There are no specific HIPAA and social media standards because the HIPAA Administrative Simplification Regulations were published years before most people had access to social media. Consequently, healthcare organizations must develop and enforce social media policies that comply with HIPAA based on a risk assessment to identify potential threats to PHI.
Under §164.306(a) of the Security Rule, covered entities and business associates are required to “protect against any reasonably anticipated uses or disclosures of electronic PHI that are not permitted or required under subpart E of this part [the Privacy Rule].” The standard also requires covered entities and business associates to “ensure compliance […] by its workforce”.
To identify non-permissible uses and disclosures of PHI, covered entities and business associates are required to implement a security management process that includes risk assessments, system activity reviews, security measures to reduce risks, and a workforce sanctions policy. However, in the context of HIPAA and social media, this may not be enough to prevent impermissible disclosures.
There are dozens of cases in which a member of the workforce has used a personal device to disclose PHI on a social media platform. In all these cases, no number of risk assessments, activity reviews, or security measures could have prevented the disclosures. In most, sanctions were applied to members of the workforce, and in some, criminal charges were brought against the perpetrators.
HIPAA and Social Media Policies
There are circumstances in which disclosures of PHI on social media are well-intended – such as when photographs of recovering patients or new-born infants are publicly shared. However, once a post is published that contains identifying characteristics, members of the workforce have no control over who sees it or how PHI is further used and disclosed – even in private groups.
While it is possible for patients to provide an authorization for PHI to be disclosed on a social media platform, for the authorization to be valid, patients have to be told that the post could be forwarded, copied and pasted, or screenshotted by anybody who sees it. Consequently, patients also have to be told that it may not be possible to delete the post if they change their mind.
Because of the risk of PHI being misused after being disclosed on a social media platform, covered entities and business associates should develop HIPAA-compliant social media policies that clarify the acceptable use of social media in the workplace and that stipulate no PHI should be disclosed via social media without a valid authorization form signed by the subject of the PHI.
HIPAA Training on Social Media Use
In order for the policies to be effective, HIPAA training on social media use should include an explanation of what is considered PHI under HIPAA, why it must be protected, and the consequences of posting anything on social media. If members of the workforce are allowed to post PHI with a valid authorization, the procedures for obtaining a valid authorization should be included.
Because of the risks of impermissibly publishing PHI, all training on HIPAA and social media policies should highlight the sanctions policy. Covered entities and business associates should also obtain an attestation from members of the workforce to state they have been informed about the social media policy, the procedures for obtaining a valid authorization, and the sanctions for violating HIPAA.
Importantly, training on HIPAA and social media policies needs to be provided to all members of the workforce – not just those with access to PHI. This is because any member of the workforce with a smartphone can take a photo of a celebrity entering or leaving a medical facility and post it on a social media platform within minutes.
Conclusion – Why Policies are Important
Social media policies, HIPAA training, and a sanctions policy are important because, if a member of the workforce is not trained on social media use, and they disclose PHI impermissibly on a social media platform, the covered entity or business associate is liable for the HIPAA violation if a complaint is made by the subject of the PHI to HHS’ Office for Civil Rights.
Therefore, covered entities and business associates should prioritize HIPAA and social media risk assessments, develop policies for social media use (or amend existing policies where applicable), provide training, and enforce sanctions against members of the workforce who violate the social media policies. If your organization is not sure how to do this – or lacks the resources to do it effectively – you should seek HIPAA compliance advice.