The Importance of Being HIPAA Compliant on Social Media

If you are linked to an organization dealing with PHI (protected health information), you must remember to stay HIPAA compliant on social media. HIPAA was enacted several years before the rise of social media platforms such as Instagram or Facebook, so there are no specific rules for using such platforms. However, the HIPAA Privacy Rule still affects what healthcare institutions can and cannot share online.

Some companies shy away from using social media for fear of violating HIPAA rules. They miss plenty of prospects who are looking for their services online. Social media platforms enable healthcare providers to interact with their patients as well as attract new ones. They make it possible to send important messages quickly and advertise new services without difficulty. Most importantly, healthcare organizations and their staff should not forget about the HIPAA privacy rules.

Social Media and HIPAA Compliance

A HIPAA social media policy is a must-have to prevent violations and keep vulnerable data safe. Under the HIPAA Privacy Rule, you cannot share ePHI on social platforms without the express consent of your clients. If there is a need to post text or images that identify particular patients, those patients must give their consent to publication in writing. Moreover, a patient's PHI may be used only for the purposes agreed and stated in that document.

Certainly, there is no prohibition on posting news, articles, marketing ads, or health tips that contain no patient data. Many people search for healthcare information on social media channels. If you share your professional achievements or awards, your service can get more attention and even attract new clients. It is also permitted to write about your staff and their bios. Social media presence is an extremely efficient way to advertise your business.

Most disclosures of ePHI online are unauthorized ones that cause a breach of the HIPAA Privacy Rule. When someone accesses ePHI without authorization, the covered entity would be liable for the likely breach of the Security Rule for not protecting information from unauthorized disclosure. Your organization needs social media rules that cover all accounts to avoid HIPAA violations and fines. Even if an account is private, its content cannot contain any text or images that identify patients.


Training for Employees on Social Media Rules

The popularity of social media is rapidly increasing. Users share information easily and quickly. If you do not train your employees specifically on HIPAA social media rules, it is highly likely that violations will occur. HIPAA social media training is mandatory for people dealing with PHI. It is much better to guide your staff before they start work. You can also provide a review of the main rules for using social networking sites. This will significantly protect your patients' data and improve the cybersecurity of your organization.

Each worker should be informed of the organization's policies relating to public information, even if they do not have access to ePHI. Even staff members without access to ePHI can disclose information on their social accounts, such as the names and treatments of patients. So it is crucial for all employees to know how to avoid disclosing information without authorization through any media.

Common Social Media HIPAA Violations

The main point of HIPAA's social media policy is that posts should never contain any PHI. PHI includes any information that might allow an individual to be identified, as well as photographs taken inside a healthcare facility in which patients are visible. Gossiping about clients online is also strictly forbidden. Written consent is the only way to avoid a violation.

For instance, ProPublica conducted several investigations into HIPAA social media breaches made by care home workers in 2015. The results showed that nurses posted images and videos of patients in compromising positions. Users then widely shared the pictures of the abused patients. There were undoubtedly more violations that the ProPublica team discovered and reported. Consequently, a lot of employees were fired and some cases resulted in criminal charges. Their leads and providers also received HIPAA penalties.


How to Stay HIPAA Compliant on Social Media

If you want to avoid HIPAA violations and penalties, you need to have a social media policy for your organization. We have prepared essential HIPAA guidelines for your own and your employees' accounts.

So, HIPAA compliance online requires:

  • Training all staff on acceptable social media rules, with annual revision and updating;
  • Development of a clear, strict policy covering social media presence;
  • Implementation of penalties for social media HIPAA violations – termination, loss of license, and criminal charges;
  • Approval of all new uses of social media sites by your compliance department;
  • Standardization of how marketing teams use their social media accounts;
  • Separation of personal and corporate accounts;
  • Moderation of all comments on social media platforms;
  • Appropriate access controls to prevent unauthorized use of corporate social media accounts;
  • Constant monitoring and improvement of the social media policy.

HIPAA policies and procedures are vital to protect your practice against HIPAA violations. These policies and procedures should be unique to the needs of your practice and address each of the HIPAA regulatory standards. Moreover, you should review them and update them to reflect new changes.
