Warning Against PHI Disclosure on Social Media
Using social media such as Facebook and Twitter can help healthcare organizations in several ways. It helps them to interact with patients and be more involved in their healthcare. It is a user-friendly tool for communicating important messages and information about new services. New patients can be easily attracted via social media channels. However, there should be restrictions in social media use to ensure that HIPAA rules and patient privacy are not violated. How should healthcare organizations and their employees use social media and remain compliant with HIPAA privacy rules?
Though there are no particular HIPAA social media rules, there are HIPAA laws that apply to using social media in healthcare. The most important rule to remember is “Do not disclose protected health information (PHI) on social media networks.” The HIPAA Privacy Rule prohibits using PHI including text, images or videos about patients that could result in identifying them on social media. The only allowed use of PHI in social media is when the patient has given a written consent to use it for a specific purpose. Health tips, medical events, new research information, marketing messages and bios of staff may be posted on social media without any PHI.
Healthcare employees must be specifically trained on the use of social media. Otherwise, it is very likely that HIPAA violations will happen. It must be provided as soon as an employee is hired. There should also be refresher training programs provided regularly to remind employees their responsibility regarding HIPAA social media rules.
ProPublica published a study in 2015 that investigated the nurses and healthcare home workers involved in HIPAA social media violations. Photos and videos of patients being abused or in compromising positions were shared in public social media, some in private groups. ProPublica found 47 HIPAA violations on social media since 2012 and many others were not reported.
Most of the HIPAA social media violations resulted in taking action against the guilty employees. Some were terminated for patient privacy violations, while others faced criminal charges. One nursing assistant was terminated from work and was jailed for 30 days for sharing a video of a patient in underwear on Snapchat. Healthcare organizations may also be severely punished for violating HIPAA rules. Hence, they must develop a HIPAA social media policy for their organization and strictly implement it.