
HIPAA Violations Involving Social Media are on the Rise

Richard P. Kusserow | October 2023

Key Points:

  • Action taken for disclosing PHI in response to negative online reviews
  • OCR action includes fines and mandated actions
  • Critical to have and train employees on a HIPAA Social Media Policy
  • Many individuals use their smartphones to access social media
  • Privacy tips for social media

Although the Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996, many years before the advent of today’s social media platforms, and contains no explicit rules regarding their use, the rule’s privacy protections still apply. Nearly everyone has a smartphone these days, and many people use it to access LinkedIn, Twitter, Facebook, YouTube, and other social media sites. This has created unique challenges and increases the risk that healthcare professionals will violate a patient’s privacy and HIPAA by transmitting PHI, even without ever mentioning the patient’s name. Sharing too much information on social media platforms can have serious adverse consequences for healthcare organizations and employees if PHI is involved, including fines, penalties, loss of jobs, lawsuits by patients, and damaged reputations. Everyone needs to know how easily information can be compromised. The most common mistakes involve (a) sharing photos of patients, medical documents, or other personal information without written consent (e.g., documents visible in photos of employees); (b) failing to fully de-identify a picture or text before posting; (c) posting “gossip” about a patient even if the name is not disclosed; and (d) believing posts are private or deleted when they are still visible to the public.

Recent OCR Enforcement Involving Social Media

OCR has reported receiving many complaints about PHI violations involving health information posted on social media or the internet in response to negative business reviews. A recent OCR settlement with a health care provider is a good example of the consequences of privacy violations via social media. The enforcement action included monetary penalties and mandated actions against a health care provider for impermissibly disclosing a patient’s PHI when the entity posted a reply to the patient’s negative online review. OCR found that posting a response to a patient’s negative online review that included specific information regarding the individual’s diagnosis and treatment of their mental health condition violated HIPAA. The mandated actions included (1) developing, maintaining, and revising written policies and procedures to comply with the HIPAA Privacy Rule; (2) training all members of the workforce, including owners and managers, on the organization’s policies and procedures for complying with the HIPAA Privacy and Security Rules; (3) within 30 calendar days of the agreement, issuing breach notices to all individuals, or their representatives, whose protected health information was disclosed on any internet platform without a valid authorization; and (4) within 30 calendar days of the agreement, submitting a breach report to HHS concerning individuals whose PHI was disclosed on any internet platform without a valid authorization.

Privacy Tips for Navigating Social Media

Consider the following tips to navigate social media and to ensure compliance with HIPAA privacy requirements.

  1. Develop and implement clear, strict, easily accessible social media policies that address HIPAA and state privacy laws.
  2. Define correct procedures for social media posts and what is not acceptable.
  3. Perform a Security Risk Analysis (SRA) that includes the company’s social media presence.
  4. Mandate HIPAA training at the time of hire and annually thereafter that includes social media expectations and policies for employees.
  5. Emphasize not posting something on social media that you would not say in public.
  6. Make it clear that violating HIPAA has serious consequences that include discipline up to and including termination.
  7. Periodically update HIPAA, privacy, and HR policies to stay current with changes in industry standards, rules, and technology.

You can keep up-to-date with Strategic Management Services by following us on LinkedIn.

About the Author

Richard P. Kusserow established Strategic Management Services, LLC, after retiring from being the DHHS Inspector General, and has assisted over 3,000 health care organizations and entities in developing, implementing and assessing compliance programs.
