The Health Insurance Portability and Accountability Act (HIPAA) was first introduced to simplify healthcare administration, prevent fraud, and preserve employee health coverage between jobs. Its reach, however, extended well beyond that, to protecting patient information and safeguarding patient privacy.
The HIPAA Privacy Rule governs how covered entities use and disclose an individual's health information. Covered entities are health plans, healthcare providers, and healthcare clearinghouses; their business associates are bound by the rule as well.
The Privacy Rule grants individuals the right to understand and control how their medical information is used. Its goal is to balance an individual's privacy against the flow of health information needed to deliver and pay for care.
List of HIPAA Violations
A HIPAA violation is a failure by an organization or an individual to comply with the Act. Violations can take many forms, including but not limited to:
- Unauthorized disclosure of protected health information (PHI)
- Negligent or improper disposal of health information
- Unauthorized internal or external access to PHI
- Failing to secure networks, putting the confidentiality of PHI at risk
- Failure to monitor audit logs of PHI access
- Failure to maintain availability, leaving patients unable to access their own records
- Failing to put a business associate agreement in place before handing over PHI
- Disclosing more PHI than the minimum necessary for a particular purpose
- Sharing PHI online or through social media without authorization
- Failure to implement access controls
How Social Media Fuels HIPAA Violations
If you are working toward HIPAA compliance, you should understand the common ways you or your employees can violate it through social media by sharing PHI, whether deliberately or accidentally.
Because social media tempts us to share things that are confidential and will draw attention on the platform, it is understandable that many HIPAA violations occur there.
1. Interesting Patient Information
An interesting case can tempt you to share it with others, whether to exchange knowledge or for entertainment. Even if your intentions are good, doing so without the patient's written authorization is potential grounds for a HIPAA violation.
If you encounter a social media post from a patient seeking help and you have experience with such cases, you may share a general tip or two, within the bounds of your organization's HIPAA compliance manual. Initiating gossip that can jeopardize a patient's quality of life, however, is a violation.
2. Personal Photos or Videos
There are no specific rules stopping you from sharing personal photos or videos taken at work. But if the photo contains any PHI, or any trace of it, posting it can be a HIPAA violation.
Posting photos or videos that include a patient who is being treated can also be grounds for a HIPAA violation if written authorization was not obtained or if someone could identify the patient. Before sharing such media, edit the patient out.
Having your work desktop in the frame may not be a violation if no PHI is visible. If any is visible, change the frame.
3. Social Promotion
Social media can be a great way to promote your services to interested individuals. But without written authorization, sharing photos of treatments that went well can be a HIPAA violation.
Body enhancement procedures such as skin rejuvenation often attract social media attention. Most practitioners who demonstrate a procedure live obtain written authorization from the patient first. If you don't, this can be a serious HIPAA violation.
You can instead ask patients to share their own views about your services on social media, or to post their own before-and-after photos. When patients deliberately share their own information, you do not need written authorization from them. Reposting what they shared or replying with details of their care is a disclosure by you, however, and again requires authorization.
4. Sharing Case Studies
As discussed above, sharing a vague tip or two may not be a HIPAA violation, but sharing a recognizable example that suggests particular individuals went through the procedure can be, even if they were not treated at your facility.
Mentioning that your facility offers a weight loss procedure is fine. Associating it with the case of a 30-year-old male who went from 250 pounds to 150 is not. Even if you leave out the patient's name and photos, the case may still be recognizable, and the offended party can file a HIPAA complaint against you.
5. Sharing in Private Groups
PHI may be shared in specific private groups whose communications are encrypted and whose members all need to access, modify, or distribute the information. But having even one individual or vendor in the group who has no need for the PHI can cause a HIPAA violation, and any vendor handling PHI there must be covered by a business associate agreement.
In general, PHI should only be shared over encrypted channels so that no third party can read the data. Since you cannot control breaches of a social media platform, it is wise not to share PHI in any group hosted on one.
How to Counter the Issues
Beyond training your employees not to use personal social media profiles to share PHI, there are measures you can take to provide more protection.
1. Develop Social Media Policies
Take account of the risks described above and develop a policy that makes you and your employees aware of the ways social media can lead to violations. If you want to be strict, set rules about using social media during office hours and about discussing patients in social media groups.
2. Show Examples
When developing the policies, give examples of what can and cannot be posted. Include FAQs to help employees get a clearer picture. Take some staged photos in your office that would violate HIPAA and some that would not, making sure no real PHI appears in the training material itself.
3. Set Penalties
A strong policy should state the consequences of HIPAA violations. Set your own internal sanctions that discourage employees from posting photos containing PHI; HIPAA in fact requires covered entities to apply sanctions against workforce members who fail to comply. Remind employees that regulators impose civil and criminal penalties, and that state law may impose additional ones, so that a careless post can carry consequences well beyond your own policy.
4. Monitor Social Media Content
Responsibility does not rest only with the employees who handle PHI. You are also responsible for monitoring your organization's social media accounts and vetting content that could violate HIPAA. Review social media content together with your HR team to head off possible violation claims.
5. Curtail Communication
Don't discuss a patient's PHI with them on social media, even if you have access to it and even if they ask. Answering general questions such as office hours is fine, but it is wiser not to do even that. Direct patients to an official, secured channel instead, such as your organization's email address or patient portal.
The Bottom Line
HIPAA violations through social media are quite common and become serious when sensitive patient information goes public. It is your duty to set up policies and enforce them throughout your organization so that no employee shares PHI to fuel gossip on social media.