Is Social Media Allowed Under HIPAA?

The Health Insurance Portability and Accountability Act, more widely known as HIPAA, was first introduced in 1996, long before the widespread use of social media platforms. As a result, these platforms were not directly addressed in the law, and many are wondering whether the use of social media is allowed under HIPAA. Even though these tools were not specifically mentioned, there are rules in HIPAA that can be applied to social media networks and how they are used by HIPAA covered entities and their staff. It is therefore vital that covered entities and business associates introduce and enforce strict social media policies to ensure that HIPAA rules and patient privacy are respected across all media.

The use of social media can bring about a number of positive effects. For example, it gives healthcare organizations the ability to engage directly with their patients and stakeholders, offering an interactive way to encourage better health practices and create greater engagement with health topics. It also offers an avenue to highlight important information, raise awareness of changes in service, or advertise existing services to potential new clients. This increased reach, however, comes with increased risk: any system where information can be shared could result in private information being inappropriately transferred or intercepted. With this in mind, what should healthcare organizations do to encourage judicious and HIPAA-compliant use of social media networks?

HIPAA and Social Media

The easiest and only sure way to avoid breaking HIPAA rules on social media is to entirely avoid the use of social media for transmitting or discussing Protected Health Information (PHI). Indeed, elements of the HIPAA Privacy Rule can be said to prohibit the use of PHI with social media. Given the highly visual nature of social media posts, it is important to remember that videos and photographs can be deemed PHI, as can text posts that could lead to a patient being identified. For PHI to be included in a social media post or message in a compliant fashion, the poster must receive written permission from the patient that authorizes them to disclose their PHI in the specific manner of the post before the post is published.

General information that cannot be linked to any particular person or which cannot lead to any particular patients being identified is allowed, but PHI is strictly controlled.

Social Media Training for Employees

Given the ubiquitous use of various social media platforms among internet users, it is in the interest of covered entities and business associates to train their staff on how HIPAA applies to social media. Ideally, all employees would receive their appropriate training before or shortly after commencing the duties of their position. It would be good practice for employers to offer refresher courses as changes in HIPAA rules or social media platforms and use arise.

By introducing and adapting a comprehensive training program, as well as a thorough social media policy, covered entities can protect themselves, their staff members, and patients from the potential damages that can result from improper treatment of PHI.