HIPAA stands for the Well being Insurance coverage Portability and Accountability Act. It’s an overarching piece of laws regarding well being data in america.
In case you handle social media for a healthcare group, you’ve come to the suitable place. On this article, we clarify what HIPAA says about social media, go over widespread HIPAA violations, and share ideas for constructing a HIPAA-compliant social media technique.
Bonus: Get a free, customizable social media coverage template to shortly and simply create tips to your firm and workers.
HIPAA doesn’t explicitly say something about social media. That’s as a result of the requirements have been created earlier than social media platforms existed. Nonetheless, social media is topic to the Privateness Rule. The requirements on disclosures of protected well being data are significantly related.
Supply: CDC
Which means organizations lined by HIPAA can not publish or share any protected well being data on social media with out the related particular person’s particular, written authorization.
Who is roofed by HIPAA social media guidelines?
Let’s dive a bit of deeper right here. First, who is roofed by HIPAA on social media?
Coated entities are:
- Healthcare suppliers, like medical doctors, dentists, and pharmacies.
- Well being plans, like HMOs and employer well being plans.
- Healthcare clearinghouses, which course of well being data.
HIPAA additionally covers enterprise associates of those lined entities. These are companions that require entry to well being data to carry out sure companies.
What data is roofed by HIPAA social media guidelines?
So, what’s a HIPAA violation on social media? First, let’s take a look at some definitions from the Code of Federal Laws. They make clear what kinds of data are protected:
- Well being data: “Pertains to the previous, current, or future bodily or psychological well being or situation of a person; the availability of well being care to a person; or the previous, current, or future cost for the availability of well being care to a person.”
- Protected well being data is: “individually identifiable well being data … transmitted or maintained in any … type or medium,” with a number of exceptions for schooling and employment information and individuals who died greater than 50 years in the past.
- And a designated file set consists of: “any merchandise, assortment, or grouping of data that features protected well being data.”
That’s rather a lot to parse. Let’s take a look at a less complicated definition of protected well being data (PHI) from the Medicare Studying Community. (MLN is a part of the Division of Well being and Human Providers.)
PHI consists of:
- “Frequent identifiers, akin to identify, handle, start date, and SSN
- The affected person’s previous, current, or future bodily or psychological well being situation
- Well being care you present to the affected person, and
- The previous, current, or future cost for well being care you present to the affected person.”
Nearly something identifiable to a affected person in your information is protected by HIPAA. Importantly for social media, this consists of pictures through which a affected person’s identify, face, or different identifiable particulars are seen.
There are 18 particular identifiers “that might be used to determine the person or the person’s kin, employers, or family members.” None of those may be included on social media.
Well being data may be “de-identified.” This course of makes use of both knowledgeable willpower or the secure harbor technique. The secure harbor technique (removing of identifiers) is the most effective strategy to forestall social media HIPAA violations.
Supply: HHS
You could find the complete particulars of the identifiers on the HHS web site.
Posting affected person data with out authorization
You’ll by no means put up a affected person’s private well being information on social media. However you may wish to share a affected person testimonial. Or perhaps a case examine that features a affected person’s identify for credibility.
To adjust to HIPAA, you want express written authorization from the related affected person. The problem is that HIPAA authorizations should give the affected person the proper to revoke their authorization.
If a affected person revokes their authorization, you possibly can take away the social media put up from your personal channels. However what if another person has captured a screenshot and shared it elsewhere? When you put up affected person data on public social channels, you lose management of how that data will unfold.
Sharing affected person pictures or paperwork
Any time you share a photograph of your office or facility on social media, HIPAA violations must be entrance of thoughts.
The foreground may present a few your smiling workers or a brand new piece of apparatus. However what’s within the background? Are the faces of any sufferers or their relations seen? What about affected person charts, medical information, names, or different particulars on partitions or desks?
In case you’re sharing an instance of your work, or of a situation or harm, it’s apparent to keep away from revealing the affected person’s face. However have you ever captured some other identifiable marks (e.g. tattoos or uncommon birthmarks)?
Responding to complaints or destructive critiques
Restaurant homeowners have gone viral with cheeky replies to individuals who left undeserved destructive suggestions. However this isn’t a viable possibility for these working in healthcare.
For instance, in 2022, the HHS Workplace for Civil Rights issued a $50,000 high quality in opposition to a dental apply. They’d used a affected person’s full identify in response to a criticism on the corporate’s Google enterprise web page. The unique criticism used a pseudonym.
Later that very same yr, HHS fined one other dental apply $23,000 and issued a corrective motion plan for comparable violations on Yelp.
Within the press launch for the latter case, OCR Director Melanie Fontes acknowledged:
“This newest enforcement motion demonstrates the significance of following the legislation even if you end up utilizing social media. Suppliers can not disclose protected well being data of their sufferers when responding to destructive on-line critiques.”
Unfavourable critiques could sting, however a significant high quality stings extra. Stay skilled. Maintain affected person data confidential, regardless of how tempting it might be to name them out.
Sharing affected person data with an company
Do you’re employed with a third-party advertising company that will help you with social media? It’s worthwhile to contemplate what data they’ve entry to. If they’ve entry to any private well being data, together with affected person pictures, you want them to signal a enterprise affiliate settlement.
Creating customized audiences for social adverts
Paid social is one other potential supply of social media HIPAA violations. For instance, you can’t signal a enterprise affiliate settlement with Fb. Which means you can’t add a listing of affected person emails to create a customized viewers for Fb adverts.
That doesn’t imply it’s important to keep away from all concentrating on on social. In case you perceive the traits of your goal market, you should use these concentrating on choices to succeed in the suitable audiences with social adverts. You simply can’t use identifiable data from present sufferers within the course of.
Speaking by means of social messaging platforms
In the course of the COVID-19 pandemic, HHS supplied flexibility on well being care communication channels. Nonetheless, that flexibility is scheduled to finish on Might 11, 2023.
You probably have been utilizing channels like Fb Messenger or WhatsApp to speak with sufferers, your technique wants to vary. You’ll be able to nonetheless talk just about with sufferers, however it is advisable to use HIPAA-compliant options.
If you wish to use SMS, WhatsApp, or social messaging companies to ship appointment reminders, it is advisable to ship them with none PHI included.
Which means it is best to embrace solely your apply identify and the time of the appointment. You can not embrace the affected person identify or the character of the appointment within the message. You additionally must get affected person authorization to speak utilizing textual content channels earlier than doing so. Even for appointment reminders.
The results for a HIPAA violation rely upon the character of the violation and who dedicated it. For instance, the results are harsher for a violation on a hospital’s company account. A violation on the private account of a nurse who works at that hospital can be much less extreme.
Each group lined by HIPAA ought to have a sanctions coverage for violations. These would apply to a violation made by somebody who works on the group.
And for the group itself? A violation case that goes to the Well being and Human Providers Workplace for Civil Rights could lead to a significant monetary penalty. The utmost high quality is $1.5 million.
Supply: Nationwide Consortium of Telehealth Useful resource Facilities
1. Perceive the rules
HIPAA social media guidelines are difficult to know particularly as a result of there are not any express HIPAA safety rules for social media. Instad, it is advisable to take your understanding of the HIPAA Privateness Rule and apply it to social media.
In brief, MLN specifies that it’s essential to:
- “Notify sufferers about their privateness rights and the way you utilize their data
- Undertake privateness procedures and prepare workers to observe them
- Assign a person to be sure to’re adopting and following privateness procedures, and
- Safe affected person information containing PHI in order that they aren’t available to those that don’t must see them.”
2. Prepare your group
As famous above, coaching your group is a required element of HIPAA compliance for social media. Which means your complete group, not simply your social group.
Nearly all workers inside a well being care setting have entry to a point of PHI. Which means any worker may expose your group to social media HIPAA violations.
Unintended social media HIPAA violation examples by your group may embrace:
- a workers Instagram picture that reveals a affected person’s face within the background, or
- a put up in a Fb group a couple of movie star session or troublesome case.
3. Restrict entry to your social accounts
Limiting entry to your social accounts protects your group in opposition to posting content material that violates HIPAA social media guidelines. Everybody in your group ought to perceive the fundamentals. However it is advisable to assign one or two key people who find themselves HIPAA social media consultants. They need to log out on content material earlier than posting.
Nonetheless, these consultants are probably at too excessive of a degree in your group to be answerable for creating all of the social content material. Which means you want a system of workflows and approvals. Applicable members of your social group can create content material that’s then queued for approval by your HIPAA consultants.
Hootsuite has a built-in content material creation and approval course of. You’ll be able to assign particular permissions for particular person group members. It’s also possible to arrange approvals on responses to social feedback, which is a key space the place potential HIPAA violations can happen.
Hootsuite lets you revoke entry to your social accounts when somebody leaves your group or modifications roles. This helps guarantee compliance with HIPAA entry guidelines.
4. Create clear social media tips
It’s crucial for any healthcare group utilizing social media to have a strong social media coverage. The coverage wants to obviously define how HIPAA impacts social media. Embrace some social media HIPAA violation examples to make the coverage clear.
Bonus: Get a free, customizable social media coverage template to shortly and simply create tips to your firm and workers.
The coverage ought to have detailed necessities for posts made out of your company social accounts. However you additionally must create HIPAA social media tips for employees private accounts. HIPAA guidelines apply to the private accounts of healthcare workers.
Construct a system of HIPAA violation social media sanctions into the rules. This ensures workers perceive the repercussions of breaking the principles.
5. Implement a social monitoring program
Implement a social media monitoring program to watch for hashtags and key phrases related to your group. This is a crucial method of understanding what’s being stated about your group on social media.
Most of the posts mentioning your group could come from sufferers or different people who find themselves not topic to HIPAA rules. However additionally it is a superb early-warning system for employees posts that by chance violate the principles.
You’re in a a lot better place for those who catch and resolve a disclosure of PHI on social media earlier than a criticism is filed.
Is changing into Fb buddies with sufferers a violation of HIPAA?
It isn’t strictly talking a HIPAA violation to be Fb buddies with a affected person. Nonetheless, it isn’t a really useful apply. As a substitute, create a Fb enterprise web page that your sufferers can observe for updates out of your apply.
Is following a affected person on social media a HIPAA violation?
Searching for out a affected person on social media utilizing their PHI (together with their identify) could also be a HIPAA violation. It’s higher to keep away from private connections with sufferers on social media.
What data may be shared with out violating HIPAA?
You’ll be able to share “de-identified” data on social media with out violating HIPAA. Following the “secure harbor” technique, it’s essential to take away all 18 identifiers from the knowledge.
It’s also possible to share data not related to any affected person on social media. For instance, you could possibly share:
- wholesome dwelling ideas
- workers profiles, or
- updates about how your group helps the group.
Main healthcare suppliers, insurers, and life science firms worldwide use Hootsuite to enhance their buyer expertise, unify their social message, and guarantee compliance with business rules. See for your self why we’re the healthcare business’s main social media administration platform.
E book a customized, no-pressure demo to see why Hootsuite is the well being care business’s main social media administration platform.
