It’s easier than you think to violate HIPAA on social media
The HIPAA Privacy Rule prohibits the posting of any text about specific patients as well as images or videos that could result in a patient being identified.
Social media has become one of the most common ways people share news and stay in touch, but USA Health employees, like employees at every health system, have to be diligent to avoid violating laws and policies designed to protect patient privacy.
The primary purpose of the HIPAA Privacy Rule and USA Health policies regarding social media is to ensure that protected health information is never disclosed inappropriately.
Protected health information can only be included in social media posts if a patient has given his or her consent in writing to allow health information to be used -- and then only for the purpose specifically outlined in the consent form, says Linda Hudson, chief HIPAA compliance officer for USA Health.
Even indirectly mentioning an interaction or an experience can be a violation if it can be used to identify a patient. “Employees know that posting a patient’s name or Social Security number would be an obvious violation, but indirect mentions that can be used to identify a patient are violations, too,” Hudson said. “A happy post congratulating a mother for giving birth to triplets or praising a patient for completing cancer treatment can violate HIPAA, even without including the patient’s name or a photo.”
USA Health employees should also remember that these restrictions apply even if they were friends with someone before that person became a patient of USA Health. “HIPAA has very specific rules about how patients must provide consent. They need to complete and sign the form available from USA Health Marketing & Communications,” she said. “Even if the patient provides verbal consent, USA Health and the employee who shared the information still would face the consequences of a violation without the proper, approved, HIPAA-compliant authorization documentation.”
When in doubt, Hudson advises reaching out to the USA Health Office of HIPAA Compliance at 251-470-5802 before posting.
Lastly, employees should remember that even social media posts unrelated to specific USA Health patients might still violate other policies. For example, employees should not leave comments that criticize any group of patients or that give people reason to question the care they will receive at a USA Health facility.