Advice for staying HIPAA compliant when using social media

Social media is an increasingly common presence in healthcare, among providers and consumers alike. For healthcare providers, social media can be an extremely effective marketing tool, acting as a direct line of communication between current and prospective patients. Social media sites, forums and blogs also act as a valuable platform for healthcare professionals to share information and experiences with others who operate in similar environments.

For consumers, social media provides instant access to a wealth of information that can be used to help inform important health decisions; from choosing a new physician, to researching medications.

All considered, social media presents many benefits for both parties, and will continue to serve as a valuable resource for many years to come. But while the benefits may be clear, the potential pitfalls are not always so obvious, and are in many cases overlooked entirely.

Social media and PHI
Healthcare providers have a duty to safeguard their patients’ protected health information (PHI) online, and social media is no exception.

Even a seemingly innocent post on social media could have disastrous repercussions: if a physician were to disclose a patient’s PHI without consent, this would be a direct violation of HIPAA, and likely of state law too.

Breaches of patient confidentiality or privacy, whether intentional or inadvertent, can occur in a number of ways, whether by posting images of the patient or by describing a patient with just enough detail for them to be identified.

To minimize the risk of disclosing patient PHI, it is important to understand the 18 PHI identifiers, which are:

  1. Names;
  2. Geographic information;
  3. Dates (e.g. birth date, admission date, discharge date, date of death);
  4. Telephone numbers;
  5. Fax numbers;
  6. E-mail addresses;
  7. Social Security numbers;
  8. Medical record numbers;
  9. Health plan beneficiary numbers;
  10. Account numbers;
  11. Certificate/license numbers;
  12. Vehicle identifiers and serial numbers, including license plate numbers;
  13. Device identifiers and serial numbers;
  14. URLs;
  15. IP address numbers;
  16. Biometric identifiers (e.g. finger and voice prints);
  17. Full-face photographic images and any comparable images; and
  18. Other unique identifying numbers, characteristics, or codes.

While some of these identifiers are more obvious than others (‘Name’ being the most obvious one), even the smallest detail could in theory be tied back to a patient. With this in mind, anyone participating in social media needs to be extra vigilant not to disclose any of the information above, regardless of intent.
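As an added example, not part of the original article, the following Python script is a simple “read it back before you post” check: it scans a draft post for the structured identifiers from the list above (SSN, phone or fax numbers, e-mail addresses, dates, IP addresses, URLs, and a constructed medical record number format) and reports what it found. The MRN format and the sample post are assumptions made for the example; pattern matching cannot catch a patient described in prose, so this is a safety net in addition to the human review, not a replacement for it.

```python
import re

# Regex heuristics for the structured entries in the 18-identifier list above.
# Free-text details (a rare diagnosis, an unusual job) cannot be caught this way.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"\b(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    # Assumed MRN format for this example, e.g. "MRN 4471023"; adapt to your system.
    "medical_record_number": re.compile(r"\bMRN\s*#?\s*\d{5,}\b", re.IGNORECASE),
}


def find_identifiers(post_text):
    """Return a list of (category, matched_text) pairs found in a draft post."""
    findings = []
    for category, pattern in IDENTIFIER_PATTERNS.items():
        for match in pattern.finditer(post_text):
            findings.append((category, match.group(0)))
    return findings


def is_safe_to_post(post_text):
    """True only when no structured identifier was detected."""
    return not find_identifiers(post_text)


# Constructed sample draft; every value in it is made up for the example.
DRAFT_POST = (
    "Great outcome today for a patient born 03/14/1958, MRN 4471023. "
    "Call 555-123-4567 or email j.doe@example.com for follow-up."
)

if __name__ == "__main__":
    for category, value in find_identifiers(DRAFT_POST):
        print(f"BLOCK: {category}: {value}")
    print("safe to post" if is_safe_to_post(DRAFT_POST) else "do not post")
```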

Advice for staying HIPAA compliant when using social media

Having acknowledged the potential dangers associated with social media, what can healthcare providers do to help ensure HIPAA privacy and security rules are adhered to when posting online? Here are five tips to avoid disclosing PHI when using social media.

  1. Never post about patients. Ever. Not even in general terms. As the 18 points outlined above highlight, it is extremely difficult to anonymize patients – even the subtlest identifier could land you and your practice in a lot of trouble.
  2. Don’t mix work and personal life. Healthcare professionals should keep their personal and professional lives separate. Befriending and interacting with a patient online, for example, could result in PHI inadvertently being exchanged in the public domain.
  3. If in doubt, don’t post. It may sound obvious, but if there is any chance at all that the information you are about to post could jeopardize the privacy of a patient, don’t post it. People often make mistakes in the heat of the moment – be it following a good or bad experience – so always take a minute, read the post back to yourself, and consider the potential consequences before hitting the ‘post’ button.
  4. Don’t trust messaging services. The likes of Facebook, Twitter and LinkedIn all have messaging functions through which users can communicate ‘privately’. However, the privacy of such messages relies on the recipient keeping the information to themselves and not leaving themselves logged in on public or office computers. To be safe, avoid private messaging altogether.
  5. Educate yourself and others. Last but by no means least, all staff should be trained and kept up to date with HIPAA compliance best practices and company social media policies. If you are a member of staff, familiarize yourself with company policies to protect yourself from potential fines, or worse.

The immediacy and widespread usage of social media makes it easy to look past the potential dangers it can bring. Whether intentions are good or not, any disclosure of patient PHI could land you and your practice in hot water, so it pays to be smart and approach social media with the utmost caution.

For more information around handling protected health information, check out our Cheat Sheet to the HHS Privacy and Security Rules.