Social media is a great way to stay in touch with friends and family. Unfortunately, what seems innocent enough can escalate into something that compromises privacy.
In the healthcare industry, people are constantly looking for new ways to reach out to patients and colleagues. However, there has been a lot of controversy about how healthcare professionals use social media.
If you’re a healthcare provider, it is your duty to know the HIPAA rules and be aware of how they apply to your organization.
It's crucial to take HIPAA compliance seriously because a violation will not only bring legal repercussions but could also lead to huge monetary penalties and even imprisonment.
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects the privacy and security of your medical information.
The HIPAA Privacy Rule prohibits the disclosure of ePHI on social networking sites without the patients' express consent.
A number of medical providers have violated HIPAA on social media. As a result, they faced severe consequences like lawsuits, penalties, and job losses.
It's rare for healthcare professionals to share patient information on social media. However, there are cases of these violations that we should explore and learn from.
In Grand Rapids, Michigan, resident doctors at Spectrum Health took photos of their patients and posted them on their public Instagram account. Some of the pictures show patients on the operating table with procedures going on. Others show internal organs the doctors just removed from their patients.
No one had obtained written authorization from the patient or family members to post these pictures. Even if they got written consent, many of them were very personal pictures not intended for public viewing.
People could potentially identify one of the patients through these images, violating the HIPAA Privacy Rule.
Elite Dental Associates was fined by the Office for Civil Rights (OCR) for disclosing protected health information (PHI) on Yelp, a crowd-sourced local business review and social networking site.
On one review, Elite replied with the patient's name, information on their treatment plan, and insurance coverage and costs. An OCR investigation was launched after a patient complaint. The search revealed similar comments made previously by Elite on Yelp. As a result, Elite paid a settlement of $10,000.
If PHI is disclosed either intentionally or due to negligence, this can result in civil or criminal penalties. Fines could run up to $50,000 per violation, depending on intent and prior offenses.
Since Elite Dental Associates had multiple violations in a relatively short time period, the fine could’ve been up to $1.5 million. In a way, Elite was lucky to receive such a low fine.
A pediatric nurse at Texas Children's Hospital was fired for posting information about a patient to a Facebook group.
The kid was too young to receive the measles vaccination before contracting the rare disease. He was suffering from a painful rash and a high fever when he went to the hospital.
The nurse shared some information about the boy's medical condition on an anti-vaccination support Facebook group. She did not mention the child by name, but her Facebook page indicated where she worked. One parent, whose child was treated at the hospital, posted screenshots to the hospital's Facebook page.
After an investigation, the hospital immediately suspended the nurse. Later, the nurse deleted some of her comments, but the hospital eventually terminated her employment for disclosing PHI.
There are multiple ways information can be disclosed on social media.
Because of the nature of social media, it is very easy to share information and images. In turn, it's also very easy to violate HIPAA and put your organization and patients at risk.
Here’s how you and your staff can avoid HIPAA violations on social media:
In spite of its obvious nature, this is still worth mentioning. Even the most careful healthcare workers make mistakes once in a while.
PHI should never be shared on social media. It doesn’t matter if you have a private account with limited friends, or are a mommy influencer with thousands of followers.
As mentioned earlier, the HIPAA Privacy Rule prohibits ePHI from being disclosed on social media networks without a patient's express consent. This includes any text, images, and videos about specific patients that could provide information about them.
This is one of the most common social media HIPAA violations and it can result in a hefty fine or even the loss of your license.
If you see a colleague posting a patient’s information on social media, you should politely let them know that this is against both common and HIPAA regulations. Some of them might not know or may have forgotten the severity of the violation.
Did you know that supposedly harmless social media posts could land you in hot water with the HIPAA guidelines? This is because, under HIPAA, you are responsible for protecting the privacy of patients.
If you have a case with a patient that seems particularly unusual, the last thing you want to do is make things worse by saying something you don't mean or can't take back!
It's easy to get swept up in the enthusiasm of simply sharing your thoughts on social media. After all, the whole purpose of what we do here is to share information freely, right? Yet even an innocent-sounding post could lead to content violations for HIPAA.
Many people have been fired from jobs, shunned from their social circles, left by loved ones, or have been investigated for illegal activity because of information that was originally intended to be private.
You might think you're safe if you share patient information in Facebook Messenger groups or Slack channels instead. But this is still wrong and downright risky.
Some of the biggest hospital scandals have arisen from employees misusing their access to patient information. These scandals have resulted in damaged reputations, massive fines, and even cases where patients have died.
Anyone with access to the group can view the patient data. And if data isn't well-protected, it can fall into the wrong hands. With digital media, you never truly know who's reading. Just because you are in private groups doesn't necessarily mean that you are in control of that privacy.
We all have been guilty of sharing too much information with those who don't need it. But as a healthcare provider, you can face a penalty of up to $50,000 per infraction. If you really need to share information with a co-provider, use HIPAA-compliant tools like Google Workspace.
Just like any other aspect of your practice, it’s important to set guidelines for your staff to follow. Having a social media policy for your organization is crucial to protect it from HIPAA violations.
Make sure your clinic staff knows that sharing patient information with anyone, including friends or family, can be considered a violation of HIPAA.
Clarify everything and leave no room for misunderstanding. If employees have questions, let them know they can contact you or another member of your management team.
HIPAA violations are no joke. A single violation can cost you millions of dollars in fines. Emphasize that to prevent any serious problems.
It's not news that social media is a very useful tool for organizations and professionals to stay in touch with their audience. However, it's possible to go too far and violate personal privacy.
Patient privacy is of prime importance in the healthcare industry. A breach can lead to lawsuits, loss of customers, and loss of revenue.
As the healthcare industry continues to shift toward a more paperless environment, more and more of our documents are being stored online. With this shift, it is also crucial to ensure the security of your data.
Being HIPAA compliant is more critical than ever. An IT partner who is focused on healthcare, such as ER Tech Pros, reduces the risks of HIPAA violations.
Schedule a free consultation with one of our experts to find out how we can help your practice succeed.