HIPAA stands for the Health Insurance Portability and Accountability Act. It is an overarching piece of legislation relating to health information in the United States.
If you manage social media for a healthcare organization, you’ve come to the right place. In this article, we explain what HIPAA says about social media, go over common HIPAA violations, and share tips for building a HIPAA-compliant social media strategy.
Bonus: Get a free, customizable social media policy template to quickly and easily create guidelines for your company and employees.
HIPAA does not explicitly say anything about social media. That’s because the standards were created before social media platforms existed. However, social media is subject to the Privacy Rule. The standards on disclosures of protected health information are particularly relevant.
That means organizations covered by HIPAA cannot publish or share any protected health information on social media without the relevant individual’s specific, written authorization.
Who is covered by HIPAA social media rules?
Let’s dive a little deeper here. First, who is covered by HIPAA on social media?
Covered entities are:
- Healthcare providers, like doctors, dentists, and pharmacies.
- Health plans, like HMOs and employer health plans.
- Healthcare clearinghouses, which process health information.
HIPAA also covers business associates of these covered entities. These are partners that require access to health information to perform certain services.
What information is covered by HIPAA social media rules?
So, what is a HIPAA violation on social media? First, let’s look at some definitions from the Code of Federal Regulations. They clarify what types of information are protected:
- Health information: “Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.”
- Protected health information is: “individually identifiable health information … transmitted or maintained in any … form or medium,” with a few exceptions for education and employment records and people who died more than 50 years ago.
- And a designated record set includes: “any item, collection, or grouping of information that includes protected health information.”
That’s quite a lot to parse. Let’s look at a simpler definition of protected health information (PHI) from the Medicare Learning Network. (MLN is part of the Department of Health and Human Services.)
- “Common identifiers, such as name, address, birth date, and SSN
- The patient’s past, present, or future physical or mental health condition
- Health care you provide to the patient, and
- The past, present, or future payment for health care you provide to the patient.”
Almost anything identifiable to a patient in your records is protected by HIPAA. Importantly for social media, this includes photos in which a patient’s name, face, or other identifiable details are visible.
There are 18 specific identifiers “that could be used to identify the individual or the individual’s relatives, employers, or household members.” None of these can be included on social media.
Health information can be “de-identified.” This process uses either expert determination or the safe harbor method. The safe harbor method (removal of identifiers) is the best approach to prevent social media HIPAA violations.
You can find the full details of the identifiers on the HHS website.
Posting patient information without authorization
You would never post a patient’s personal health records on social media. But you might want to share a patient testimonial. Or maybe a case study that includes a patient’s name for credibility.
To comply with HIPAA, you need explicit written authorization from the relevant patient. The challenge is that HIPAA authorizations must give the patient the right to revoke their authorization.
If a patient revokes their authorization, you can remove the social media post from your own channels. But what if someone else has captured a screenshot and shared it elsewhere? Once you post patient information on public social channels, you lose control of how that information will spread.
Sharing patient photos or documents
Any time you share a photo of your workplace or facility on social media, HIPAA violations should be front of mind.
The foreground might show a couple of your smiling employees or a new piece of equipment. But what’s in the background? Are the faces of any patients or their family members visible? What about patient charts, medical records, names, or other details on walls or desks?
If you’re sharing an example of your work, or of a condition or injury, it’s obvious to avoid revealing the patient’s face. But have you captured any other identifiable marks (e.g. tattoos or unusual birthmarks)?
Responding to complaints or negative reviews
Restaurant owners have gone viral with cheeky replies to people who left undeserved negative feedback. But this is not a viable option for those working in healthcare.
For example, in 2022, the HHS Office for Civil Rights issued a $50,000 fine against a dental practice. The practice had used a patient’s full name in response to a complaint on the company’s Google business page, even though the original complaint used a pseudonym.
Later that same year, HHS fined another dental practice $23,000 and issued a corrective action plan for similar violations on Yelp.
In the press release for the latter case, OCR Director Melanie Fontes stated:
“This latest enforcement action demonstrates the importance of following the law even when you are using social media. Providers cannot disclose protected health information of their patients when responding to negative online reviews.”
Negative reviews may sting, but a major fine stings more. Remain professional. Keep patient information confidential, no matter how tempting it may be to call them out.
Sharing patient information with an agency
Do you work with a third-party marketing agency to help you with social media? You need to consider what information they have access to. If they have access to any personal health information, including patient photos, you need them to sign a business associate agreement.
Creating custom audiences for social ads
Paid social is another potential source of social media HIPAA violations. For example, you cannot sign a business associate agreement with Facebook. That means you cannot upload a list of patient emails to create a custom audience for Facebook ads.
That doesn’t mean you have to avoid all targeting on social. If you understand the characteristics of your target market, you can use those targeting options to reach the right audiences with social ads. You just can’t use identifiable information from existing patients in the process.
Communicating through social messaging platforms
During the COVID-19 pandemic, HHS offered flexibility on health care communication channels. However, that flexibility is scheduled to end on May 11, 2023.
If you have been using channels like Facebook Messenger or WhatsApp to communicate with patients, your strategy needs to change. You can still communicate virtually with patients, but you need to use HIPAA-compliant solutions.
If you want to use SMS, WhatsApp, or social messaging services to send appointment reminders, you need to send them without any PHI included.
That means you should include only your practice name and the time of the appointment. You cannot include the patient name or the nature of the appointment in the message. You also need to get patient authorization before communicating over text channels, even for appointment reminders.
The consequences for a HIPAA violation depend on the nature of the violation and who committed it. For example, the consequences are harsher for a violation on a hospital’s corporate account. A violation on the personal account of a nurse who works at that hospital will be less severe.
Every organization covered by HIPAA should have a sanctions policy for violations. These would apply to a violation made by someone who works at the organization.
And for the organization itself? A violation case that goes to the Health and Human Services Office for Civil Rights may result in a major financial penalty. The maximum fine is $1.5 million.
Source: National Consortium of Telehealth Resource Centers
1. Understand the regulations
HIPAA social media rules are tricky to understand specifically because there are no explicit HIPAA security regulations for social media. Instead, you need to take your understanding of the HIPAA Privacy Rule and apply it to social media.
In short, MLN specifies that you must:
- “Notify patients about their privacy rights and how you use their information
- Adopt privacy procedures and train employees to follow them
- Assign an individual to make sure you’re adopting and following privacy procedures, and
- Secure patient records containing PHI so they aren’t readily available to those who don’t need to see them.”
2. Train your team
As noted above, training your team is a required component of HIPAA compliance for social media. That means your whole team, not just your social team.
Almost all employees within a health care setting have access to some degree of PHI. That means any employee could expose your organization to social media HIPAA violations.
Examples of accidental social media HIPAA violations by your team might include:
- a staff Instagram photo that reveals a patient’s face in the background, or
- a post in a Facebook group about a celebrity consultation or difficult case.
3. Limit access to your social accounts
Limiting access to your social accounts protects your organization against posting content that violates HIPAA social media rules. Everyone on your team should understand the basics. But you need to assign one or two key people who are HIPAA social media experts. They should sign off on content before posting.
However, those experts are likely at too high of a level in your organization to be responsible for creating all the social content. That means you need a system of workflows and approvals. Appropriate members of your social team can create content that is then queued for approval by your HIPAA experts.
Hootsuite has a built-in content creation and approval process. You can assign specific permissions for individual team members. You can also set up approvals on responses to social comments, which is a key area where potential HIPAA violations can occur.
Hootsuite allows you to revoke access to your social accounts when someone leaves your organization or changes roles. This helps ensure compliance with HIPAA access rules.
4. Create clear social media guidelines
It is critical for any healthcare organization using social media to have a robust social media policy. The policy needs to clearly outline how HIPAA affects social media. Include some social media HIPAA violation examples to make the policy clear.
The policy should have detailed requirements for posts made from your corporate social accounts. But you also need to create HIPAA social media guidelines for staff personal accounts. HIPAA rules apply to the personal accounts of healthcare employees.
Build a system of HIPAA violation social media sanctions into the guidelines. This ensures employees understand the repercussions of breaking the rules.
5. Implement a social monitoring program
Implement a social media monitoring program that watches for hashtags and keywords relevant to your organization. This is an important way of understanding what’s being said about your organization on social media.
Many of the posts mentioning your organization may come from patients or other people who are not subject to HIPAA regulations. But it is also a good early-warning system for staff posts that accidentally violate the rules.
You’re in a much better position if you catch and resolve a disclosure of PHI on social media before a complaint is filed.
Is becoming Facebook friends with patients a violation of HIPAA?
It is not strictly speaking a HIPAA violation to be Facebook friends with a patient. However, it is not a recommended practice. Instead, create a Facebook business page that your patients can follow for updates from your practice.
Is following a patient on social media a HIPAA violation?
Seeking out a patient on social media using their PHI (including their name) may be a HIPAA violation. It is better to avoid personal connections with patients on social media.
What information can be shared without violating HIPAA?
You can share “de-identified” information on social media without violating HIPAA. Following the “safe harbor” method, you must remove all 18 identifiers from the information.
You can also share information not connected to any patient on social media. For example, you could share:
- healthy living tips
- staff profiles, or
- updates about how your organization supports the community.
Leading healthcare providers, insurers, and life science companies worldwide use Hootsuite to improve their customer experience, unify their social message, and ensure compliance with industry regulations. See for yourself why we are the healthcare industry’s leading social media management platform.
Book a personalized, no-pressure demo to see why Hootsuite is the health care industry’s leading social media management platform.