HIPAA stands for the Health Insurance Portability and Accountability Act. It’s an overarching piece of laws referring to well being data in america.
In case you manage social media for a healthcare organization, you’ve come to the best place. On this article, we clarify what HIPAA says about social media, go over widespread HIPAA violations, and share ideas for constructing a HIPAA-compliant social media technique.
Bonus: Get a free, customizable social media policy template to quickly and easily create guidelines for your company and employees.
HIPAA does not explicitly say anything about social media. That’s because the standards were created before social media platforms existed. However, social media is subject to the Privacy Rule. The standards on disclosures of protected health information are particularly relevant.
Which means organizations coated by HIPAA can’t publish or share any protected well being data on social media with out the related particular person’s particular, written authorization.
Let’s dive somewhat deeper right here. First, who is roofed by HIPAA on social media?
Covered entities are:
- Healthcare suppliers, like medical doctors, dentists, and pharmacies.
- Well being plans, like HMOs and employer well being plans.
- Healthcare clearinghouses, which course of well being data.
HIPAA additionally covers business associates of those coated entities. These are companions that require entry to well being data to carry out sure companies.
So, what’s a HIPAA violation on social media? First, let’s have a look at some definitions from the Code of Federal Regulations. They make clear what sorts of data are protected:
- Well being data: “Pertains to the previous, current, or future bodily or psychological well being or situation of a person; the supply of well being care to a person; or the previous, current, or future cost for the supply of well being care to a person.”
- Protected well being data is: “individually identifiable well being data … transmitted or maintained in any … kind or medium,” with a couple of exceptions for schooling and employment data and individuals who died greater than 50 years in the past.
- And a designated record set consists of: “any merchandise, assortment, or grouping of data that features protected well being data.”
That’s quite a bit to parse. Let’s have a look at a less complicated definition of protected well being data (PHI) from the Medicare Learning Network. (MLN is a part of the Division of Well being and Human Companies.)
PHI consists of:
- “Widespread identifiers, comparable to identify, tackle, delivery date, and SSN
- The affected person’s previous, current, or future bodily or psychological well being situation
- Well being care you present to the affected person, and
- The previous, current, or future cost for well being care you present to the affected person.”
Nearly something identifiable to a affected person in your data is protected by HIPAA. Importantly for social media, this consists of images through which a affected person’s identify, face, or different identifiable particulars are seen.
There are 18 particular identifiers “that might be used to establish the person or the person’s family, employers, or family members.” None of those will be included on social media.
Well being data will be “de-identified.” This course of makes use of both skilled willpower or the secure harbor technique. The secure harbor technique (removing of identifiers) is one of the best strategy to stop social media HIPAA violations.
You could find the total particulars of the identifiers on the HHS website.
You’ll by no means submit a affected person’s private well being data on social media. However you would possibly need to share a affected person testimonial. Or possibly a case research that features a affected person’s identify for credibility.
To adjust to HIPAA, you want express written authorization from the related affected person. The problem is that HIPAA authorizations should give the affected person the right to revoke their authorization.
If a affected person revokes their authorization, you may take away the social media submit from your personal channels. However what if another person has captured a screenshot and shared it elsewhere? When you submit affected person data on public social channels, you lose management of how that data will unfold.
Any time you share a photograph of your office or facility on social media, HIPAA violations ought to be entrance of thoughts.
The foreground would possibly present a few your smiling staff or a brand new piece of kit. However what’s within the background? Are the faces of any sufferers or their relations seen? What about affected person charts, medical data, names, or different particulars on partitions or desks?
In case you’re sharing an instance of your work, or of a situation or damage, it’s apparent to keep away from revealing the affected person’s face. However have you ever captured some other identifiable marks (e.g. tattoos or uncommon birthmarks)?
Restaurant homeowners have gone viral with cheeky replies to individuals who left undeserved unfavourable suggestions. However this isn’t a viable possibility for these working in healthcare.
For instance, in 2022, the HHS Workplace for Civil Rights issued a $50,000 fine in opposition to a dental apply. They’d used a affected person’s full identify in response to a grievance on the corporate’s Google business page. The unique grievance used a pseudonym.
Later that very same yr, HHS fined one other dental apply $23,000 and issued a corrective motion plan for related violations on Yelp.
Within the press launch for the latter case, OCR Director Melanie Fontes acknowledged:
“This newest enforcement motion demonstrates the significance of following the legislation even when you find yourself utilizing social media. Suppliers can’t disclose protected well being data of their sufferers when responding to unfavourable on-line critiques.”
Damaging critiques might sting, however a serious nice stings extra. Stay skilled. Preserve affected person data confidential, regardless of how tempting it might be to name them out.
Do you’re employed with a third-party advertising and marketing company that can assist you with social media? You might want to contemplate what data they’ve entry to. If they’ve entry to any private well being data, together with affected person images, you want them to signal a business associate agreement.
Paid social is one other potential supply of social media HIPAA violations. For instance, you can not signal a enterprise affiliate settlement with Fb. Which means you can not add a listing of affected person emails to create a custom audience for Facebook ads.
That doesn’t imply it’s a must to keep away from all focusing on on social. In case you understand the characteristics of your target market, you should utilize these focusing on choices to succeed in the best audiences with social advertisements. You simply can’t use identifiable data from present sufferers within the course of.
Throughout the COVID-19 pandemic, HHS supplied flexibility on well being care communication channels. Nonetheless, that flexibility is scheduled to end on May 11, 2023.
In case you have been utilizing channels like Fb Messenger or WhatsApp to speak with sufferers, your technique wants to vary. You may nonetheless talk just about with sufferers, however you might want to use HIPAA-compliant solutions.
If you wish to use SMS, WhatsApp, or social messaging companies to ship appointment reminders, you might want to ship them with none PHI included.
Which means it is best to embody solely your apply identify and the time of the appointment. You can not embody the affected person identify or the character of the appointment within the message. You additionally must get affected person authorization to speak utilizing textual content channels earlier than doing so. Even for appointment reminders.
The implications for a HIPAA violation rely upon the character of the violation and who dedicated it. For instance, the results are harsher for a violation on a hospital’s company account. A violation on the private account of a nurse who works at that hospital will probably be much less extreme.
Each group coated by HIPAA ought to have a sanctions coverage for violations. These would apply to a violation made by somebody who works on the group.
And for the group itself? A violation case that goes to the Well being and Human Companies Workplace for Civil Rights might end in a serious monetary penalty. The utmost nice is $1.5 million.
HIPAA social media guidelines are tough to grasp particularly as a result of there are not any express HIPAA safety rules for social media. Instad, you might want to take your understanding of the HIPAA Privateness Rule and apply it to social media.
Briefly, MLN specifies that it’s essential to:
- “Notify sufferers about their privateness rights and the way you utilize their data
- Undertake privateness procedures and prepare staff to observe them
- Assign a person to be sure you’re adopting and following privateness procedures, and
- Safe affected person data containing PHI in order that they aren’t available to those that don’t must see them.”
As famous above, coaching your group is a required element of HIPAA compliance for social media. Which means your complete group, not simply your social group.
Nearly all staff inside a well being care setting have entry to some extent of PHI. Which means any worker may expose your group to social media HIPAA violations.
Unintentional social media HIPAA violation examples by your group would possibly embody:
- a workers Instagram photograph that reveals a affected person’s face within the background, or
- a submit in a Fb group a few movie star session or troublesome case.
Limiting entry to your social accounts protects your group in opposition to posting content material that violates HIPAA social media guidelines. Everybody in your group ought to perceive the fundamentals. However you might want to assign one or two key people who find themselves HIPAA social media consultants. They need to log out on content material earlier than posting.
Nonetheless, these consultants are seemingly at too excessive of a stage in your group to be chargeable for creating all of the social content material. Which means you want a system of workflows and approvals. Applicable members of your social group can create content material that’s then queued for approval by your HIPAA consultants.
Hootsuite has a built-in content material creation and approval process. You may assign particular permissions for particular person group members. You can too arrange approvals on responses to social feedback, which is a key space the place potential HIPAA violations can happen.
Hootsuite lets you revoke entry to your social accounts when somebody leaves your group or adjustments roles. This helps guarantee compliance with HIPAA entry guidelines.
It’s essential for any healthcare organization using social media to have a strong social media policy. The coverage wants to obviously define how HIPAA impacts social media. Embody some social media HIPAA violation examples to make the coverage clear.
Bonus: Get a free, customizable social media policy template to quickly and easily create guidelines for your company and employees.
The policy should have detailed requirements for posts made from your corporate social accounts. But you also need to create HIPAA social media guidelines for workers private accounts. HIPAA guidelines apply to the private accounts of healthcare staff.
Construct a system of HIPAA violation social media sanctions into the rules. This ensures staff perceive the repercussions of breaking the foundations.
Implement a social media monitoring program to watch for hashtags and key phrases related to your group. This is a crucial approach of understanding what’s being stated about your group on social media.
Most of the posts mentioning your group might come from sufferers or different people who find themselves not topic to HIPAA rules. However additionally it is a very good early-warning system for workers posts that by accident violate the foundations.
You’re in a significantly better place in case you catch and resolve a disclosure of PHI on social media earlier than a grievance is filed.
It’s not strictly talking a HIPAA violation to be Fb mates with a affected person. Nonetheless, it’s not a beneficial apply. As a substitute, create a Facebook business page that your sufferers can observe for updates out of your apply.
Searching for out a affected person on social media utilizing their PHI (together with their identify) could also be a HIPAA violation. It’s higher to keep away from private connections with sufferers on social media.
You may share “de-identified” data on social media with out violating HIPAA. Following the “secure harbor” technique, it’s essential to take away all 18 identifiers from the knowledge.
You can too share data not related to any affected person on social media. For instance, you could possibly share:
- wholesome dwelling ideas
- workers profiles, or
- updates about how your group helps the group.
Main healthcare suppliers, insurers, and life science corporations worldwide use Hootsuite to enhance their buyer expertise, unify their social message, and guarantee compliance with trade rules. See for your self why we’re the healthcare trade’s main social media administration platform.
Guide a personalised, no-pressure demo to see why Hootsuite is the well being care trade’s main social media administration platform.