Social Media Rules: Think Before You Share — or Risk a HIPAA Violation

September 26, 2017

Recent Case with Financial Payout Underscores Risks of Noncompliance

// By Lisa D. Ellis //

How can you make sure your organization’s formal social media sharing doesn’t violate HIPAA regulations? A privacy expert offers advice on how to avoid shooting yourself in the foot when marketing via social channels. He also points to a recent settlement that reminds organizations of the consequences, and the potential costs, of losing control of the information they share digitally.

Health care marketers have many hurdles to overcome to achieve their organizational goals, and one of the biggest is ensuring the organization meets HIPAA requirements in everything it does. To help you understand how this translates into everyday operations, this month we look at the impact of HIPAA from two angles: how to engage health care consumers via social media without violating patient privacy (covered in this article), and how to host media at your facility without stepping on legal landmines (explored in a companion article).

You go to great lengths to protect patient privacy in your day-to-day operations and social media efforts. But given the number of social media channels marketers use to reach their audience, and the speed at which information spreads once it is online, it is all too easy for protected health information (PHI) to be broadcast without proper authorization. With cell phones, tablets, and laptops pervasive in health care settings, the risk of a Health Insurance Portability and Accountability Act (HIPAA) breach exists on two fronts: your organization’s formal digital communications, and your employees’ personal social media sharing. Protecting your brand means taking steps on both.

Costly Privacy Breach

A physical therapy group called Complete P.T., Pool & Land Physical Therapy, Inc. in Los Angeles recently found out the hard way that violating HIPAA through digital communications can bring serious penalties. The violation, which occurred in 2012, centered on patient testimonials, with names and accompanying photos, posted on the group’s website. The group had not obtained written, HIPAA-compliant authorizations from those patients permitting their information to be used this way. The matter was resolved in 2016 with the group paying a $25,000 settlement to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and agreeing to a corrective action plan.

While the financial damage was relatively low in the grand scheme of things (HIPAA settlements and penalties can run into hundreds of thousands or even millions of dollars), the message this settlement sends should still make other organizations take notice.

Deciphering the Message

Jay Hodes, founder and president of Colington Consulting

“This was the smallest settlement ever when it comes to a HIPAA violation,” says Jay Hodes, founder and president of Colington Consulting, in Virginia, which specializes in assisting groups on HIPAA compliance and other related issues. Hodes is also a former assistant inspector general for investigations at the US Department of Health and Human Services (HHS).

He believes the penalty is meant to send a loud message to other organizations to take all of the right steps to protect their patients’ information, or be prepared to face serious consequences.

Further, he emphasizes that a similar situation can easily happen to other organizations if they lack a written social media policy, and if they do not have controls in place to ensure staff are trained to follow HIPAA rules so that such mistakes are caught before they become violations.

Exploring Risks in Formal Communications

Given the rapid pace at which communication specialists today develop e-newsletters, write blog posts, and share content on social media, it is easy to see why health care organizations are at constant risk of revealing identifying details about a patient in a public digital post of some kind.

Examples of Common Violations You Might Overlook

Common mistakes in health care organizations’ communications include capturing a patient or family member in the background of a staff photo without permission; including enough recognizable detail in an article or blog post that a patient could feel his or her privacy has been compromised; and posting a video that shows a computer screen with patient records open and names legible. In each case the problem is the same: identifiable patient information leaves the organization without authorization, even though no one intended to disclose it.

Personal Social Media Accounts Also Pose HIPAA Violation Risks

While organizational communications should be monitored for potential breaches before they go live, groups also need to think about employees’ personal messages and the potential they hold for sharing protected health information.

Employees have been known to violate HIPAA in several ways through their own social media posts: talking about someone they saw on-site, including commenting on a case or situation that others could recognize (a famous singer who came to the hospital today, or a neighbor or former classmate, any of whom others may be able to identify); offering medical opinions on personal accounts that could be construed as advice from your health system; and sharing posts or updates that refer to specific situations they encountered during their shift. Posting photos or videos taken in the hospital, clinic, or even on the property can also constitute a HIPAA violation if any patient or patient information is visible in the image.

In addition, even a physician consulting colleagues in a professional group on a site like LinkedIn can commit a HIPAA violation by sharing a patient’s identifying details to get opinions on a diagnosis. A closed or professional audience does not change the analysis; the disclosure is permissible only if the information has been properly de-identified.

Further, keep in mind that once a tweet or update is posted, even if it is shared only with a limited personal network, it can be retweeted or reshared until it has gone viral. Complicating matters, once the information is out there, there is often no way to completely erase the trail. This leaves many health care organizations exposed, often without knowing it until it is too late.

Be Vigilant About What to Share—Here’s How

With so many potential problems to worry about, you may wonder if there’s any way to safely navigate the challenges while taking advantage of social media’s many advantages. Hodes says the answer is “a resounding yes,” but he adds that the key is staying on top of things by creating and enforcing formal policies, training staff on how to follow them properly, and constantly monitoring your organization’s posts to be sure they are HIPAA compliant.

“There are some clear challenges when it comes to meeting the requirements of the HIPAA Privacy Rule. But those challenges do not need to be obstacles, as long as there is proper guidance on what can or cannot be posted. In a health care organization, my advice is to have a comprehensive written policy and procedure,” Hodes says. “The less discretion the better—meaning there is always structured guidance to follow, with little to no wiggle room. You can be social but be safe.”

Steps to Protect Personal Patient Health Information

Steps you can take to protect your patients’ protected health information include:

  1. Create a formal social media policy to guide your organization’s posting, blogging, and website content, and a separate policy (or a separate section, if you prefer one policy to cover both) to guide employees’ personal social media use. For each, spell out whom it applies to, how you define social media, and what your organization’s position is. Keep in mind that HIPAA requires covered entities to maintain written privacy policies and procedures and to train their workforce on them; a social media policy is how that requirement is met for these channels. It is a good idea to have a legal expert specializing in HIPAA compliance lead the effort. (See sample language for such a policy in the box below.)
  2. Require employees to use their own personal accounts for social media rather than posting through work accounts. Staff should not “friend” patients, since doing so blurs the line between personal and professional communication and invites disclosures the organization cannot control.
  3. Train social media managers, clinical staff who might use social media to talk about work, and anyone else who could inadvertently share protected health information on the full scope of the rules and on how to recognize a violation. If your organization works with a marketing agency that handles social media campaigns, make sure the agency understands HIPAA compliance and patient privacy requirements.
  4. Put a process in place for all content to go through your communications department for approval before posting. Also consider a review step involving your legal department or a privacy attorney so that potential disclosures can be identified and corrected before they go live.
  5. Keep archives of all digital content and posts so that if a privacy breach is ever alleged, you have a record of what was published, when, and by whom, and can determine how to proceed.

Social Media Opportunities

“The diversity of social media platforms and post types—including simple text, article shares, images, and videos—enables a new level of connection between the public, patients, and health care professionals. However, while social media continues to grow in importance in health care marketing, the challenges associated for noncompliance with HIPAA rules and regulations continue to increase,” Hodes says. This makes it essential that organizations keep this issue on the agenda (with guidance from legal counsel or other trained HIPAA-compliance experts) and find ways to maintain a strong, engaging presence online while keeping patients’ personal information safe.

Sample Organization-Wide Social Media Policy

HIPAA requires covered entities to have written privacy policies and procedures and to train their workforce on them, and a formal social media policy is how most organizations apply that requirement to digital channels. MD Anderson in Texas publishes its comprehensive social media policy on its website, and it can serve as a good starting point for groups looking for a model. (It is an informative model, but it may not suit your needs. Seek the advice of a lawyer or other expert specializing in HIPAA compliance who can help tailor your policy to your organization’s specific realities and concerns.)

The MD Anderson policy offers a specific list of personal violations to avoid, including:

  1. Sharing a photo or video of a patient online
  2. Naming a specific patient in your post
  3. Sharing diagnostic imaging results that have any identifiable information (such as name, time, or date)
  4. Posting a diagnostic image that has a name, MRN, time, or date on it
  5. Describing a patient encounter with enough specificity that the patient or someone who knows the patient would know whom you are talking about
  6. Responding to a post or public message from a patient with additional details about the patient’s health

The policy also sets out a number of other requirements, including, under its Use/Disclosure section, restricting images shared online to business use and requiring that they must be accompanied by the written authorization of the patient (or his or her representative).

Lisa D. Ellis is the editor of Strategic Health Care Marketing. She is a journalist and content development specialist who helps hospitals and other health care providers and organizations shape strategic messages and communicate them to their target audiences. You can reach her at editor@strategicHCmarketing.com.