HIPAA and Social Media Policies

By Daniel Lopez

There are no one-size-fits-all HIPAA and social media policies because the Administrative Simplification Regulations were published years before most people had access to social media. Different people use social media in different ways, so healthcare organizations must develop and enforce their own HIPAA-compliant social media policies.

Because of the way in which the HIPAA Administrative Simplification Regulations are published, it is not always clear that standards of the Security Rule cover individually identifiable health information protected by the Privacy Rule. One such example is the requirement to mitigate the risk of Protected Health Information (PHI) being impermissibly disclosed electronically – including by members of the workforce.

To identify non-permissible uses and disclosures of PHI, covered entities and business associates are required to implement a security management process that includes risk assessments, system activity reviews, security measures to reduce risks, and a workforce sanctions policy. However, in the context of HIPAA compliance and social media, this may not be enough to prevent impermissible disclosures.

There are dozens of cases in which a member of the workforce has used a personal device to impermissibly disclose PHI electronically on a social media platform. In all these cases no number of risk assessments, activity reviews, or security measures could have prevented the disclosures. In most, sanctions were applied to members of the workforce; and, in some, criminal charges were brought against the perpetrators.

HIPAA and Social Media Policies

Because impermissible disclosures of PHI on social media are “reasonably anticipated” threats to the privacy of individually identifiable health information, covered entities and business associates must develop policies prohibiting disclosures of PHI on social media. The only exception to this policy would be if a patient signed a valid HIPAA authorization form consenting to the disclosure of their PHI.

However, while this exception makes it permissible to disclose PHI on social media, it should not be encouraged. Posts on social media can be forwarded, copied, screenshot, or amended by anybody who sees the post. This means covered entities, business associates, and members of their workforces have no control over what happens to the content of the post – or even that it will remain in its original format.

This means that, in order for a patient’s authorization to be valid, the patient must be told that it may not be possible to delete the post if they change their mind or if an image is altered and causes offense. This condition must be included in HIPAA social media policies because the “right to revoke” is one of the rights that has to be included in a Notice of Privacy Practices, but it may not be possible to comply with it.

HIPAA Training on Social Media Use

HIPAA training on social media use should be included in initial training and repeated if a policy changes or when a risk assessment identifies a need for further training on HIPAA and social media. Repeat HIPAA training on social media use can also be used as a sanction for minor violations of workplace policies. More serious violations of HIPAA may require more severe sanctions to be administered.

Because of the risks of impermissibly publishing PHI, all training on HIPAA and social media policies should highlight the sanctions policy. Covered entities and business associates should also obtain an attestation from members of the workforce to state they have been informed about the social media policy, the procedures for obtaining a valid authorization, and the sanctions for violating HIPAA policies.

Depending on the organization’s corporate social media activities, it may be necessary to extend a HIPAA social media policy or develop a secondary policy. The reason for this is that the Federal Trade Commission (FTC) prohibits deceptive and misleading messaging. For example, it is a violation of Section 5 of the FTC Act to claim a certain product can treat a health condition unless there is scientific evidence to support the claim.

Covered entities and business associates who are unsure about how to develop a HIPAA social media policy, what to include in the policy, or how best to explain the policy to members of the workforce should speak with a compliance expert. In many cases, a compliance expert will be able to talk you through any state privacy laws that preempt HIPAA and federal laws such as the FTC Act that you may need to be aware of before using social media as a messaging tool.

Posted by

Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years' experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X at https://twitter.com/DanielLHIPAA