Social Media Has Huge Potential to Cause HIPAA Violations

Since the introduction of the Health Insurance Portability and Accountability Act in 1996 the healthcare industry has suffered numerous data breaches exposing the personal and medical information of millions of patients.

In the late 1990s when the internet was still in its infancy, the majority of data breaches came from employees snooping and the improper disposal of medical records. Nowadays with protected Health Information of patients now stored electronically, lost or stolen portable devices are one of the most commonly reported HIPAA violations. These losses expose thousands, and in some cases, millions of patient records.

Since PHI can be used to commit medical insurance fraud, obtain medical treatment, prescription drugs and commit identity fraud, the value of medical records is high on the black market. Healthcare organizations have become targets for cybercriminals are those lacking robust security systems can easily have databases compromised and PHI stolen. However there is now a new risk to data security and it has huge potential to cause HIPAA violations: Social media.

Social Media is a Major Risk to Privacy

Social media networks such as Facebook, Twitter, Instagram and YouTube allow people to stay connected and share information with their friends, families, acquaintances, and in some cases, total strangers. Any information posted on social networks is considered to be in the public domain and it potentially becomes accessible by anyone with an internet connection. Posted information can be shared with an extraordinarily large audience in a remarkably short time frame and very little control exists over data once it has been posted. It can easily form a permanent online record.

The potential for an even seemingly innocuous post or status update to cause considerable harm and damage has been highlighted by a recent lawsuit filed by a Chicago ER patient, who alleges her PHGI was exposed when an ER doctor uploaded a photo of her drunk in the ER room to his Facebook account.

his may have been an isolated incident, but social media accounts have considerable potential to expose PHI and these risks should be identified in the risk analyses healthcare organizations are required to conduct under HIPAA regulations.

A HIPAA-compliant social media policy must be adopted and the staff should be advised about what can and cannot be posted on social media accounts under federal Privacy and Security Rules.

Develop and Implement a Social Media Policy

Developing a comprehensive social media policy can demand a lot of resources, although it is possible to adapt the social media policy of a company such as the Mayo Clinic and use that as base and adapt it to sort your organizations needs.

The easiest way to implement the policy is to provide the staff with very clear and precise guidelines on the use of social media channels, both at work and privately. HIPAA compliance does not end when the healthcare center is left as far as social media channels are concerned.

Provide a list of easy to read bullet points which concisely state social media policies and advise the staff not to engage with patients online unless they are sure it is via a HIPAA compliant medium. Whenever possible staff should request a face to face meeting or make a telephone call.

It is forbidden to post any photos of patients online or disclose personal information online without first obtaining consent, and it should be communicated that posts may form a permanent online record.

Social media is an easy and convenient way to engage patients, develop brand image and build up an online profile; however the risks to privacy and security are considerable and it is therefore essential that policies are developed and regularly monitored and updated as appropriate.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.