune to the effects of HIPAA. HIPAA violations associated with social media are just as important as other violations, and you should take them seriously. That way, you can provide professional, good care. Read on to learn more about HIPAA and social media.

Don't Disclose PHI

The biggest thing you and your employees need to remember is that you should never use or disclose protected health information (PHI) on social media. Disclosing PHI is one of the biggest HIPAA violations associated with social media and in general. It doesn't matter if you use Facebook or Instagram or if you have a private or public account. Social media is a place to be social, not to talk about patients. You should never talk about patient names, addresses, or medical records. While you can talk about what you do at work, you should keep patient information vague. Instead of talking about a specific case, talk about your work more generally, such as your specialty.

Social Media HIPAA Violations

When considering HIPAA and social media, you should consider some common ways you can violate HIPAA. These violations could happen accidentally or on purpose. Either way, you and your employees should avoid these violations. While there are other HIPAA violations on social media, you should know how to spot and avoid the most popular ones.

Sharing Patient Gossip

If you have a unique patient case, it can be tempting to share it with others online. You can ask if others have had a similar situation, or you can share your experience. But sharing patient gossip can be an easy way to violate HIPAA on social media. Even if a post's purpose isn't to gossip, sharing too much is a problem. It's one thing to share a health tip based on a condition. However, sharing details about the patient's history or treatment isn't okay.

Photos or Videos With Patients or PHI

One thin line you also have to walk when posting on social media is with photos and videos. You can share a picture or video of you at your desk or otherwise working. However, you can't post a photo or video if it includes a patient. If someone can identify the patient, you should delete the content or edit the patient out. You also need to avoid posting photos or videos where PHI is visible. A picture at your desk may be okay if you have your desktop open. But if you're looking at a patient file, you should adjust your camera angle.

Photos or Videos Without Written Consent

Now, there is one exception regarding posting photos and videos of patients. If you have written consent from a patient, you can share a photo or video with that person in it. Photos and videos can be a good way to share social proof for your medical practice. You can ask for patients to record video testimonials of their experience with you. Or you can share before and after photos of something like weight loss or improving acne. Testimonials and patient stories can be a great marketing tool. However, you have to get consent if such tools require disclosing individuals.

Including Identifiable Information

It's especially important that you don't post photos or videos that can identify patients. Avoid posting anything with patients in view, even if they're facing away from the camera. You should also avoid posting about patients and sharing identifiable information in a text post or video. For example, sharing your favorite healthy eating tip can be a great way to interact with others online. However, you can't share how that tip has helped your 45-year-old female patient lose 20 pounds. Make sure you keep any tips or health information as vague as you can. If you aren't sure if something is okay, don't post it.

Posting to a Private Group

Another one of the most common HIPAA violations associated with social media is sharing photos, videos, or text within a private group on social media. Just like posting to a more public platform, sharing information here is risky. If you wouldn't post it on a public feed, you shouldn't share it in a group. Perhaps you have a private group with your coworkers. Move the conversation to a secure messaging system so that you can make sure the messages are encrypted. You can't control the privacy or security breaches that social networks experience. By using a different system, you can make sure your messages are secure.

How to Avoid HIPAA Violations on Social Media

When ensuring HIPAA compliance on social media, you can take a few steps to protect your organization and employees. You should follow HIPAA guidelines when posting to any company accounts as well as your personal social media. Whether you have a new health care organization or need to update your policies, you can do so. That way, you can avoid HIPAA violations on social media now and in the future. Consider what you can do to ensure everyone in your organization understands social media and how HIPAA compliance applies to it.

Set Social Media Policies

The first thing you should do is to create social media use policies. You should allow people to use social media, but you can set guidelines for what they can post. Your policy should cover using social media during work and after hours. That way, you can make sure employees don't engage in patient gossip or share photos with visible PHI. Make your social media policies as clear as you can. Consider your organization's code of ethics as well as HIPAA. Your policy should also outline discipline when someone doesn't follow it so that you can take the right steps to prevent a recurrence.

Give Examples

When setting your policies, you should give examples of what is okay to post. You can answer questions that your employees have and share in more detail what is off-limits. Take photos and videos in your office, some of which have PHI and others that don't. Then, your employees can review and compare the footage. That way, they will know what they can photograph or not. If employees still have questions, you can have them take a HIPAA course. That way, they can understand what HIPAA protects, and they can know what information to avoid posting online.

Set Violation Penalties

To reinforce the importance of HIPAA, you need to have a strong discipline policy. That way, you can take the right steps when someone happens to violate HIPAA on their social media. While the federal and state governments have penalties for violating HIPAA, setting your own policies lets you take immediate action. As soon as you learn of a HIPAA-violating post, you can talk to the employee who posted it. You can set your policies to be as strict as you want. So you may decide that one offense is enough to fire someone. Or you may give one warning before terminating someone's employment. Of course, you should also follow governmental penalties. Make sure whoever violates HIPAA pays any fines necessary. When someone does violate HIPAA, don't be afraid to remind everyone of your organization's policies.

Ask for Reports

If you have a lot of employees, you probably can't monitor all of their personal accounts. Instead, you can ask for help from employees and have them report any violations they see. Consider using an anonymous report form. That way, you can encourage employees to speak up when they see something bad. No one will feel pressured to stay quiet if their best work friend is the one guilty. And you can catch and resolve HIPAA violations more quickly.

Separate Personal and Professional Accounts

Creating a social media presence for your organization can be a great marketing and engagement tool. You can share health tips and promote your medical practice. But you should keep your professional accounts separate from your personal profiles. Avoid using one Instagram account for both your personal life and your medical practice. Then, don't post medical stuff on your personal account. Instead, you can post health tips and other information on your company account. As always, follow HIPAA guidelines and avoid identifying patients and PHI.

Create a Social Media Marketing Policy

You should also create a social media marketing policy to follow when posting to your company accounts. A policy is especially helpful if you will have other people help you run the account. Your policies can be similar to those you provide individual employees. But you can also include details about what you want to post to market your organization. If you will be hiring a social media marketer, you can require that your legal or compliance department approves the post before publishing. That way, you can make sure you maintain a good, professional image for the account and your office.

Monitor Company Accounts

While you should be able to approve what your team posts to your social media, you should also monitor the accounts. That way, you can take down anything questionable or that didn't get a review. You can also remove comments from users who are sharing PHI or are otherwise violating HIPAA. Be sure to monitor your account regularly. When you first start, you may only need to monitor the account once or twice a week. As you have more posts and get more followers, you may want to check things once a day so that you can delete stuff more quickly.

Record Content

You should also keep a record of everything that you post on your company accounts. That way, you can preserve earlier versions if you decide to edit a post later. Keeping a record can also include who posts what on your page. If you notice that one admin tends to post the same content that violates HIPAA, you can talk to that person. Follow your discipline policy, which may mean anything from giving a warning to firing the employee in question. Make a record of any disciplinary action you take as well so that you can do the same when similar situations happen later.

Don't Communicate With Patients

As your patients find you or your office page, they may want to use it to communicate with you about their concerns. While they can message you about things like office hours, you shouldn't use social media to discuss their medical records. Instead, direct them to your company email address. If you use an online patient portal, you can use that to communicate with patients. That way, you have a secure tool that will protect patient data. And you can avoid potential HIPAA violations associated with social media.

Don't Offer Individual Advice

If you post about your favorite health tips, you may get questions in the comments with more details. You can answer general questions, like about the symptoms of dehydration. However, you should never answer individual questions, such as if someone is experiencing dehydration. For one, you should only answer those individual questions for your patients, not anyone who finds your page. But answering questions for patients in the public puts their PHI at risk. If you need to use someone's medical records to answer their question, you should have them book an appointment.

Review Your Policies

Another thing you should do to avoid HIPAA violations on social media is to review your social media policies. You can review your policies each year to make sure you stay in compliance with HIPAA and social media networks. If a new social platform gains popularity, you should also review your policies when that happens. That way, you can edit or add a social media policy for that network, and people can use Facebook, Instagram, and TikTok individually without compromising patient records.

HIPAA Violations Associated With Social Media

Violating HIPAA is something every health care professional should consider each day. With social media growing in popularity, so have HIPAA violations associated with social media. That means you and your employees need to take extra precautions to protect patient information. Having the right policies can help you avoid violations and take action when they do occur. Do you need your employees to brush up on HIPAA? Enroll your team in our HIPAA courses today.
