The challenge with social media and HIPAA compliance is that covered entities and business associates cannot disclose Protected Health Information unless the disclosure is permitted by the Privacy Rule. This restriction should apply to members of the workforce. Yet it is difficult to monitor what members of the workforce post on social media outside the workplace.
Permitted disclosures of Protected Health Information (PHI) are generally limited to disclosures for treatment, payment, and healthcare operations, disclosures to the individual and HHS’ Office for Civil Rights, disclosures required by law, and disclosures supported by a patient authorization. In most of these cases, disclosures of PHI must be limited to the minimum necessary to achieve the purpose of the disclosure.
If a disclosure of PHI is not permitted by the Privacy Rule or authorized by the patient – or it consists of more than the minimum necessary information – the disclosure is a violation of HIPAA. Because of this, covered entities are required to implement policies governing disclosures of PHI, provide training on the policies, and enforce sanctions on members of the workforce who violate the policies.
Examples of PHI Disclosed on Social Media
Because there are no circumstances in which an unauthorized disclosure of PHI on social media and HIPAA compliance align, members of the workforce should be prohibited – and should know they are prohibited – from posting individually identifiable health information on social media platforms. However, there are many examples of workforce members violating employers’ social media policies:
- Between 2012 and 2017, ProPublica sourced sixty-five inappropriate social media posts by nursing home workers.
- In 2019, Live5 WCSC reported on a social media HIPAA violation at MUSC Health – noting it was the sixth such violation in three years.
- Also in 2019, 11alive.com reported on a Facebook page on which images of patients were posted by a subsequently sacked EMS professional.
- When the COVID-19 pandemic started in 2020 multiple healthcare professionals were disciplined for allegedly sharing PHI on social media.
In the majority of cases, the individuals responsible for the disclosures are disciplined by the covered entity for whom they work. If cases are prosecuted, it is usually for breaches of elder abuse or privacy laws rather than for violations of HIPAA. However, there have been cases in which lawsuits have been filed against covered entities for failing to protect the privacy of patients. These are in addition to Office for Civil Rights’ inspections and corrective action plans.
Corporate Social Media and HIPAA Compliance
Social media can be a very useful communications and marketing tool for HIPAA covered entities and business associates. Healthcare organizations can use social media to help patients make healthy life choices, provide practical advice when new health issues emerge, and raise awareness of targeted clinics or events. Provided unauthorized PHI is not used in any corporate messaging, there is no conflict between social media and HIPAA compliance.
However, in addition to being subject to the HIPAA Privacy Rule, covered entities and business associates are also required to FTC Social Media Rules which prohibit deceptive and misleading messaging. Particularly relevant to healthcare organizations is guidance provided by the Federal Trade Commission which warns social media messages must not make up claims that cannot be proven “such as scientific proof that a product can treat a health condition”.
To mitigate the risks of misleading marketing messages and/or impermissible disclosures of PHI, covered entities are advised to implement a FTC/HIPAA compliant social media policy which stipulates the conditions under which social media can be used by members of the workforce. The policy should also contain information on how to anonymously report a social media post that may violate the policy and escalate the report to HHS’ Office for Civil Rights.
Because some state laws have more stringent privacy protections than HIPAA, it is possible that some disclosures of individually identifiable non-health information permitted by HIPAA violate state laws. Covered entities and business associates that require further clarity on state laws, social media and HIPAA compliance are advised to speak with a healthcare compliance specialist with knowledge of the state privacy laws in the area(s) in which they operate.
Photo Credit: defensorum / stock.adobe.com