While HIPAA isn't that old of a law, it does predate the rise of social media. Still, social media isn't immune to the effects of HIPAA. HIPAA violations associated with social media are just as important as other violations, and you should take them seriously. That way, you can provide professional, good care. Read on to learn more about HIPAA and social media.
Don't Disclose PHI
The biggest thing you and your employees need to remember is that you should never use or disclose protected health information (PHI) on social media. Disclosing PHI is one of the biggest HIPAA violations associated with social media and in general. It doesn't matter if you use Facebook or Instagram or if you have a private or public account. Social media is a place to be social, not to talk about patients. You should never talk about patient names, addresses, or medical records. While you can talk about what you do at work, you should keep patient information vague. Instead of talking about a specific case, talk about your work more generally, such as your specialty.
Social Media HIPAA Violations
When considering HIPAA and social media, you should consider some common ways you can violate HIPAA. These violations could happen accidentally or on purpose. Either way, you and your employees should avoid these violations. While there are other HIPAA violations on social media, you should know how to spot and avoid the most popular ones.
Sharing Patient Gossip
If you have a unique patient case, it can be tempting to share it with others online. You can ask if others have had a similar situation, or you can share your experience. But sharing patient gossip can be an easy way to violate HIPAA on social media. Even if a post's purpose isn't to gossip, sharing too much is a problem. It's one thing to share a health tip based on a condition. However, sharing details about the patient's history or treatment isn't okay.
Photos or Videos With Patients or PHI
One thin line you also have to walk when posting on social media is with photos and videos. You can share a picture or video of you at your desk or otherwise working. However, you can't post a photo or video if it includes a patient. If someone can identify the patient, you should delete the content or edit the patient out. You also need to avoid posting photos or videos where PHI is visible. A picture at your desk may be okay if you have your desktop open. But if you're looking at a patient file, you should adjust your camera angle.
Photos or Videos Without Written Consent
Now, there is one exception regarding posting photos and videos of patients. If you have written consent from a patient, you can share a photo or video with that person in it. Photos and videos can be a good way to share social proof for your medical practice. You can ask for patients to record video testimonials of their experience with you. Or you can share before and after photos of something like weight loss or improving acne. Testimonials and patient stories can be a great marketing tool. However, you have to get consent if such tools require disclosing individuals.
Including Identifiable Information
It's especially important that you don't post photos or videos that can identify patients. Avoid posting anything with patients in view, even if they're facing away from the camera. You should also avoid posting about patients and sharing identifiable information in a text post or video. For example, sharing your favorite healthy eating tip can be a great way to interact with others online. However, you can't share how that tip has helped your 45-year old female patient lose 20 pounds. Make sure you keep any tips or health information as vague as you can. If you aren't sure if something is okay, don't post it.
Posting to a Private Group
Another one of the most common HIPAA violations associated with social media is sharing photos, videos, or text within a private group on social media. Just like posting to a more public platform, sharing information here is risky. If you wouldn't post it on a public feed, you shouldn't share it in a group. Perhaps you have a private group with your coworkers. Move the conversation to a secure messaging system so that you can make sure the messages are encrypted. You can't control the privacy or security breaches that social networks experience. By using a different system, you can make sure your messages are secure.
How to Avoid HIPAA Violations on Social Media
When ensuring HIPAA compliance on social media, you can take a few steps to protect your organization and employees. You should follow HIPAA guidelines when posting to any company accounts as well as your personal social media. Whether you have a new health care organization or need to update your policies, you can do so. That way, you can avoid HIPAA violations on social media now and in the future. Consider what you can do to ensure everyone in your organization understands social media and HIPAA compliance within that.
Set Social Media Policies
The first thing you should do is to create social media use policies. You should allow people to use social media, but you can set guidelines for what they can post. Your policy should cover using social media during work and after hours. That way, you can make sure employees don't engage in patient gossip or share photos with visible PHI. Make your social media policies as clear as you can. Consider your organization's code of ethics as well as HIPAA. Your policy should also outline discipline when someone doesn't follow it so that you can take the right steps to prevent a recurrence.
Give Examples
When setting your policies, you should give examples of what is okay to post. You can answer questions that your employees have and share in more detail what is off-limits. Take photos and videos in your office, some of which have PHI and others that don't. Then, your employees can review and compare the footage. That way, they will know what they can photograph or not. If employees still have questions, you can have them take a HIPAA course. That way, they can understand what HIPAA protects, and they can know what information to avoid posting online.
Set Violation Penalties
To reinforce the importance of HIPAA, you need to have a strong discipline policy. That way, you can take the right steps when someone happens to violate HIPAA on their social media. While the federal and state governments have penalties for violating HIPAA, setting your own policies lets you take immediate action. As soon as you learn of a HIPAA-violating post, you can talk to the employee who posted it. You can set your policies to be as strict as you want. So you may decide that one offense is enough to fire someone. Or you may give one warning before terminating someone's employment. Of course, you should also follow governmental penalties. Make sure whoever violates HIPAA pays any fines necessary. When someone does violate HIPAA, don't be afraid to remind everyone of your organization's policies.
Ask for Reports
If you have a lot of employees, you probably can't monitor all of their personal accounts. Instead, you can ask for help from employees and have them report any violations they see. Consider using an anonymous report form. That way, you can encourage employees to speak up when they see something bad. No one will feel pressured to stay quiet if their best work friend is the one guilty. And you can catch and resolve HIPAA violations more quickly.
Separate Personal and Professional Accounts
Creating a social media presence for your organization can be a great marketing and engagement tool. You can share health tips and promote your medical practice. But you should keep your professional accounts separate from your personal profiles. Avoid using one Instagram account for both your personal life and your medical practice. Then, don't post medical stuff on your personal account. Instead, you can post health tips and other information on your company account. As always, follow HIPAA guidelines and avoid identifying patients and PHI.
Create a Social Media Marketing Policy
You should also create a social media marketing policy to follow when posting to your company accounts. A policy is especially helpful if you will have other people help you run the account. Your policies can be similar to those you provide individual employees. But you can also include details about what you want to post to market your organization. If you will be hiring a social media marketer, you can require that your legal or compliance department approves the post before publishing. That way, you can make sure you maintain a good, professional image for the account and your office.
Monitor Company Accounts
While you should be able to approve what your team posts to your social media, you should also monitor the accounts. That way, you can take down anything questionable or that didn't get a review. You can also remove comments from users who are sharing PHI or are otherwise violating HIPAA. Be sure to monitor your account regularly. When you first start, you may only need to monitor the account once or twice a week. As you have more posts and get more followers, you may want to check things once a day so that you can delete stuff more quickly.
Record Content
You should also keep a record of everything that you post on your company accounts. That way, you can preserve earlier versions if you decide to edit a post later. Keeping a record can also include who posts what on your page. If you notice that one admin tends to post the same content that violates HIPAA, you can talk to that person. Follow your discipline policy, so do anything from giving a warning to firing the employee in question. Make a record of any disciplinary action you take as well so that you can do the same when similar situations happen later.
Don't Communicate With Patients
As your patients find you or your office page, they may want to use it to communicate with you about their concerns. While they can message you about things like office hours, you shouldn't use social media to discuss their medical records. Instead, direct them to your company email address. If you use an online patient portal, you can use that to communicate with patients. That way, you have a secure tool that will protect patient data. And you can avoid potential HIPAA violations associated with social media.
Don't Offer Individual Advice
If you post about your favorite health tips, you may get questions in the comments with more details. You can answer general questions, like about the symptoms of dehydration. However, you should never answer individual questions, such as if someone is experiencing dehydration. For one, you should only answer those individual questions for your patients, not anyone who finds your page. But answering questions for patients in the public puts their PHI at risk. If you need to use someone's medical records to answer their question, you should have them book an appointment.
Review Your Policies
Another thing you should do to avoid HIPAA violations on social media is to review your social media policies. You can review your policies each year to make sure you stay in compliance with HIPAA and social media networks. If a new social platform gains popularity, you should also review your policies when that happens. That way, you can edit or add a social media policy for that network. That way, people can use Facebook, Instagram, and TikTok individually without compromising patient records.
HIPAA Violations Associated With Social Media
Violating HIPAA is something every health care professional should consider each day. With social media growing in popularity, so have HIPAA violations associated with social media. That means you and your employees need to take extra precautions to protect patient information. Having the right policies can help you avoid violations and take action when they do occur. Do you your employees to brush up on HIPAA? Enroll your team in our HIPAA courses today.
For 2021 Guidelines for Healthcare Workers, please click here. For 2021 Guidelines for Business Associates, please click here.
FAQs
How could HIPAA be violated on social media? ›
The posting of any PHI, without patient authorization, on social media may constitute a HIPAA violation. This includes any text, image, video, or other media identifying the individual as a patient of the practice as well as any media in which patients of a practice or PHI are visible.
Is it a HIPAA violation to look up a patient on social media? ›Is following a patient on social media a HIPAA violation? Seeking out a patient on social media using their PHI (including their name) may be a HIPAA violation. It is better to avoid personal connections with patients on social media.
How can nurses ensure they do not violate HIPAA when using social media? ›Don't post any photos or videos of patients. Never mention patients by name. Don't complain about patients online, even vaguely. Don't post photos of healthcare facilities showing patients or any information.
How often is HIPAA violated on social media? ›In the first half of 2018, more than 56% of the 4.5 billion compromised data records were from social media incidents. Some of these were HIPAA violations from employees posting a patient's protected health information (PHI) the social web. Some of these were accidental. Maybe PHI was in the background unknowingly.
What is the social media policy for healthcare workers? ›“Employees may not post any content that is personal health information including patient images on any social media site. You may not use the social media site to provide medical advice.”
How can social media violate ethical nursing practices? ›Nurses may breach confidentiality or privacy with information they post via social media sites. Examples may include comments in which patients are described with enough sufficient detail to be identified, referring to patients in a degrading or demeaning manner, or posting videos or photos of patients.
Do HIPAA laws apply to media? ›The HIPAA Privacy Rule does not permit a covered entity to give the media access to such patient PHI unless it obtains a valid HIPAA authorization from the patient before giving such access.
What are three types of HIPAA privacy violations? ›The 3 most common HIPAA violations according to HHS´ Enforcement Highlights report are impermissible uses and disclosures of PHI, a lack of safeguards for PHI, and the lack of patient access to PHI.
Can you add your patients on social media? ›While patient friend requests do not violate HIPAA, they are not recommended. Before deciding whether or not to connect to patients through social media, healthcare workers must look at their organizations policies in regards to social media.
Is sharing a picture of a patient a HIPAA violation? ›The only times taking a picture of a patient is a HIPAA violation is when a picture is taken by a member of a Covered Entity's workforce without the authorization of the patient and/or for a use or disclosure not permitted by the Privacy Rule.
What social media guidelines should exist for nurses? ›
Share credible information only. The dissemination of credible and reliable information protects the health and well-being of the public. Engage with respectful content. Do not share content that is harmful, disparaging, racist, homophobic, or derogatory.
What not to post on social media as a nurse? ›Do not post inappropriate photos, or negative comments about colleagues or employers. Never discuss drug and alcohol use. Use social media to post positive comments about your workplace and its staff. Share educational information that may benefit others, such as safety notices and medical news.
What are the confidentiality practices related to social media in healthcare? ›Don't post pictures or other patient information without patients' express consent. (The fact that patients or their family members have already posted something about the situation does not constitute valid consent.) Don't gossip about patients.
What are three 3 dangers of using social media with examples? ›- cyberbullying (bullying using digital technology)
- invasion of privacy.
- identity theft.
- your child seeing offensive images and messages.
- the presence of strangers who may be there to 'groom' other members.
The more time spent on social media can lead to cyberbullying, social anxiety, depression, and exposure to content that is not age appropriate.
What is an example of ethical issues in social media? ›Examples of such violations include (a) posting distinctive personal information about your clients or research subjects that breaches confidentiality and (b) misrepresenting to the public the services you provide, the products you sell, or your level of expertise.
What are the 5 most common violations to the HIPAA privacy Rule? ›- Losing Devices. In the last decade, over 800 device loss or theft incidents have been reported. ...
- Getting Hacked. ...
- Employees Dishonestly Accessing Files. ...
- Improper Filing and Disposing of Documents. ...
- Releasing Patient Information After the Authorization Period Expires.
Snooping on healthcare records of family, friends, neighbors, co-workers, and celebrities is one of the most common HIPAA violations committed by employees. When discovered, these violations can result in termination of employment but could also result in criminal charges for the employee concerned.
What are some of the Board of Nursing consequences for social media violations? ›Such violations may result in both civil and criminal penalties, including fines and possible jail time. A nurse may face personal liability and be individually sued for defamation, invasion of privacy, or harassment.
What is the ethical issue of social media in healthcare? ›Most relevant issues in social-media applications are confidence and privacy that need to be carefully preserved. The patient-physician relationship can suffer from the new information gain on both sides since private information of both healthcare provider and consumer may be accessible through the Internet.
What are three risk of the use of social media in healthcare? ›
Social Media Risks
Violations of patient privacy and/or confidentiality. Breaches of patient privacy/confidentially can be intentional or inadvertent, with inappropriate postings including patient photos, negative comments about patients, or details that might identify patients. Unprofessional behavior.
Breaches of Patient Privacy
One of the greatest risks of physician social media use is the potential for the breach of patient confidentiality. Any healthcare provider is liable under state privacy federal HIPAA laws for infractions.
In relation to news coverage it includes issues such as impartiality, objectivity, balance, bias, privacy, and the public interest. More generally, it also includes stereotyping, taste and decency, obscenity, freedom of speech, advertising practices such as product placement, and legal issues such as defamation.
What are the problems associated with social media use in nursing practice? ›Negative Ways Nurses Use Social Media
Many of the ways social media and nursing don't work well together have to do with breaking confidentiality and patient privacy. Any patient information may only be disclosed to other health care team members to provide further patient care.
Examples of research using only RHI and thus not subject to HIPAA include: use of aggregated (non-individual) data; diagnostic tests from which results are not entered into the medical record and are not disclosed to the subject; and testing conducted without any PHI identifiers.
What can you share without violating HIPAA? ›What information can be shared without violating HIPAA? All information can be shared without violating HIPAA provided it is shared for a permissible use or disclosure or the entity sharing the information has obtained a written authorization from the subject of the information.
What is not allowed under HIPAA? ›Your health information cannot be used or shared without your written permission unless this law allows it. For example, without your authorization, your provider generally cannot: Give your information to your employer. Use or share your information for marketing or advertising purposes or sell your information.
Which is the most serious type of HIPAA violation? ›HIPAA Violation 1: A Non-Encrypted Lost or Stolen Device
One of the most common HIPAA violations is that a lost or stolen device can easily result in theft or unauthorized access to PHI. Fines of up to $1.5 million – per violation category, per year that the violation has been allowed to persist.
- Be filed in writing by mail, fax, e-mail, or via the OCR Complaint Portal.
- Name the covered entity or business associate involved, and describe the acts or omissions, you believed violated the requirements of the Privacy, Security, or Breach Notification Rules.
HIPAA-covered entities report many violations of the HIPPA Rules through internal audits. Often employers will identify employees who have caused HIPAA violations. Employees who realize they may have violated HIPAA Rules will often self-report. They will also report potential violations made by their coworkers.
Is it against HIPAA to add a patient on Facebook? ›
Accepting or requesting a Facebook request from a patient does not violate HIPAA requirements as long as you don't share any of the patient's personal information in any of your communications. Where you can get into trouble is when you break patient privacy laws by sharing personal private information.
Is it illegal to give medical advice on social media? ›Right to privacy
One important guideline is regarding protected health information, or PHI. Whenever a professional shares personal information, text, photos, or videos of a patient online to the public, they are violating this privacy rule. If the patient gives his or her permission to do so, then it can be legal.
Sharing any identifiable information about a patient is a violation of HIPAA. This includes patient stories, medical images, or photos of patients—even if they are in the background or you cannot see their faces.
What is an example of a HIPAA violation with social media? ›One thing considered a HIPAA violation with social media is posting any individually identifiable health information without a written authorization. Importantly, an authorization form has to inform the subject what the disclosure is for and explain that the subject has the right to revoke the authorization.
Is it against HIPAA to look up a patient on social media? ›Is following a patient on social media a HIPAA violation? Seeking out a patient on social media using their PHI (including their name) may be a HIPAA violation. It is better to avoid personal connections with patients on social media.
How can social media violate HIPAA? ›The posting of any PHI, without patient authorization, on social media may constitute a HIPAA violation. This includes any text, image, video, or other media identifying the individual as a patient of the practice as well as any media in which patients of a practice or PHI are visible.
Can nurses add patients on social media? ›It's crucial that nurses remember that social media is a public forum. If you post negative comments about coworkers or your workplace, your employer may see it and the post could be grounds for getting fired. Many health organizations also discourage nurses from connecting with or “friending” patients on social media.
What are ethical guidelines in social media? ›The three main principles of social media ethics and etiquette are. Authenticity—people will respond positively if you are sincere. Transparency—having hidden agendas will only count against you. Communication—getting to know people as people and letting them get to know you.
How nurses can avoid HIPAA violations on social media? ›- Don't post any photos or videos of patients.
- Never mention patients by name.
- Don't complain about patients online, even vaguely.
- Don't post photos of healthcare facilities showing patients or any information.
Maintain a positive tone and attitude: Negativity, complaints and condescending messages often reflect poorly on the poster. Since social networks are shared venues enjoyed in mixed company, always avoid using vulgar language and making derogatory remarks.
What personal information should you not post on social media? ›
Identification and financial information like your Social security number (SSN), driver's license number, bank account numbers, and passport number should never make it to a social media site. These can be used immediately for identity theft and more.
What kinds of things should you not post on your professional social media pages? ›DON'T post anything too personal
Too often you hear horror stories from professionals who post a bathing suit or after-hours picture and get reprimanded by the others within their network. Never post these pictures on your professional accounts. They can damage reputation and make others question your credibility.
Identify and protect against reasonably anticipated threats to the security or integrity of the information; Protect against reasonably anticipated, impermissible uses or disclosures; and. Ensure compliance by their workforce.
What are three 3 specific ways that HIPAA protects the privacy and confidentiality of healthcare information? ›- The Privacy Rule.
- The Security Rule.
- The Breach Notification Rule.
- Use a secure file-sharing and messaging platform. ...
- Store Physical Documents in an Environment with Controlled Access. ...
- Comply with Industry Regulations (SOC-2, HIPAA, PIPEDA) ...
- Host Routine Security Training for Staff. ...
- Stay Alert of New Security Threats.
Snooping on healthcare records of family, friends, neighbors, co-workers, and celebrities is one of the most common HIPAA violations committed by employees. When discovered, these violations can result in termination of employment but could also result in criminal charges for the employee concerned.
What qualifies as a HIPAA violation? ›A criminal HIPAA violation is when a covered entity, business associate, or a member of either´s workforce has wrongfully and knowingly accessed, obtained, or transmitted Protected Health Information without authorization for a purpose prohibited by §1320d-6 of the Social Security Act.
What are the 3 patient rights under the HIPAA privacy Rule? ›The Rule also gives individuals rights over their protected health information, including rights to examine and obtain a copy of their health records, to direct a covered entity to transmit to a third party an electronic copy of their protected health information in an electronic health record, and to request ...
Which of the following is the most common HIPAA violation? ›Failing to Secure and Encrypt Data
Perhaps the most common of all HIPAA violations is the failure to properly secure and encrypt data.
| Culpability | Minimum Penalty per Violation 1 | Annual Cap |
|---|---|---|
| 1. No Knowledge3 | $100 | $25,000 |
| 2. Reasonable cause4 | $1,000 | $100,000 |
| 3. Willful neglect, timely corrected5 | $10,000 | $250,000 |
| 4. Willful neglect, not timely corrected6 | $50,000 | $1,500,000 |
What are the 5 most common violations to the HIPAA privacy rule quizlet? ›
The five most common HIPAA privacy rule violations include losing devices with information, getting hacked, employees dishonestly accessing files, improper disposal and organization of documents. These violations can come with severe penalties but are easily avoidable.