HIPAA Journal

HIPAA Social Media Rules

HIPAA was enacted several years before social media networks such as Facebook and Instagram were launched, so there are no specific HIPAA social media rules. However, as with all healthcare-related communications, the HIPAA Privacy Rule still applies whenever covered entities or business associates – or employees of either – use social media networks.

There are many benefits to be gained from using social media. Social media networks allow healthcare organizations to interact with patients and get them more involved in their own healthcare. Healthcare organizations can quickly and easily communicate important messages or provide information about new services. Healthcare providers can attract new patients via social media networks. However, there is also considerable potential for HIPAA rules and patient privacy to be violated on social media networks. So how can healthcare organizations and their employees use social media without violating HIPAA Rules?

HIPAA and Social Media

Healthcare organizations must implement a HIPAA social media policy to reduce the risk of privacy violations. The HIPAA Privacy Rule prohibits the disclosure of ePHI on social media networks without the express consent of patients. This includes any text about specific patients as well as images or videos that could result in a patient being identified.

With regard to patient consent, PHI can only be included in social media posts if a patient has given their consent, in writing, to allow the publication of their personal information. In such circumstances, the PHI can only be used for the purpose specifically stated in the consent form.


Social media channels can be used for posting health tips, details of events, new medical research, bios of staff, and marketing messages, provided no PHI is included in the posts.

Employees Must be Trained on HIPAA Social Media Rules

In 2020, 83% of all Internet users visited social media websites. The popularity of social media networks, combined with the ease of sharing information, means HIPAA training should include the use of social media. If employees are not specifically trained on HIPAA social media rules, it is highly likely that violations will occur.

Training on HIPAA should be provided before an employee starts working for an organization, or as soon as possible following appointment. Refresher training should also be provided at least once a year to ensure HIPAA social media rules are not forgotten.

HIPAA Violations on Social Media

In 2015, ProPublica published the results of an investigation into HIPAA social media violations by nurses and care home workers. The investigation primarily centered on photographs and videos of patients in compromising positions and of patients being abused.

In some cases, images and videos were widely shared; in others, photographs and videos were shared in private groups. ProPublica uncovered 47 HIPAA violations on social media since 2012, although there were undoubtedly many more that were not discovered and were never reported.

In most cases, the HIPAA violations on social media resulted in disciplinary action against the employees concerned; several employees were terminated for violating patient privacy, and in some cases the violations resulted in criminal charges. A nursing assistant who shared a video of a patient in underwear on Snapchat was fired and served 30 days in jail.

It is not only employees who can be punished for violating HIPAA Rules. Healthcare providers also face severe penalties for HIPAA violations.

Common Social Media HIPAA Violations

HIPAA Social Media Guidelines

Listed below are some basic HIPAA social media guidelines to follow in your organization, together with links to further information to help ensure compliance with HIPAA Rules.

HIPAA Social Media Rules – FAQs

If an employee attaches an image of a patient's injury to a Tweet without any other identifying information, is that a breach of the HIPAA Privacy Rule?

This depends on whether the patient has given their consent for the image to be used. If they have, and the image is shared under the conditions of the consent, there is no violation of the HIPAA Privacy Rule. If the patient has not given their consent, the image could be used to identify the patient, and the employee is therefore in violation of the HIPAA Privacy Rule.

Do the HIPAA social media rules apply to all accounts or just corporate accounts?

The HIPAA social media rules apply to all accounts. It is also important to be aware that images posted on private social media accounts without patient consent are in double violation of HIPAA: the individual has not only posted ePHI when they were not supposed to, they have also extracted the image from a corporate source that lacked the protections of the HIPAA Security Rule.

If there are no specific social media rules, can covered entities still be fined for violations of HIPAA on social media?

Absolutely. In most cases, disclosures of ePHI on social media are unauthorized disclosures, which is a breach of the Privacy Rule. Furthermore, as mentioned above, if an employee has accessed ePHI without authorization, the covered entity would be liable for the likely breach of the Security Rule for not protecting ePHI from unauthorized disclosure.

Do all employees have to be trained on HIPAA social media rules, or just those with access to ePHI?

All employees should be aware of the organization's policies relating to social media, whether they have access to ePHI or not. Even employees without access to ePHI can disclose information on social media such as a patient's name and what they are being treated for, so it is important that employees know not to disclose information without authorization through any media.

How can covered entities and business associates implement controls that flag potential HIPAA violations on social media?

At present, the simplest way to monitor social media for HIPAA violations is to search for specific hashtags relating to a healthcare facility (e.g., #nyp, #mayoclinic, #UPMC). Although this is a manual control rather than a technology control, reviewing what is written about a healthcare facility on social media can help facilities improve their services – and their HIPAA policies – in many different ways.