HIPAA compliance and social media: what you need to know


    Let’s talk about HIPAA compliance.

    It’s one little acronym, one enormous can of worms to get your head around. 

    This blog will drill into one area where medical businesses may inadvertently run into trouble: HIPAA compliance and social media. Because while private practices will typically have stringent processes in place regarding data security and patient confidentiality in other areas of the business, social media can sometimes be where things slip through the cracks.

    Today, we’ll walk you through some of the common pitfalls and knowledge gaps that practitioners may experience when it comes to HIPAA compliance and social media.

    Because you 100% do not want to end up breaking the trust of your clients, losing your hard-won reputation that you’ve spent years building, and being slapped with a massive fine. You could even end up on the HIPAA wall of shame – a real thing, by the way. 

    Here’s our guide to HIPAA compliance and social media. 

    What is HIPAA compliance? 

    HIPAA stands for the Health Insurance Portability and Accountability Act.

    HIPAA is a law that safeguards personal health information. It ensures that medical providers like doctors and hospitals keep patients’ health details private and only share them with authorized personnel. If someone doesn’t follow these rules and shares confidential information, they can face serious consequences – we’re talking big fines and even imprisonment. 

    What do HIPAA guidelines say about social media? 

    That’s a good question. HIPAA was enacted in 1996. That’s in the very early days of the internet and long before Facebook, Instagram, or TikTok were a thing.

    While HIPAA rules don’t mention social media directly, privacy protections regarding personal health information (PHI) apply to – and can be breached by – your social media content. 

    Key principles of HIPAA related to social media 

    The crux of the matter is PHI: protected health information. According to the US Department of Health and Human Services, PHI is any information that relates to:

    • An individual’s past, present, or future physical or mental health or condition
    • The provision of health care to the individual, or
    • The past, present, or future payment for the provision of health care to the individual
    • Common identifiers such as name, address, birth date, and Social Security Number, when they can be associated with the health information listed above.

    Sharing patients’ protected health information is strictly prohibited and healthcare employees need to be vigilant of potential breaches – on social media and more broadly. 

    Examples of social media mistakes leading to HIPAA breaches

    There are numerous ways that social media mistakes can lead to HIPAA breaches. 

    For example, imagine a hospital employee posting something on their personal social media account about a patient they treated at work that day. You might think it’s OK because the post is generic and they haven’t named the patient. However, the patient may still be identifiable if, say, the employee lists the name of the hospital they work at on their profile.

    Here are a few other examples of HIPAA breaches on social media: 

    • Sharing photos of the patient without their consent 
    • Venting about a patient online, even if you don’t identify them
    • Responding to comments or reviews and revealing patient information 
    • Sharing patient information in a post without realising

    Consequences of HIPAA breaches on social media

    Here are just some examples of HIPAA breaches and the consequences…

    • A nurse at a children’s hospital in Texas was fired after she posted on social media about a child who had a rare case of measles at the hospital she worked at. The nurse was an anti-vaxxer but posted on Facebook about how it was “rough” seeing the boy suffering from measles, a disease which would be preventable through vaccination.  
    • A dental practice was hit with a HIPAA violation for disclosing PHI on a social media review site. The practice breached HIPAA because of how they responded to reviews on Yelp. While the patients had posted under a Yelp moniker, the responder used full names and also disclosed information about patient visits and insurance.
    • One patient in Michigan was threatened with jail for filming an interaction between another patient and a member of staff in a hospital – which was documented in a series of videos uploaded to TikTok – an example of a newer platform to be aware of.

    💡Did you know? 

    It’s not just healthcare businesses that can run into trouble with HIPAA compliance and social media. Meta has had a lawsuit filed against them for violating patient privacy.

    This followed an investigation which found that 33 of the top 100 hospitals in the US use the Meta Pixel on their website. At seven hospitals, it was sending confidential patient information to Facebook and the patients were then being served advertisements related to this information.


    Jennifer Ellis-Wilson, FACMPE

    Consultant, trainer, and speaker
    Practical Management and Leadership Consulting

    👉As a former HIPAA Privacy Officer, consultant and speaker Jennifer Ellis-Wilson, FACMPE, was responsible for both safeguarding protected information and training all employees on best practices for compliance. She shares some of the biggest red flags she sees in clinics regarding HIPAA and social media… 

    “The biggest mistake I see is that organizations do not conduct appropriate privacy law training for the people responsible for social media engagement.

    “Whether they’re using interns, existing staff, or hiring social media or marketing staff specifically – or outsourcing to social media management companies – there is often a disconnect regarding these folks’ understanding of HIPAA and other applicable privacy laws and what they believe to be best practices for marketing and engagement.

    “It’s great to have a robust social media presence – it allows for more organic engagement with patients and potential patients, and can be used to educate and inform your audience about important health-related issues in a non-identifiable way.

    “However, it’s easy to cross the line into impermissible activities. If a patient comments or asks a question on one of your social media posts, for example, you have to be certain that answering them does not violate HIPAA or other privacy regulations.”

    Jennifer’s tips on how NOT to commit HIPAA violations on social media

    1. Be careful of photography errors: “If you’re posting photos of your office/employees/clinicians, obviously you need a photo release if patients are being shown. But it’s easy to snap a couple pictures of smiling staff, and forget to zoom in on every area of the picture to ensure no patient information is visible!”
    2. Have clear policies you communicate to staff: “Make sure you have clear HIPAA and privacy policies that are communicated to your staff, and be sure that they include things like a cell phone policy, voice and image recording policies, content policies for company and personal social media, etc.”
    3. Don’t forget personal social media accounts: “An employee who posts a picture of their newly-cleaned desk to their own social media account may be unwittingly violating HIPAA if you can zoom in and read the display on their computer monitor, or patient information on a sticky note. Double and triple-check that you’ve de-identified any information or graphic that you want to post!”
    4. Check your software: “With the rise of telehealth since the onset of the COVID-19 pandemic, many practices have adopted virtual teleconferencing, email, texting, and private/direct messaging systems. Not every system is HIPAA compliant in terms of its encryption or other security features, and even fewer systems are compliant with some of the stricter state-level privacy and security regulations. Double-check that the messaging and connection platforms you’ve adopted are compliant!”

    Dos and don’ts for avoiding HIPAA violations on social media

    • Do consider your personal accounts

    It’s not just about your official social media accounts. Possibly even more critical is what you – and your staff – post from your personal accounts. People may feel more relaxed posting on a personal social media account, but that’s often where you run into issues.

    • Don’t post ‘gossip’ online

    There have been various instances of individuals posting about patient cases in Facebook groups or simply on their news feed. But just because you’re posting in a closed group, your settings are set to ‘private’, or you don’t name the patient, it doesn’t make it OK. 

    • Do always seek consent first 

    If a client is delighted with their treatment results, it makes sense that you may want to include photos in your marketing – on your social media or even on your website. If you want to share photos of a patient then always, always, always seek permission first – make sure you have written consent before you hit publish. 

    • Don’t respond to comments carelessly

    This is an interesting one because it highlights that it’s not just about what you post on social media, but also how you respond. For example, a patient may tag you on social media because they’re happy with their treatment, but if you acknowledge that post you could be in breach of HIPAA. 

    • Do be careful with reviews 

    Be careful about how you respond to online reviews. We mentioned an example above where a practice shared personal information when they responded to reviews. Make sure your team are briefed on how they should and shouldn’t respond to reviews. 


    How to build a HIPAA-compliant social media presence

    It’s crucial to educate your teams about what is HIPAA compliant… and isn’t. Here are five tips to empower your teams so you can feel confident about your social media content. 

    1. Establish roles and responsibilities 

    Your social media accounts shouldn’t be a free-for-all where everyone has login details and there’s no clear chain of command. Put someone in charge of your social media accounts, such as your practice manager, and ensure a clear approval process for content. 

    2. Create documented processes and policies

    Documentation is everything. There’s no point in having a social media policy that lives in your head – if you ever have a breach you need to be able to show that you have policies in place. Detail your policies and processes with examples, channels, and do’s and don’ts. 

    3. Ensure your team is fully trained

    You shouldn’t hand over the keys to your accounts without appropriate training. Make sure you train all new staff and run refresher training sessions at regular intervals so everyone knows what is appropriate and what isn’t – across professional and personal accounts. 

    4. Stay on top of trends and channels 

    There are always new social media channels popping up, so it’s important to update your policies and processes accordingly. Platforms like TikTok are often where brands and businesses loosen up on formality, and that informality can pose a risk. Be ready for that.

    5. Always be prepared for audits 

    If you ever require an audit of your social media accounts, you need to be prepared. Rather than having to pull data from multiple sources, it helps to use a social media management tool that lets you track and export your previous posts.

    One last thing

    So if it doesn’t violate HIPAA then it’s OK, right? It’s not quite as clear-cut as that. 

    Even if you don’t directly break HIPAA rules, there’s still a fine line to walk. A social media video might not break federal law, but that still doesn’t mean you should post it. 

    There’s been a lot of discussion lately about the ethics of doctors and nurses turned TikTok influencers. While the content can be captivating – “a new medium of med drama” – it’s not without controversy. What can be intended to be a playful or comedic post might simply not translate to a wider audience. And that can have potentially serious consequences.

    So, even beyond the HIPAA conversation, it’s worth erring on the side of caution. If you’re ever in any doubt about whether to post something or not, sense check it first. If you think it could offend your clients or have a negative impact on your brand, don’t post.

    The key takeaway 

    When it comes to HIPAA compliance, it’s important to take a holistic approach.

    Perhaps because it’s a more informal mode of communication, social media often inadvertently trips people up – and they post without even realising they may be breaching the regulations. That’s why robust measures are non-negotiable for healthcare businesses. 

    Anything else simply isn’t worth the risk.
