HIPAA Compliant Social Media
Social media is used by 74% of Internet users and 80% of people using social media actually use it to research doctors, hospitals, and medical news and information. Social Media can be an extremely powerful tool for communicating general healthcare information to the public, creating professional connections, and sharing experiences. However, sharing too much information on social media platforms can have devastating effects on both healthcare organizations and employees if patient-specific information is shared. With over 800 million people on social networks and professional blogs, it is not surprising that HIPAA violations are on the rise and are raising major concerns among medical practices.
If healthcare employees were better educated on HIPAA-compliant social media policies, potentially hazardous mistakes while using social media and medical blogs, HIPAA violations could be avoided altogether. In order to better understand how social media, HIPAA violations, and compliance in your medical practice should be handled, we have put together a list of the Do's and Don'ts of Social Media and HIPAA Compliance.
DO understand what is considered a HIPAA violation on social networks.
Under HIPAA, a breach or violation is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information (PHI).
Common examples of social media HIPAA compliance violations include:
- Posting verbal "gossip" about a patient to unauthorized individuals, even if the name is not disclosed.
- Sharing of photographs, or any form of PHI without written consent from a patient.
- A mistaken belief that posts are private or have been deleted when they are still visible to the public.
- Sharing of seemingly innocent comments or pictures, such as a workplace lunch which happens to have visible patient files underneath.
AVOID posting anything you wouldn't say in an elevator or coffee shop.
As a general rule of thumb, if you wouldn't say your comment in public, then don't put it on social media. If there is any doubt at all about a certain post, picture or comment then check with your compliance officer or even a colleague before publishing.
DO Thorough Employee Training on HIPAA compliancy
Train your employees on your organization's HIPAA Privacy and HIPAA Security policies and procedures at the time of hire and at least annually thereafter. Your organization's social media policy should be integrated into these policies and procedures.
- One of the best ways to avoid legal pitfalls with social media HIPAA violations is to have a clear, widely distributed company policy on the use of social networking sites during working and non-working hours.
- Consider extending your existing policies on HIPAA compliance relating to social media networks.
Healthcare Compliance Pros has created a sample Social Media policy that can be customized based on your organization's specific social media guidelines.
In addition, Healthcare Compliance Pros' HIPAA Security Training includes important policies and procedures regarding Workstation Use, Workstation Security, Bring Your Own Device (BYOD) policies, and others. These policies and procedures are important for ensuring your organization's employees and the employees of your business associates are properly safeguarding patient information - oral, written or electronic.
AVOID overlooking the severity of HIPAA Violation Penalties.
According to HHS, the majority of HIPAA compliance violations from recent years have occurred from employees mishandling PHI, many of which stem from inappropriate social sharing. Violations under the HIPAA Privacy Rule include Civil Money Penalties which can result in fines ranging from $100 - $1,500,000 or Criminal Penalties which can result in fines up to $250,000 and up to 10 years in prison. Other consequences of violating HIPAA include lawsuits, the loss of a medical license, or employee termination.
When a HIPAA breach occurs on a social network or professional blog, the following steps should be taken:
- Report to your compliance officer a brief description of what happened, including the date of the breach, if known, and the date of the discovery of the breach. This will be important when providing notification to the affected individual(s).
- If it is determined a breach has occurred, covered entities and their business associates are required to provide notification following a breach of unsecured protected health information. Individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach.
- In addition, your compliance officer will ensure appropriate notification procedures are followed including providing notice to the secretary of HHS and to the media if it is a breach involving greater than 500 individuals.
- Employees involved in the breach should (at a minimum) be re-trained on HIPAA Privacy, HIPAA Security, and any additional social media policies and procedures.
An Effective HIPAA Compliance Program is Consistent and Vigilant
Remember that a HIPAA compliance program is ongoing, so vigilance must be part of your overall program. By providing ongoing training to employees regarding potentially hazardous mistakes while using social media and medical blogs, your organization will ensure social media is a powerful tool for sharing information, sharing experiences, and potentially expanding your organization's business.
You have access to HIPAA compliance resources:
- Generate social media HIPAA compliance policies (customize our sample for your organization)
- Perform a Security Risk Analysis (SRA), breach determination, or learn how to notify the Secretary about a breach
- Discover breach mitigation services available to you
For more information about implementing social media HIPAA compliance policies, performing a Security Risk Analysis, or breach mitigation services you can access, contact HCP today with your questions and concerns. Furthermore, your Support Team is available by emailing firstname.lastname@example.org or toll-free calling 855-427-0427.