Is Your Social Media HIPAA Compliant?
By Gil Vidals, , HIPAA Blog, Resources

With over 2.8 billion users worldwide – over a third of the world’s population – social media is fast changing the way we communicate. In the U.S. alone, the percentage of adults using some form of social media, such as Facebook, Twitter, YouTube, or LinkedIn, has risen dramatically, from 8% in 2005 to nearly 70% in 2018.

Increasingly, healthcare workers and their patients are among those realizing the benefits: sharing articles on the latest medical research, networking and making referrals, marketing their practices to new and existing clients, and even communicating directly with patients about their care.

Staying Compliant with Social Media
Yet even with the best of intentions, disclosures can happen. Not long ago, an enthusiastic healthcare worker felt they were posting a helpful tip on Facebook, and cited one of their recent cases as an example. Unfortunately, the details shared were clear enough to identify the patient and violate their privacy.

It behooves us therefore to bear in mind the following rules when using social media, and make them an explicit part of our HIPAA training – not only because of the risk of costly HIPAA fines, but to safeguard the privacy and reputation of our patients:

  • Social media sites are not safe channels for communicating personal PHI (protected health information) – unless there is written permission from a patient to use it as they’ve specified.
  • Be mindful of photos taken in or near the health facility. It’s possible to inadvertently capture someone or even some detail of PHI in the background that discloses personal information.
  • Avoid posting gossip about patients. Even posts you thought were private or that were deleted can easily end up becoming public. Remember, gossip travels fast; social media only accelerates the process, and to a much wider audience.

Update Your Policies
While HIPAA regulations went into effect years before many of the popular social media sites existed or became marketing tools, the principles regarding PHI disclosures do apply. Be sure to update your policies and training, highlighting appropriate use, and the possible ways that PHI can be violated through social media, keeping the following guidleines in mind:

  • Establish clear social media policies, including access controls for approved sites, and the kinds of content that can go on them. Review these regularly, as new sites are springing up all the time.
  • Clarify the potential penalties for a HIPAA breach – including damaged reputations, and hundreds of thousands of dollars or more in fines.
  • Review all marketing materials before they are released, being alert to any patient photos or verbiage that could possibly disclose someone’s identity.
  • Maintain careful monitoring, and keep a record of all social media posts.
  • Reinforce the importance for staff to report possible violations.

Social media is indeed revolutionizing the ways in which we communicate, broadening our networks and rapidly increasing the flow of communication. While these realities can greatly enhance and promote the spread of helpful information, we must always remember to “post with caution” – and especially so when PHI can be disclosed.