How to Avoid HIPAA Violations on Social Media
HIPAA, or the Health Insurance Portability and Accountability Act, was passed in 1996 to streamline the U.S. healthcare system. It also protects patient privacy and manages how electronic data is handled. The revisions passed in 2013, known as the Omnibus Rule, updated the legislation and added significant penalties for organizations that fail to adhere to the laws or encounter incidents. Currently, the Office for Civil Rights is also regularly posting guidance on specific areas of HIPAA to further clarify how the laws are being interpreted and enforced.
This legislation affects nearly every aspect of doctors’ and nurses’ professional lives, including their use of social media.
If you’re a healthcare professional, you need to know how to avoid HIPAA violations on social media. Here’s how.
What Happens If You Violate HIPAA
HIPAA violations are serious offenses. If you unknowingly share personal information about a patient, you could face fines of anywhere from $100 to $50,000. Particularly egregious cases can see fines up to $1.5 million.
You could also lose your professional license. A violation — even on social media — could end your career in the medical field.
That’s why you and your staff need to avoid HIPAA violations whenever possible.
How to Avoid HIPAA Violations on Social Media
Sharing a post with the express purpose of mocking a patient is a clear violation of HIPAA. These types of posts carry severe consequences.
That was obvious in a case where a Chicago-area doctor posted photos of a patient seeking treatment for alcohol poisoning. In this case, the patient filed a lawsuit against the doctor. She claimed the photos had the potential to damage her career prospects for years to come. She is seeking $20 million in damages.
Not every case is as obvious as this one. There are plenty of ways employees and administrators can accidentally violate HIPAA on social media.
Here’s how to avoid it.
Don’t Post Your Stories on Social Media
Every healthcare professional has plenty of unbelievable stories. After a particularly grueling day, it can be tempting to vent on social media about the patients you helped during your shift.
Don’t do this. Even if you omit the patient’s name, you could still identify them by discussing their diagnosis or treatment online. This is especially true in small communities.
Remember, you never know who is reading your social media posts. The patient may even be the one to spot your post and report it to the authorities.
Check the Backgrounds of Your Photos Before You Post
It’s easy to overlook the background in your latest selfie. Even the smallest details can reveal identifying information about patients.
Charts, medical files, and even car license plates can all reveal personal information about patients. If you accidentally snap a photo of a patient and post it, you’re facing a big HIPAA violation.
As a general rule, it’s not a good idea to take personal photos at work. If you do want to post a picture, check it with your administrator first.
Don’t Offer Medical Advice on Social Media
It’s never a good idea to dispense medical advice anywhere outside of a doctor’s office. That’s because, without a proper medical exam, it can be difficult or impossible to tell exactly what is ailing a patient. Offering a misguided or ill-informed diagnosis can be dangerous to their health.
On social media, offering medical advice can also violate HIPAA. If a patient reveals personal health information and you offer a diagnosis or repost it, you have shared medical information without their consent.
If anyone asks for your medical advice on social media, refer them to their doctor for a diagnosis.
Always Get Written Permission
Sometimes, a patient’s story is too great not to share. Maybe they made an amazing recovery or showed great strength in the face of adversity and you want to share their accomplishment.
Even in cases like these, you need written permission from the patient before posting anything about them on social media.
That permission can protect you if your patient later claims your post violated their privacy.
Create a Social Media Policy at Work
Deciding what is and what isn’t appropriate to post can be a difficult process. If you’re the head doctor or administrator of your practice, you can help guide your employees by creating a social media policy for them to follow.
Include specific guidelines about when your employees can post at work — if at all. Make sure your employees understand what constitutes a HIPAA violation. Go over the penalties of a violation, too.
You can download a free copy of our social media policy by clicking here.
Establish Professional Social Media Accounts
Never post information about your employer or business through your personal account. There are several reasons for this and not all relate to HIPAA.
Posting information from your personal account ties the hospital or facility to every post you’ve ever made. That means a prospective patient may see your personal political views or photos from your college days along with information about the hospital.
If incorrect information appears on your personal account, it can also confuse patients.
A professional account can put your best foot forward online — while protecting you from violating HIPAA. Assign a staff member to review and vet every post before it goes live. They should triple-check everything to make sure the post doesn’t violate the law.
Always Defer to Your Dedicated Communications Staff
Large hospitals and healthcare facilities almost always have a communications staff managing social media accounts. They write posts, vet the wording with administrators, consult the legal department, and share the posts across the facility’s official channels.
They likely know HIPAA laws backward and forward. They are the people to talk to if you ever have questions about avoiding HIPAA violations on social media.
Even smaller practices often have one employee who handles communications. This employee should be the resident expert on HIPAA, and any questions about social media posting should go through them.
If you don’t have a communications department or a resident HIPAA expert, call the team at HIPAA Security Suite and one of our HIPAA experts can help you avoid trouble.
Jeff Mongelli | CEO