The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was established with the goal of protecting the privacy of medical providers and their patients. The act sets standards for how healthcare organizations must protect patient information, including what kind of security measures must be in place to keep data safe. In this blog post, we'll take a look at some best practices for social media use in HIPAA-compliant organizations.
What social media actions violate HIPAA rules?
Posting patients’ protected health information (PHI) on social media without the patients’ permission or authority, even if it’s accidentally, is a violation of HIPAA regulations. This includes actions like:
- Sharing pictures with patient information visible in the background
- Sharing any form of PHI (such as images or videos)
- Posting any information that could identify an individual
- Sharing gossip about a patient, even if the patient’s name is not mentioned
What are the consequences of violating HIPAA?
The healthcare industry should never treat HIPAA violations lightly. If an employee is found guilty of breaking a HIPAA rule, they could face fines between $100 and $1.8 million depending on the severity of the violation. They could also face a 10-year jail sentence, lawsuits, job termination, and revocation of their medical license.
How can healthcare organizations prevent violations?
There are simple ways to avoid HIPAA violations while using social media:
- Don’t post stories about patients on social media. Even if a patient’s name is omitted, they could still be identified by their diagnosis or treatment.
- Check the background of your photos before posting. This ensures that you don't violate policies prohibiting the posting photos of a patient or their information, whether intentional or not.
- Prohibit employees from offering medical advice on social media. It’s best to refrain from posting diagnoses or treatment plans on social media, even if a patient asks for medical advice.
- Always get written permission. Sometimes, a patient’s story is too great not to share. Maybe they made an astonishing recovery or exhibited great strength in the face of adversity and you want to share their accomplishment. In cases like these, ask for written permission from the patient before posting their story or anything that pertains to them on social media.
- Train employees on HIPAA security and HIPAA privacy procedures and policies. Make sure to cover topics such as workstation use, workstation security, and personal device usage for work. This ensures that employees comply with HIPAA rules and are protecting patient information, whether it be electronic, written, or oral.
By taking the steps outlined in this article, you can create a safe and confidential environment for all patients. Feel free to call us today if you need help in creating policies and procedures to ensure your staff’s compliance with HIPAA social media rules, or if you need help managing the IT and privacy of your healthcare organization.