Guidelines on Using Social Media to Avoid HIPAA Violations
ProPublica released a study in 2015 that showed the reality of HIPAA social media violations involving healthcare employees in 2015. If not addressed, there will likely be more cases of HIPAA violation occurring via the social media. Posting the following on social media are the common HIPAA violations committed via social media:
- Images and videos of patients without a consent in writing
- Gossip about the patients
- Any information that identifies a person or patient
- Photos taken inside a healthcare facility that allows the identification of patients or disclosure of PHI
- Text, photo or video within a private group
The Department of Health and Human Services’ Office for Civil Rights issued guidance that tackles HIPAA social media regulations that healthcare organizations can follow. The following will help make sure that the use of social media complies with HIPAA rules.
- Healthcare organizations must develop clear social media policies and make sure that employees know and follow them.
- Healthcare organizations must include social media training as part of HIPAA employee training. A refresher training program is also recommended annually.
- Staff must have concrete examples of acceptable and unacceptable uses of PHI in social media for better understanding.
- Everyone in the organization must know that HIPAA violations on social media can lead to termination, criminal charges and loss of license.
- All social media sites must be approved by your compliance department before usage.
- All social media policies must be reviewed and updated every year.
- Have policies and procedures specifically detailing allowable marketing strategies on social media.
- There must be a clear policy on the separation of personal and corporate social media accounts.
- It is recommended to submit social media posts for approval by your organization’s legal or compliance department before posting.
- Organizations must monitor their social media accounts and set controls that could flag potential HIPAA violations.
- Keep a log of social media posts that your organization can use for the editing and formatting of social media messages.
- Do not engage in any discussion on social media that disclosed patient’s PHI.
- Encourage employees to report any potential issue of HIPAA violations on social media.
- Conduct a risk assessment of your organization’s social media accounts.
- Secure access to your organization’s social media accounts to prevent unauthorized posting.
- Turn on comment moderation on all social media platforms.