Every physician knows about the Health Insurance Portability and Accountability Act (HIPAA) to protect patient health information. Established in 1996, HIPAA sets national standards for the confidentiality, security, and transmissibility of personal health information. HIPAA violations can damage a practice’s reputation and also result in criminal and civil penalties. The Privacy Rule applies to all personal health information (PHI), including paper and electronic records. This requires physicians to be alert when outsourcing medical transcription and engaging in any activity that involves PHI security risks such as using social media. In fact, there are certain things that physicians should know about staying HIPAA-compliant on social media.
Social Media Use by Physicians
Recent studies indicate that more than 80% of physicians use social media. Physicians use social media for personal communication, to interact with peers and to expand their knowledge. According to a recent report from www.pm360online.com, social media engagement by physicians can be categorized into three:
- Creating and publishing original content such as articles and blogs
- Commenting on posts and participating in online group discussions or chat
- Seeking information relevant to their patients and practice
There are many benefits to social media use by healthcare providers. Platforms like Twitter, Facebook, Instagram, and LinkedIn offer physicians the opportunity to reach a broader audience, build their brand, demonstrate expertise, build referrals, promote positive reviews, and spread health messages.
Research shows that communicating with patients via social media can improve their care and health outcomes. Social media allows physicians to extend their interactions beyond the physical office visit and impact patients’ daily choices. Studies have found that supplemental electronic communication improves adherence for patients with chronic diseases as well as patient satisfaction by having questions answered and increasing the time spent communicating with their physicians. However, when using social media platforms, healthcare providers need to ensure that they do not violate HIPAA rules.
How Physicians can stay HIPAA Compliant on Social Media
- Know what constitutes a HIPAA violation on social media : Many physicians, nurses and other medical staff are not aware of what constitutes a HIPAA violation on social media. Healthcare Compliance Pros provides the following examples of social media behavior that would cause violation of HIPAA:
- Posting verbal “gossip” about a patient to unauthorized individuals, even if the name is not disclosed
- Sharing photographs, or any form of PHI without written consent from a patient
- A wrong impression that posts are confidential or have been deleted when they are still visible to the public
- Sharing of seemingly innocent comments or pictures, such as a workplace lunch which happens to have visible patient files underneath.
Beckers Hospital Review cautions that organizations should be careful while posting to their social media sites like Facebook to keep their patients up to date on hospital news. They should ensure that photographs do not have patients in the background or reveal the backs of desks or computer screens as it will lead to HIPAA violations.
- Be cautious when adding patients as friends on social media networks : Physicians should be cautious about interacting with patients using social media. A physician could inadvertently disclose PHI while communicating online with patients who might ask personal health questions publicly. They may accidentally reveal the names of patients they treat, thereby violating a HIPAA regulation. In fact, the Journal of Medical Ethics has issued specific guidelines advising physicians never to invite a patient to become an online friend, or to accept a friend request from a patient.
- Never post anything that violates PHI confidentiality, especially patient photos : Healthcare providers should never post photos of patients or chart, notes or diagnostic images that could identify them. Social media posts tend to get shared and therefore physicians should be very care about what they post, share or retweet. They should never post an image without the patient’s written permission. There have also been cases where medical professionals accidentally photographed patients behind them while taking a ‘selfie’. Physicians should also know that discussing the details of a patient’s condition on social media is considered unprofessional.
- Don’t post negative remarks about patients, co-workers, employers or clients : It is unethical to use social media to complain or rant about the people you are involved with on a daily basis – even if you do not name them. Negative remarks about your organization, coworkers, or patients will show you in a bad light and can even jeopardize your career. A CompHealth article notes that patients who identify themselves in the post may report the physician for a HIPAA violation.
- Never post PHI : PHI includes a wide range of information: the patient’s name and address, date of service, patient record numbers, vehicle license plate numbers, and more. Healthcare professionals need to understand what constitutes PHI and avoid making unintentional unauthorized disclosures on social media. While a physician may discuss a patient’s PHI with another physician treating the patient, posting PHI online is not advised. It may be possible to identify patients through their symptoms or the time that their PHI was posted.
Despite these concerns and risks of HIPAA violation, social media is an important tool for physicians. Many physicians report interaction with peers as one of the greatest benefits of social media. Access to scientific journals, webinars, and video streaming via these online platforms adds to their knowledge base. To take advantage of these benefits, physicians should develop a HIPAA-compliant social media policy to protecting patient PHI. Physicians and their staff should have a clear understanding of HIPAA patient privacy regulations and how they relate to their social media accounts. They should also ensure the confidentiality of electronic health records through measures such as HIPAA compliant medical transcription services and proper archiving in accordance with federal and state mandates.