Protecting Patient Privacy on Social Media: Must-Read HIPAA Guide
The main rule that governs healthcare privacy is derived from a 1996 Federal Law called the Health Insurance Portability and Accountability Act, or HIPAA.
It was fleshed out by the Department of Health and Human Services, which began enforcing it as a regulation in 2002. Although the rule predates the rise of social media, its provisions apply to what the regulations call “protected health information” in either digital or paper form.
The rule applies to all so-called “covered entities” (individual and group health plans, health care clearinghouses or really any health care provider who transmits health information), and its implications extend to the worlds of digital and social media.
A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected without restricting the flow of that information needed to facilitate high-quality health care.
The rule permits important uses and disclosures of information, while protecting the privacy of patients. Given that the health care marketplace is diverse, the rule is designed to be flexible and comprehensive in order to cover a variety of uses and disclosures.
Generally speaking, a covered entity can't use or disclose protected health information, except either:
- As the Privacy Rule permits or requires; or
- As the individual who is the subject of the information (or the individual’s personal representative) authorizes, in writing.
All other uses or disclosures are prohibited. When it comes to required disclosures, a covered entity must disclose protected health information in only two situations:
- To individuals (or their personal representatives) when they request access to, or an accounting of disclosures of, their protected health information; and
- To the Department of Health and Human Services when it is undertaking a compliance investigation or review or enforcement action.
Since social networks provide a way to connect with friends, colleagues and acquaintances, here are some suggestions for how employees of covered entities can safely and responsibly use social media at or for work.
This first suggestion isn't related to HIPAA, but it's equally important, so let's get it out of the way first.
Don’t initiate friend requests to employees you directly manage, because doing so gives you access to information about that person’s race, age, religion and national origin, which could possibly become the basis of a discrimination claim if you decide to take disciplinary action against the employee at some future date. If you’re confident it won’t negatively impact your professional relationship in the future, it's probably okay to accept friend requests that employees you manage send you.
Friending patients is a little trickier, because the mere connection itself could be a violation of patient privacy. For instance, if you work at an HIV clinic, friending a patient could be an indication he or she has HIV, which is private information. So unless you have a personal friendship with the patient that predates his or her medical treatment, staff in patient care roles shouldn't initiate or accept friend requests from patients.
And when it comes to friending or establishing an online relationship with vendors, consider any potential conflicts of interest first. Many covered entities have policies against endorsing people, products or organizations, so on websites like LinkedIn, where your affiliation is known, you should hide your LinkedIn connections (Account > Settings & Privacy > Profile Privacy > Who can see your connections > Only you). Unfortunately, you should refrain from giving or accepting LinkedIn recommendations too.
Never comment on a patient's medical status on social media, even if you receive requests on social media channels from concerned friends or family members asking for information on medical status.
General comments about patients are equally dangerous, because you don’t need to disclose someone’s name to reveal information that could lead to the disclosure of his or her identity. And don’t try to share anonymous patient information on social networks either, because the time frame or geography of your comment, coupled with the patient’s condition or procedure, could be enough to inadvertently disclose protected health information that could lead to a HIPAA violation.
Even if the patient or his or her friends or family have already disclosed the information themselves online, covered entities providing health care services are prevented by law from publicly providing any information, so never like, comment, retweet or share a message from a patient or their family, even if they’re posting to say thanks for excellent treatment.
In June 2014, Health and Human Services announced that Parkview Health Systems agreed to settle potential HIPAA violations for $800,000. HHS opened its investigation after receiving a complaint from a retiring physician, alleging that Parkview had violated the HIPAA Privacy Rule.
Parkview previously took custody of medical records pertaining to approximately 5,000 to 8,000 patients while assisting the retiring physician to transition her patients to new providers, and while considering the possibility of purchasing some of the physician’s practice.
Later, Parkview employees, with notice that the physician was not at home, left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physician’s home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue.
As a covered entity under the HIPAA Privacy Rule, Parkview did not appropriately and reasonably safeguard protected health information in its possession, from the time it was acquired through its disposition.