Posting with Caution: The DO’s and DON’Ts of Social Media and HIPAA Compliance

Social media can be an extremely powerful tool for communicating general healthcare information to the public, creating professional connections, and sharing experiences. However, oversharing on social media platforms can have devastating effects on both healthcare organizations and their employees if patient-specific information is disclosed. With over 800 million people on social networks and professional blogs, it is not surprising that HIPAA violations are on the rise and are raising major concerns among medical practices.

If healthcare employees were better educated about the potentially hazardous mistakes that can occur while using social media and medical blogs, many HIPAA violations could be avoided altogether. To help you understand how social media, HIPAA violations and compliance should be handled in your medical practice, we have put together a list of the Do’s and Don’ts of Social Media and HIPAA Compliance.

DO: Understand what is considered a HIPAA violation on social networks.

Under HIPAA, a breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of protected health information (PHI). Since the 2013 Omnibus Rule, any impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate can demonstrate, through a documented risk assessment, that there is a low probability the PHI has been compromised. A social media post is no exception: once PHI is visible to people who have no authorized need for it, the disclosure has already happened, whether or not anyone has noticed it yet.

Common examples of social media HIPAA violations include:

  • Posting “gossip” about a patient where unauthorized individuals can read it, even if the patient’s name is not disclosed. PHI is any health information that could identify the patient, so details such as a date of service, an unusual diagnosis, a location or a photograph can be enough to identify someone without a name.
  • Sharing photographs, or any other form of PHI, without a written HIPAA authorization signed by the patient.
  • Mistakenly believing that posts are private or have been deleted when they are still visible to the public, have been cached, or have already been shared or screenshotted by others.
  • Sharing seemingly innocent comments or pictures, such as a photo of a workplace lunch that happens to have visible patient files, schedules or screens in the background.

DON’T: Post anything you wouldn’t say in an elevator or coffee shop.

As a general rule of thumb, if you wouldn’t say it in public, don’t put it on social media. If there is any doubt at all about a post, picture or comment, check with your compliance or privacy officer, or even a colleague, before publishing; once something is posted you no longer control who has seen or copied it.

DO: Thoroughly train employees on your organization’s HIPAA Privacy and HIPAA Security policies and procedures at the time of hire and at least annually thereafter. Your organization’s social media policy should be integrated into these policies and procedures.

  • One of the best ways to avoid legal pitfalls with social media HIPAA violations is to have a clear, widely distributed company policy on the use of social networking sites during working and non-working hours.
  • Consider extending your existing HIPAA compliance policies so that they explicitly cover social media networks, including personal accounts and personal devices used by employees.

Healthcare Compliance Pros has created a sample Social Media policy that can be customized based on your organization’s specific social media guidelines.

In addition, Healthcare Compliance Pros’ HIPAA Security Training includes important policies and procedures regarding Workstation Use, Workstation Security, Bring Your Own Device (BYOD) policies, and others. These policies and procedures are important for ensuring your organization’s employees and the employees of your business associates are properly safeguarding patient information, whether oral, written or electronic.

DON’T: Overlook the severity of HIPAA Violation Penalties.

According to HHS, the majority of HIPAA violations in recent years have resulted from employees mishandling PHI, and many of those stem from inappropriate social sharing. Violations under the HIPAA Privacy Rule carry Civil Money Penalties that range from $100 to $50,000 per violation, with an annual cap of $1,500,000 for violations of an identical provision, and the amounts are periodically adjusted for inflation. Criminal Penalties can result in fines of up to $250,000 and up to 10 years in prison for the most serious offenses, such as disclosing PHI with intent to sell it or use it for commercial advantage or malicious harm. Other consequences of violating HIPAA include lawsuits, the loss of a medical license or employee termination.

When a HIPAA breach occurs on a social network or professional blog, the following steps should be taken:

  • Report a brief description of what happened to your compliance officer, including the date of the breach, if known, and the date the breach was discovered; the discovery date starts the notification clock. Where possible, take the post down and keep a copy (a screenshot with the URL and time) so the incident can be documented accurately.
  • If it is determined that a breach has occurred, covered entities and their business associates are required to provide notification following a breach of unsecured protected health information. Individual notifications must be provided without unreasonable delay and in no case later than 60 calendar days after discovery of the breach.
  • In addition, your compliance officer will ensure the appropriate notification procedures are followed, including providing notice to the Secretary of HHS (within 60 days of discovery for breaches affecting 500 or more individuals; for smaller breaches, in an annual log submitted within 60 days of the end of the calendar year) and to prominent media outlets when a breach affects more than 500 residents of a state or jurisdiction.
  • Employees involved in the breach should, at a minimum, be re-trained on HIPAA Privacy, HIPAA Security and any additional social media policies and procedures, and any sanction applied should be documented in accordance with your organization’s sanctions policy.

Remember that HIPAA compliance is an ongoing, vigilant part of your overall compliance program. By providing ongoing training to employees about the potentially hazardous mistakes that can occur while using social media and medical blogs, your organization can ensure that social media remains a powerful tool for sharing information, sharing experiences, and potentially expanding your organization’s business.

If you have any questions or concerns about implementing social media HIPAA compliance policies, notifying the Secretary about a breach, performing a Security Risk Analysis or for more information about the breach determination and breach mitigation services we provide, please feel free to either comment below, send us an email at [email protected] or reach us toll-free at 855-427-0427.
