It is possible to develop guidelines for HIPAA and social media use that mitigate the risk of impermissible disclosures of PHI in violation of HIPAA while still enabling covered entities and business associates to use social media to promote healthy lifestyles and provide valuable health information.
The HIPAA Privacy Rule was published some years before social media platforms became popular, and there are no specific HIPAA and social media guidelines. However, because of the way in which the Privacy Rule governs disclosures of PHI, it is possible to develop HIPAA guidelines for social media use by covered entities, business associates, and their workforces.
Importantly, there are no one-size-fits-all HIPAA guidelines for social media use (*). Covered entities and business associates must develop their own HIPAA social media guidelines based on a risk assessment, develop policies to safeguard the privacy of PHI, and train all members of the workforce on the policies – not just those with access to PHI. The reason why is explained below.
(*) Some sources claim the Department of Health & Human Services (HHS) has provided guidance on HIPAA and social media use. However, the resource these sources link to relates to the social media policies in use within the Department. They provide no guidance for HIPAA and social media use.
HIPAA and Social Media Risk Assessments
Although the requirement to conduct a risk assessment appears in the Security Rule, it is important to be aware of the Security Rule’s General Requirements (§164.306(a)). These require covered entities and business associates to “protect against any reasonably anticipated uses or disclosures of electronic PHI that are not permitted or required under subpart E of this part [the Privacy Rule].”
Therefore, when assessing “potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI” (§164.308(a)(1)(ii)), covered entities and business associates must also consider which uses and disclosures of PHI are permitted by the Privacy Rule, and how the confidentiality of PHI in any format could be compromised by an impermissible disclosure on social media.
In the context of HIPAA and social media, the most likely potential risks to the confidentiality of PHI are members of the workforce sharing identifiable information about patients on social media platforms. Although such posts may be well-intended, once a post is published, users have no control over who sees it or how PHI is further used and disclosed – even in private groups.
HIPAA-Compliant Social Media Policies
Advanced web and Wi-Fi filters can be configured to prevent members of the workforce accessing social media platforms via an organization’s Internet service, while still allowing marketing teams and visitors to remain connected. However, a blanket ban on social media use by the workforce is unlikely to be an effective way to prevent impermissible disclosures of PHI on social media.
Once connected to a different Internet service (i.e., at home), any member of the workforce could post a comment disclosing the identity of a celebrity they have seen at their workplace, or share a photograph they have taken on a personal device. The purpose of the disclosure does not have to be malicious. Nonetheless, a disclosure of this nature – without authorization – is a violation of HIPAA.
Therefore, covered entities and business associates should develop HIPAA-compliant social media policies that clarify the acceptable use of social media in the workplace and that stipulate no PHI should be disclosed via social media without a valid authorization form signed by the individual who is the subject of the PHI. Thereafter, it may be necessary to train all members of the workforce on what is considered PHI under HIPAA, and the procedures for obtaining a valid authorization.
HIPAA Training about Social Media Use
In order to be effective, HIPAA training about social media use should explain what PHI is, why it needs to be protected, and the consequences of posting anything on social media (i.e., copies of a post can remain indefinitely on servers, can be screenshotted and doctored using AI, or can be used to blackmail the account holder if the post is considered to be a privacy or security violation).
Training on HIPAA and social media policies also needs to be provided to all members of the workforce – not just those with access to PHI. This is because, whereas workforce members with access to PHI will have more opportunities to violate HIPAA by snooping, any member of the workforce can recognize a celebrity in the workplace or share a rumor about why they are there.
With regard to obtaining valid authorizations, there are many conditions that have to be fulfilled in order to validate a HIPAA authorization form. Additionally, because it is not possible to absolutely delete social media posts, it is unlikely most patients will agree to PHI being disclosed over personal social media accounts. It is important members of the workforce are aware of this – and warned of the consequences of faking or coercing an authorization, since doing so is itself a violation of HIPAA.
FTC Guidelines for Social Media
For healthcare marketing teams, social media can be a valuable communication channel for promoting healthy lifestyles, raising awareness of common health issues, and alerting the community to fundraising events. In most cases, corporate social media marketing teams are conscious of HIPAA compliance and it is much rarer to read about a corporate HIPAA violation on social media than it is to read about workforce members violating HIPAA on social media.
However, several healthcare-related organizations have been sanctioned by the Federal Trade Commission (FTC) for breach notification violations and for violations of Section 5 of the Federal Trade Commission Act, which governs deceptive acts or practices and requires organizations to abstain from any representation – or any reasonable interpretation of a representation – that seeks to gain an advantage while avoiding competing on the merits.
In 2019, the FTC published guidelines for social media influencers which are equally relevant for HIPAA covered entities and business associates. This is because the guidelines cover issues such as making unjustifiable health claims, advertising on character-limited platforms, and ensuring that endorsements or sponsored posts are clearly marked as endorsements and sponsored posts.
Conclusion – Overcoming the HIPAA and Social Media Challenge
It was mentioned in the opening to this article that the relationship between HIPAA and social media can be challenging, and this is definitely the case for covered entities and business associates that make a good faith effort to prevent social media HIPAA violations, but who may not have the resources to provide much HIPAA training about social media use.
The challenge is that, if a member of the workforce is not trained on an organization’s HIPAA-compliant social media policies and subsequently discloses PHI impermissibly on a social media platform, the organization would be liable for the HIPAA violation if a complaint is made by the subject of the PHI to HHS’ Office for Civil Rights.
Therefore, covered entities and business associates should prioritize HIPAA and social media risk assessments, policies, and training to overcome the HIPAA and social media challenge. If your organization is not sure how to do this – or lacks the resources to do it effectively – you should seek professional compliance advice.