HIPAA stands for the Well being Insurance coverage Portability and Accountability Act. It’s an overarching piece of laws relating to well being info in america.
In case you handle social media for a healthcare group, you’ve come to the proper place. On this article, we clarify what HIPAA says about social media, go over widespread HIPAA violations, and share suggestions for constructing a HIPAA-compliant social media technique.
HIPAA doesn’t explicitly say something about social media. That’s as a result of the requirements had been created earlier than social media platforms existed. Nevertheless, social media is topic to the Privateness Rule. The requirements on disclosures of protected well being info are notably related.
Meaning organizations coated by HIPAA can not publish or share any protected well being info on social media with out the related particular person’s particular, written authorization.
Who is roofed by HIPAA social media guidelines?
Let’s dive a bit of deeper right here. First, who is roofed by HIPAA on social media?
Lined entities are:
- Healthcare suppliers, like docs, dentists, and pharmacies.
- Well being plans, like HMOs and employer well being plans.
- Healthcare clearinghouses, which course of well being info.
HIPAA additionally covers enterprise associates of those coated entities. These are companions that require entry to well being info to carry out sure providers.
What info is roofed by HIPAA social media guidelines?
So, what’s a HIPAA violation on social media? First, let’s take a look at some definitions from the Code of Federal Laws. They make clear what varieties of info are protected:
- Well being info: “Relates to the previous, current, or future bodily or psychological well being or situation of a person; the availability of well being care to a person; or the previous, current, or future fee for the availability of well being care to a person.”
- Protected well being info is: “individually identifiable well being info … transmitted or maintained in any … type or medium,” with a number of exceptions for schooling and employment information and individuals who died greater than 50 years in the past.
- And a designated file set consists of: “any merchandise, assortment, or grouping of data that features protected well being info.”
That’s quite a bit to parse. Let’s take a look at an easier definition of protected well being info (PHI) from the Medicare Studying Community. (MLN is a part of the Division of Well being and Human Providers.)
PHI consists of:
- “Frequent identifiers, corresponding to identify, deal with, beginning date, and SSN
- The affected person’s previous, current, or future bodily or psychological well being situation
- Well being care you present to the affected person, and
- The previous, current, or future fee for well being care you present to the affected person.”
Virtually something identifiable to a affected person in your information is protected by HIPAA. Importantly for social media, this consists of photographs during which a affected person’s identify, face, or different identifiable particulars are seen.
There are 18 particular identifiers “that might be used to determine the person or the person’s kin, employers, or family members.” None of those could be included on social media.
Well being info could be “de-identified.” This course of makes use of both professional dedication or the secure harbor technique. The secure harbor technique (removing of identifiers) is the most effective strategy to stop social media HIPAA violations.
You will discover the total particulars of the identifiers on the HHS web site.
Posting affected person info with out authorization
You’ll by no means publish a affected person’s private well being information on social media. However you may want to share a affected person testimonial. Or perhaps a case research that features a affected person’s identify for credibility.
To adjust to HIPAA, you want express written authorization from the related affected person. The problem is that HIPAA authorizations should give the affected person the proper to revoke their authorization.
If a affected person revokes their authorization, you’ll be able to take away the social media publish from your individual channels. However what if another person has captured a screenshot and shared it elsewhere? When you publish affected person info on public social channels, you lose management of how that info will unfold.
Sharing affected person photographs or paperwork
Any time you share a photograph of your office or facility on social media, HIPAA violations ought to be entrance of thoughts.
The foreground would possibly present a few your smiling staff or a brand new piece of kit. However what’s within the background? Are the faces of any sufferers or their members of the family seen? What about affected person charts, medical information, names, or different particulars on partitions or desks?
In case you’re sharing an instance of your work, or of a situation or damage, it’s apparent to keep away from revealing the affected person’s face. However have you ever captured every other identifiable marks (e.g. tattoos or uncommon birthmarks)?
Responding to complaints or damaging evaluations
Restaurant house owners have gone viral with cheeky replies to individuals who left undeserved damaging suggestions. However this isn’t a viable possibility for these working in healthcare.
For instance, in 2022, the HHS Workplace for Civil Rights issued a $50,000 high-quality in opposition to a dental observe. That they had used a affected person’s full identify in response to a grievance on the corporate’s Google enterprise web page. The unique grievance used a pseudonym.
Later that very same 12 months, HHS fined one other dental observe $23,000 and issued a corrective motion plan for related violations on Yelp.
Within the press launch for the latter case, OCR Director Melanie Fontes said:
“This newest enforcement motion demonstrates the significance of following the legislation even if you end up utilizing social media. Suppliers can not disclose protected well being info of their sufferers when responding to damaging on-line evaluations.”
Unfavorable evaluations might sting, however a serious high-quality stings extra. Stay skilled. Maintain affected person info confidential, irrespective of how tempting it could be to name them out.
Sharing affected person info with an company
Do you’re employed with a third-party advertising and marketing company to make it easier to with social media? You want to think about what info they’ve entry to. If they’ve entry to any private well being info, together with affected person photographs, you want them to signal a enterprise affiliate settlement.
Creating customized audiences for social adverts
Paid social is one other potential supply of social media HIPAA violations. For instance, you can’t signal a enterprise affiliate settlement with Fb. Meaning you can’t add an inventory of affected person emails to create a customized viewers for Fb adverts.
That doesn’t imply you may have to keep away from all focusing on on social. In case you perceive the traits of your goal market, you need to use these focusing on choices to attain the proper audiences with social adverts. You simply can’t use identifiable info from current sufferers within the course of.
Speaking by means of social messaging platforms
Throughout the COVID-19 pandemic, HHS supplied flexibility on well being care communication channels. Nevertheless, that flexibility is scheduled to finish on Might 11, 2023.
If in case you have been utilizing channels like Fb Messenger or WhatsApp to talk with sufferers, your technique wants to change. You’ll be able to nonetheless talk just about with sufferers, however you want to use HIPAA-compliant options.
If you’d like to use SMS, WhatsApp, or social messaging providers to ship appointment reminders, you want to ship them with none PHI included.
Meaning you must embody solely your observe identify and the time of the appointment. You can’t embody the affected person identify or the character of the appointment within the message. You additionally want to get affected person authorization to talk utilizing textual content channels earlier than doing so. Even for appointment reminders.
The implications for a HIPAA violation rely upon the character of the violation and who dedicated it. For instance, the implications are harsher for a violation on a hospital’s company account. A violation on the private account of a nurse who works at that hospital will likely be much less extreme.
Each group coated by HIPAA ought to have a sanctions coverage for violations. These would apply to a violation made by somebody who works on the group.
And for the group itself? A violation case that goes to the Well being and Human Providers Workplace for Civil Rights might end in a serious monetary penalty. The utmost high-quality is $1.5 million.
Supply: Nationwide Consortium of Telehealth Useful resource Facilities
1. Perceive the rules
HIPAA social media guidelines are tough to perceive particularly as a result of there are not any express HIPAA safety rules for social media. Instad, you want to take your understanding of the HIPAA Privateness Rule and apply it to social media.
Briefly, MLN specifies that you should:
- “Notify sufferers about their privateness rights and how you utilize their info
- Undertake privateness procedures and practice staff to observe them
- Assign a person to be sure you’re adopting and following privateness procedures, and
- Safe affected person information containing PHI so that they aren’t available to those that don’t want to see them.”
2. Practice your crew
As famous above, coaching your crew is a required part of HIPAA compliance for social media. Meaning your entire crew, not simply your social crew.
Virtually all staff inside a well being care setting have entry to some extent of PHI. Meaning any worker might expose your group to social media HIPAA violations.
Unintended social media HIPAA violation examples by your crew would possibly embody:
- a workers Instagram photograph that reveals a affected person’s face within the background, or
- a publish in a Fb group a couple of movie star session or tough case.
3. Restrict entry to your social accounts
Limiting entry to your social accounts protects your group in opposition to posting content material that violates HIPAA social media guidelines. Everybody in your crew ought to perceive the fundamentals. However you want to assign one or two key people who find themselves HIPAA social media consultants. They need to log out on content material earlier than posting.
Nevertheless, these consultants are seemingly at too excessive of a stage in your group to be chargeable for creating all of the social content material. Meaning you want a system of workflows and approvals. Acceptable members of your social crew can create content material that’s then queued for approval by your HIPAA consultants.
Hootsuite has a built-in content material creation and approval course of. You’ll be able to assign particular permissions for particular person crew members. You may also arrange approvals on responses to social feedback, which is a key space the place potential HIPAA violations can happen.
Hootsuite permits you to revoke entry to your social accounts when somebody leaves your group or modifications roles. This helps guarantee compliance with HIPAA entry guidelines.
4. Create clear social media pointers
It’s vital for any healthcare group utilizing social media to have a sturdy social media coverage. The coverage wants to clearly define how HIPAA impacts social media. Embrace some social media HIPAA violation examples to make the coverage clear.
The coverage ought to have detailed necessities for posts produced from your company social accounts. However you additionally want to create HIPAA social media pointers for workers private accounts. HIPAA guidelines apply to the private accounts of healthcare staff.
Construct a system of HIPAA violation social media sanctions into the rules. This ensures staff perceive the repercussions of breaking the foundations.
5. Implement a social monitoring program
Implement a social media monitoring program to monitor for hashtags and key phrases related to your group. This is a vital approach of understanding what’s being mentioned about your group on social media.
Most of the posts mentioning your group might come from sufferers or different people who find themselves not topic to HIPAA rules. However it is usually early-warning system for workers posts that by accident violate the foundations.
You’re in a a lot better place in case you catch and resolve a disclosure of PHI on social media earlier than a grievance is filed.
Is turning into Fb mates with sufferers a violation of HIPAA?
It’s not strictly talking a HIPAA violation to be Fb mates with a affected person. Nevertheless, it isn’t a really helpful observe. As an alternative, create a Fb enterprise web page that your sufferers can observe for updates out of your observe.
Is following a affected person on social media a HIPAA violation?
Looking for out a affected person on social media utilizing their PHI (together with their identify) could also be a HIPAA violation. It’s higher to keep away from private connections with sufferers on social media.
What info could be shared with out violating HIPAA?
You’ll be able to share “de-identified” info on social media with out violating HIPAA. Following the “secure harbor” technique, you should take away all 18 identifiers from the knowledge.
You may also share info not related to any affected person on social media. For instance, you may share:
- wholesome dwelling suggestions
- workers profiles, or
- updates about how your group helps the group.
Main healthcare suppliers, insurers, and life science firms worldwide use Hootsuite to enhance their buyer expertise, unify their social message, and guarantee compliance with business rules. See for your self why we’re the healthcare business’s main social media administration platform.
Guide a customized, no-pressure demo to see why Hootsuite is the well being care business’s main social media administration platform.