How to stay HIPAA-compliant on social media

Social media networks can be used by healthcare organizations to advertise their services as well as communicate with patients and get them more involved in their own healthcare. However, there’s always a risk that Health Insurance Portability and Accountability Act (HIPAA) rules and patient privacy will be violated on social media networks. To ensure HIPAA compliance, healthcare organizations must implement social media-related security protocols that adhere to the regulation. Here are some important tips to ensure that your healthcare business complies with HIPAA regulations on social media use.

What social media actions violate HIPAA rules?

Posting patients’ protected health information (PHI) on social media without the patients’ permission or authority, even if it’s accidentally, is a violation of HIPAA regulations. This includes actions like:

• Sharing pictures with patient information visible in the background
• Sharing any form of PHI (such as images or videos)
• Posting any information that could identify an individual
• Sharing gossip about a patient, even if the patient’s name is not mentioned

What are the consequences of violating HIPAA?

The healthcare industry should never treat HIPAA violations lightly. If an employee is found guilty of breaking a HIPAA rule, they could face fines between $100 and $1.8 million depending on the severity of the violation. They could also face a 10-year jail sentence, lawsuits, job termination, and revocation of their medical license.

How can healthcare organizations prevent violations?

There are simple ways to avoid HIPAA violations while using social media:

• Don’t post stories about patients on social media. Even if a patient’s name is omitted, they could still be identified by their diagnosis or treatment.
• Check the background of your photos before posting. This ensures that you don’t violate policies prohibiting the posting photos of a patient or their information, whether intentional or not.
• Prohibit employees from offering medical advice on social media. It’s best to refrain from posting diagnoses or treatment plans on social media, even if a patient asks for medical advice.
• Always get written permission. Sometimes, a patient’s story is too great not to share. Maybe they made an astonishing recovery or exhibited great strength in the face of adversity and you want to share their accomplishment. In cases like these, ask for written permission from the patient before posting their story or anything that pertains to them on social media.
• Train employees on HIPAA security and HIPAA privacy procedures and policies. Make sure to cover topics such as workstation use, workstation security, and personal device usage for work. This ensures that employees comply with HIPAA rules and are protecting patient information, whether it be electronic, written, or oral.

By taking the steps outlined in this article, you can create a safe and confidential environment for all patients. Feel free to call us today if you need help in creating policies and procedures to ensure your staff’s compliance with HIPAA social media rules, or if you need help managing the IT and privacy of your healthcare organization.