HIPAA was enacted several years before social media networks such as Facebook and Instagram existed, so there are no specific HIPAA compliance rules for social media. However, organizations subject to HIPAA – and their workforces – must take care how social media is used to avoid violations of HIPAA and the Federal Trade Commission Act.
There are many benefits to be gained from using social media if your organization is a HIPAA Covered Entity or Business Associate. For example, healthcare providers can promote healthy lifestyles, raise awareness of emerging health issues, and make announcements when special clinics or services are available to the public.
Health plans can use social media to market health insurance products, advertise new plans and benefits, and attract new customers; while Business Associates can promote B2B services and quickly answer questions from interested parties. However, all of these uses of social media may be subject to FTC and HIPAA social media rules.
What are the FTC Social Media Rules?
The FTC social media “rules” are the regulations relating to deceptive acts or practices in Section 5 of the Federal Trade Commission Act. The regulations apply to all forms of advertising and marketing, and define an act or practice as deceptive if:
- a representation, omission, or practice misleads or is likely to mislead the consumer;
- a consumer’s interpretation of the representation, omission, or practice is considered reasonable under the circumstances; and
- the misleading representation, omission, or practice is material.
This means any claim – whether made by an organization or on behalf of an organization, and regardless of whether Protected Health Information is disclosed to support the claim – must not “seek to gain an advantage while avoiding competing on the merits”.
What are the HIPAA Social Media Rules?
The HIPAA social media “rules” are the standards relating to permissible uses and disclosures of Protected Health Information (PHI) in the Privacy Rule. These effectively prohibit Covered Entities and Business Associates from using or disclosing PHI without an individual´s authorization.
If no PHI is disclosed – and the FTC Rules are complied with – the Privacy Rule does not apply, and Covered Entities and Business Associates can freely use social media networks to promote healthy lifestyles, market health insurance products, and promote B2B services.
However, it is important to understand what is considered PHI under HIPAA. The term PHI does not solely relate to health information, and it could be possible that – due to a lack of knowledge – a member of the workforce inadvertently discloses PHI in violation of the Privacy Rule.
Understanding Patient Authorization Rules
In addition to understanding what is considered PHI under HIPAA, it is also important to understand the patient authorization rules. These can be found in §164.508 of the Privacy Rule and stipulate that valid authorizations must include the following core elements:
- A meaningful description of the information to be used or disclosed
- A meaningful description of the purpose of the use or disclosure
- An explanation that the information may be further disclosed
- The individual´s right to revoke the authorization
- An expiration date for the authorization
With regards to the final core elements, it is important for the individual to be aware that a social media post containing their PHI may be widely shared, screenshot, and republished. Therefore, although the patient may request a revocation, the organization may be unable to comply.
This scenario is covered in the Privacy Rule by a clause that exempts revocations in cases where “the Covered Entity has taken action in reliance thereon”. Nonetheless, these core elements must be included in the authorization in order for it to be considered valid at the time it was signed.
Avoiding HIPAA Social Media Violations
There are several examples of HIPAA social media violations that have resulted in disciplinary action against the offender. For example, in October 2019, a dental practice was fined $10,000 for impermissibly disclosing PHI on a social media review site; while in January 2016, a nursing assistant was fired from her job and sentenced to 30 days in jail for posting a video of a patient online.
Consequently, Covered Entities, Business Associates, and members of their workforces should take steps to avoid HIPAA violations. These include providing training on the organization´s social media policies, enforcing sanctions policies that prohibit impermissible uses and disclosures of PHI on social media, and implementing safeguards to prevent inadvertent disclosures.
For further information on the best ways to avoid HIPAA violations when using social media, seek professional advice from a compliance expert. Alternatively, you are invited to download our HIPAA and Social Media Checklist which contains the key points organizations may wish to consider when developing a social media policy to comply with HIPAA.
HIPAA Social Media Rules – FAQs
What do you need to know about social media and HIPAA?
Posting PHI on social media is only permissible under HIPAA if you have a written authorization from the subject of the PHI. However, once something is posted on social media, you have no control over what happens to it. If the subject of the PHI subsequently wants to revoke their authorization, you cannot comply with the revocation because you have no control over who has seen the post or what copies of it have been made. Therefore, what you need to know about social media and HIPAA is don´t do it.
What is one reason that social media increases the risk for HIPAA violations?
Social media channels make it easy for users to take a quick photo and upload it to a social media channel with the tap of a screen. This increases the risk for HIPAA violations because members of a covered entity´s workforce can unthinkingly take a photo of something or someone they have seen and post it on the Internet within seconds. If the photo reveals any PHI identifier and health information (for example, a celebrity being brought into ER) it is a violation of HIPAA unless the written authorization of the celebrity has been obtained and documented.
What is considered a HIPAA violation with social media?
Posting any health information about an identifiable individual without their written authorization is a HIPAA violation with social media. Importantly, any authorization form has to inform the subject what the disclosure of PHI is for, explain that the subject has the right to revoke the authorization, and give the subject the option of stipulating a time period after which the disclosure must end. As it is impossible to control what happens to a social media post once it has been published, it is likely the Covered Entity will be able to comply with a revocation or expiration request, which is a violation of HIPAA.
If an employee attaches an image of a patient´s injury to a Tweet without any other identifying information, is that a breach of the HIPAA Privacy Rule?
This depends on whether the patient has given their written authorization for the image to be used. If they have, and the image is shared under the conditions of the authorization, there is no violation of the HIPAA Privacy Rule. If the patient has not authorized its use, the image could be used to identify the patient, and therefore the employee is in violation of the HIPAA Privacy Rule.
Do the HIPAA social media rules apply to all accounts or just corporate accounts?
The HIPAA social media rules apply to all accounts. It is also important to be aware that images posted on private social media accounts without patient consent are in double violation of HIPAA, as the individual has not only posted ePHI when they were not supposed to, they have also extracted the image from a corporate source that lacked the protections of the HIPAA Security Rule.
If there are no specific social media rules, can covered entities still be fined for violations of HIPAA on social media?
Absolutely. In most cases, unauthorized disclosures of ePHI on social media are impermissible disclosures – which is a breach of the Privacy Rule. Furthermore, as mentioned above, if an employee has accessed ePHI without authorization, the covered entity would be liable for the likely breach of the Security Rule for not protecting ePHI from unauthorized disclosure.
Do all employees have to be trained on HIPAA social media rules, or just those with access to ePHI?
All members of the workforce should be aware of the organization´s policies relating to social media whether they have access to ePHI or not. Even members of the workforce without access to ePHI can disclose information on social media such a patient´s name and what they are being treated for, so it is important they know not to disclose information without authorization through any media.
How can covered entities and business associates implement controls that flag potential HIPAA violations on social media?
At present, the simplest way to monitor social media for HIPAA violations is to search for specific hashtags relating to a healthcare facility (i.e., #nyp, #mayoclinic, #UPMC, etc.). Although a manual control rather than a technology control, reviewing what is written about a healthcare facility on social media can help facilities improve their services – and their HIPAA policies – in many different ways.
The post HIPAA Social Media Rules appeared first on HIPAA Journal.