Last Updated: Oct 10, 2019
By Andrew C. Harvan, Esq., PAMED’s legal and regulatory analyst
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted several years before the advent of today’s social media platforms. Social media can be a useful resource for practice advertising, professional networking, and patient engagement; however, many practices struggle with how to ensure HIPAA compliance in the social media age.
HIPAA and its accompanying rules set forth policies and protections that safeguard the privacy, security, and confidentiality of protected health information (PHI). Although HIPAA does not contain any explicit rules regarding social media usage, HIPAA’s privacy protections still apply to social media posts concerning health information. Given the ease by which information can be shared on social media, social media presents unique challenges to HIPAA compliance.
Improperly disclosing PHI on social media not only compromises the privacy of a patient’s health information but also exposes you and your practice to potential liabilities such as HIPAA violation fines and professional discipline. Therefore, it is best to develop appropriate policies to prevent impermissible disclosures on social media before any violation occurs.
What Is PHI and What Constitutes a Valid Authorization?
HIPAA defines PHI as individually identifiable health information transmitted by or maintained in electronic media or any other medium/form. PHI includes any information that a health care provider collects and utilizes for purposes of identifying patients and determining appropriate care. This includes but is not limited to: patient names and addresses, patient financial and demographic information, test and laboratory results, medical histories and records.
Subject to limited statutory exceptions, a valid patient authorization is required for a disclosure of PHI to anyone other than the patient or the patient’s personal representative. Authorizations must be written, signed, and describe how and why PHI will be used or disclosed. Authorizations must also meet certain other content and format requirements.
When a valid authorization is obtained for the use or disclosure of PHI, such use or disclosure must be consistent with the authorization obtained. HIPAA violations occur when PHI is used or disclosed without proper authorization.
How Can Social Media Posts Violate HIPAA?
Generally, health care providers should never post information about patients on social media. There may be some limited circumstances where certain information can be posted if a valid patient authorization was first obtained. However, this authorization must clearly describe how the PHI will be used and disclosed, and the patient must have an absolute understanding about how their PHI will be disclosed.
The posting of any PHI, without patient authorization, on social media may constitute a HIPAA violation. This includes any text, image, video, or other media identifying the individual as a patient of the practice as well as any media in which patients of a practice or PHI are visible.
Note that patients do not need to be specifically identified by name in order to be potentially identified. Even a posting that does not specifically identify a patient but includes enough detail that could allow the patient to be identified, could be considered an impermissible disclosure.
Practices should also avoid acknowledging a patient’s posting of health information on social media. For example, if a patient posts an unfavorable review of a practice or cites a disagreement with a practice, the practice and its employees should not subsequently confront the patient on social media. Acknowledging the health information that the patient has posted could lead to HIPAA violations as the ensuing conversation typically leaves to further details of the patient’s treatment being discussed and subsequent improper disclosures of PHI.
Unfortunately, there are several recent examples of health care providers violating HIPAA privacy protections because of ill-advised social media interactions:
- A Rhode Island physician was reprimanded after posting information describing the injuries of a trauma patient who the physician had recently treated. The post did not identify the patient specifically but included enough details that the patient could easily be identified.
- A Connecticut physician’s office violated HIPAA protections after responding to a local news outlet. A complaint had been made about the practice to the outlet. In defending itself, the practice disclosed PHI. The practice subsequently paid a significant fine for this violation.
- A hospital employee posted derogatory information on social media after treating the suspect in the fatal shooting of a police officer. A HIPAA fine and professional discipline followed.
- In October 2019, the U.S. Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) reached a $10,000 settlement with a dental practice for potential HIPAA violations after the practice had responded to social media reviews by disclosing patient names and other PHI. OCR alleged that the practice had no policy ensuring that its social media postings complied with HIPAA and also lacked a HIPAA compliant Notice of Privacy Practices. Click here for more information on this case.
Remember that best practice is to avoid posting information about patients on social media, even if such posting does not explicitly identify a patient. Although there may be circumstances where limited information can be shared on social media, a valid patient authorization for such use must first be obtained.
Practices should have established policies and procedures to ensure HIPAA compliance:
- These policies and procedures should include specific guidelines addressing both professional and personal use of social media.
- These guidelines should ensure that PHI is never disclosed on social media unless a valid patient authorization has first been obtained.
- All employees should be trained on and understand these social media guidelines. Employees must understand what information about their work is and is not acceptable to post on social media. Refresher training on these rules should be conducted routinely.
- Periodic updates to these policies may be warranted to account for new technologies and changing circumstances.
Where Can I Find Additional Information?
HHS and OCR have a number of FAQs regarding HIPAA compliance for health care professionals.
The Office of the National Coordinator for Health Information Technology (ONC) also has a number of resources on PHI privacy and security, which can be accessed here.
The Pennsylvania Medical Society (PAMED) has a wealth of information on HIPAA compliance that can be accessed at www.pamedsoc.org/HIPAA. And, find PAMED’s general legal information on medical records at www.pamedsoc.org/medicalrecords.
PAMED’s Quick Consult on “Confidentiality of Medical Records and Other Personal Health Information” details HIPAA’s Privacy Rule and is available to all PAMED members.
PAMED members with questions can also contact our Knowledge Center at 855-PAMED4U (855-726-3348) or KnowledgeCenter@pamedsoc.org.