Healthcare providers that use social media platforms like Facebook and Twitter can interact with their patients, advertise new services, and communicate urgent announcements. Even though there’s immense potential for social media to improve healthcare, it can also expose patient-specific information when used irresponsibly.
What social media actions violate HIPAA rules?
Posting patients' protected health information (PHI) on social media without the patients' permission or authority, even accidentally, is a violation of HIPAA regulations. This includes actions like:
- Sharing pictures (like a team lunch in the workplace) with patient information visible in the background
- Sharing any form of PHI (such as images or videos)
- Posting any information that could identify an individual
- Sharing gossip about a patient, even if the patient’s name is not mentioned
What are the consequences of violating HIPAA?
People in the healthcare industry should not treat HIPAA violations lightly. If an employee is found guilty of breaking a HIPAA rule, they could face fines between $100 and $1,500,000 depending on the severity of the violation. They could also face a 10-year jail sentence, lawsuits, job termination, and revocation of their medical license.
How can healthcare organizations prevent violations?
There are simple ways to avoid HIPAA violations while using social media:
- Don’t post stories about patients on social media. Even if the patient’s name is omitted, the patient could still be identified by their diagnosis or treatment.
- Check the background of photos before posting. Make sure there are policies that prohibit employees from posting photos of a patient or their information.
- Prohibit employees from offering medical advice on social media. It's best practice to refrain from posting diagnoses or treatment plans on social media, even if a patient asks for medical advice.
- Always get written permission. Sometimes, a patient’s story is too great not to share. Maybe they made an astonishing recovery or exhibited great strength in the face of adversity and you want to share their accomplishment. In cases like these, ask for written permission from the patient before posting anything on social media.
- Undergo training on HIPAA security and HIPAA privacy procedures and policies. Make sure to discuss topics such as workstation use, workstation security, and using personal devices for work. These procedures ensure that employees comply with HIPAA rules and protect patient information, whether it is electronic, written, or oral.
Do you work in the healthcare industry and need help managing IT and privacy issues? Feel free to call us today!