HIPAA and Social Media – The Need for Policies and Training

Posted by Ken Reiher

Healthcare organizations and their third-party vendors have an obligation to the federal government and their patients to abide by the HIPAA regulations. Unfortunately, the very foundation of social media opposes everything in relation to the privacy, security, and confidentiality of information. Social media allows anyone to see your organization's information, at any time, in any part of the world.

So how can healthcare organizations protect against unauthorized disclosure of PHI?

The first line of defense is clear, specific, written policies and procedures. Here are some points that should be covered:

  • Staff must never post ANY Protected Health Information (PHI) to personal or business social media sites (e.g. Facebook, Twitter, LinkedIn, Blogs, YouTube, Google+, etc.) unless there is a signed, written authorization from the patient.
  • Statements like “the opinions posted here are mine and mine alone and do not reflect the opinions of the company or management” are fine but DO NOT extend to disclosure of PHI without consent.
  • Who is (and therefore who is not) permitted to set up company-branded social media sites and what content is acceptable on those sites (e.g. images, pictures and videos)
  • Clear examples of PHI. PHI is uniquely identifiable information that can be used by anyone (even close friends) to identify a patient.
    • Note: The U.S. Department of Health and Human Services notes that information about an individual’s five-digit zip code, birthdate and gender can possibly be enough to uniquely identify an individual’s PHI.
  • Just because a patient posts something to you or on your site does not give you permission to re-post it without authorized consent.
  • If a patient tweets you a thank you for something you did for them, it is OK to simply acknowledge the thanks with a “thank you for your comments/feedback”, but do not add any further context that could confirm they were a patient and/or give a hint as to their condition or reason for your service.
  • Regarding your business social media sites, specify who can post (by name or title), what can be posted, and the review process needed prior to posting. The Privacy Officer, Security Officer, Legal and Marketing may all need to be in the loop on the review process
  • Restrictions on confidential/proprietary information, intellectual property rights, etc.
  • Rules about pictures being taken should be clear. With the pixel density of today’s smartphones and cameras, anything in the background (faces/paperwork) can easily be isolated and blown up to see amazing detail.
  • How social media will be included in your risk management process (remember, risk management is a required part of HIPAA compliance)

Make sure your training materials cover the social media policy and rules for your facility.

Seems like a lot of work and effort with a potentially high risk, so why bother?

  • If you are not active on social media, you will lose business to your competitors. People looking for your services are going to turn to the internet to not only find your organization, but also to research your organization (e.g. what you do and how well you do it).
  • Your organization needs to monitor what your patients are saying. There is no ‘fact checking’ on internet posts, and entries are very difficult to permanently delete, so there is already information about your organization out there. Your obligation as a business is to locate these opinions and determine if they are good or bad.

When you decide to take on social media, make sure it remains a focus for someone in your organization to regularly review and monitor not only your specific Facebook, LinkedIn, blog, or Twitter feeds, but also to search these sites for anyone else talking about you. Remember to never respond with or to any postings that would confirm/disclose any PHI about the person posting the comment. Also, be sure the person responsible for your social media accounts is familiar with HIPAA. Being a “great social media person” is not enough. They must also be fully connected with your marketing and legal teams to present a HIPAA-safe and marketing-consistent profile of who you are and what you do.