The rise of social media has predictably impacted HIPAA rules and regulations to a degree. Technically, because HIPAA was enacted prior to the existence of social media platforms, there are no HIPAA rules that specifically apply to them. However, current HIPAA standards do indicate how relevant entities should behave on social media.
It’s important that all healthcare organizations take the time to develop their own social media policies to ensure their workers don’t violate the pertinent regulations and end up needing the help of a personal injury lawyer. Ensuring patient privacy and other aspects of HIPAA are observed is key to maintaining your professional reputation.
What You Need to Know
The first step in developing a social media policy is to review what qualifies as Protected Health Information (PHI) with all employees at your organization. Sharing PHI on social media constitutes a HIPAA violation.
You also need to remind employees that their own personal social media use still requires HIPAA compliance. Even if they aren’t sharing information via your organization’s account, they can still violate patient rights. For instance, a Texas nurse was recently fired after she made comments about a patient’s case of measles on Facebook. Another nurse was even sentenced to jail time for posting a revealing image of a patient.
Text, videos, images, and anything else that can be used to identify a patient can’t be shared or posted. You may need to offer your employees comprehensive social media training to confirm they understand this. With 71% of Internet users visiting social media sites regularly, this is a substantial issue. After all, employees aren’t the only ones who may face disciplinary action for such violations. Healthcare providers in general can face consequences for their errors.
Specifically, it’s crucial that your organization and its workers avoid the following common HIPAA violations on social media:
- Sharing images of patients without getting written consent first
- Sharing gossip related to patients
- Posting anything that could allow others to identify a patient
- Posting images of healthcare facilities that display patients and/or PHI
Keep in mind that sharing any of the above-described content on social media is also prohibited within private groups. Even if the content isn’t accessible to the general public, posting it is still a violation of HIPAA rules.
How to Avoid a HIPAA Violation on Social Media
The following points summarize basic social media guidelines your organization and workforce need to consider. Review and implement them during training sessions, and when putting together a social media policy:
- Provide examples of social media violations to clarify major points
- Review new proposed uses of social media platforms with compliance departments before adopting them
- Explain the potential penalties of violations
- Ensure marketing departments also understand the impact of HIPAA regulations on social media marketing campaigns
- Conduct annual reviews of (and, if necessary, make updates to) your social media policies
- Ensure personal and corporate accounts are kept separate
- Confirm access controls are in place
- Assign someone (or multiple employees) the responsibility of moderating social media comments
- Encourage staff to report potential violations
- Monitor your organization’s social media use, and maintain a record of all posts, comments, etc.
- If patients share PHI on social media, do not engage with them or discuss these issues on social media
- Ensure all internal social media posts are approved
HIPAA also offers a compliance checklist. Use it to confirm you’re not violating patient rights on social media. Being vigilant is key to staying compliant.
This is a guest post by Catherine Metcalf.