Compendious Med Works

HIPAA Violations on Social Media

It would be quite an understatement to say that the medical community has noticed a change in the government's enforcement stance regarding HIPAA violations involving social media. Instances of unprofessional behavior by providers are becoming legion. News reports of doctors discussing patient cases on Facebook, medical personnel "friending" patients, and nurses posting "humorous" X-rays online are disturbingly common. HHS investigations into this type of behavior represent a sea change in the nature of HIPAA compliance – from the handling of paper records and staff education to enforcement and the security of electronic media – and a change that should have general counsels, CIOs and compliance directors taking notice. A health system that fails to address these issues proactively could find itself in perilous waters. Below are the HIPAA violations that occur most often on social media.

Common examples of HIPAA violation cases on social media include:

  1. Posting, or relaying to unauthorized individuals, 'verbal' gossip about a patient, even if the patient's name is never disclosed.
  2. Sharing photos, or any other kind of PHI, without written consent from the patient.
  3. Mistakenly believing that posts are private or have been deleted when they are still publicly visible.
  4. Sharing seemingly innocent pictures or comments, such as a photo of a workplace lunch, that happen to show patient files in the background.

Here is a list of some basic HIPAA social media guidelines that should be followed within your organization to ensure compliance with HIPAA Rules:

  1. Ensure all employees are aware of how HIPAA relates to social media platforms and develop clear policies covering social media use.
  2. Conduct refresher training sessions annually and train all staff on acceptable social media use as part of HIPAA training.
  3. Communicate all possible penalties for HIPAA violations on social media – loss of license, criminal penalties, and termination.
  4. Ensure that your compliance department approves all new uses of social media sites.
  5. Update and review your policies on social media annually.
  6. Develop procedures and policies on social media use for marketing purposes, including standardizing how marketing takes place on social media platforms.
  7. Develop a policy that requires corporate and personal accounts to be completely separated.
  8. Create a policy that requires your legal or compliance department to approve all your social media posts prior to posting.
  9. Monitor your organization's communications and social media accounts and implement controls that can flag potential HIPAA violations.
  10. Encourage your staff to report any potential HIPAA violations.

The HITECH Act dramatically increased civil monetary penalties for unauthorized releases of Patient Health Information (PHI) and significantly added to the Office for Civil Rights' enforcement resources. HITECH's passage seems to have invigorated HHS and OCR, which have made it clear through their enforcement actions that unauthorized disclosures via portable electronic devices and technical security are squarely in their crosshairs. Part of this enhanced scrutiny is the Office for Civil Rights' concern about security breaches through social media platforms, as this technology becomes an increasingly popular form of communication. Reports of privacy breaches through social media platforms like Twitter, Facebook, and MySpace are increasing and can be ignored only at a hospital's peril. Few people would argue that the notion of privacy prevailing on social media agrees with the privacy protections HIPAA demands. Because these particular violations are so new, HHS has yet to reach a formal decision on its response.

HHS has clearly signaled to all covered entities (CEs) that they must implement a comprehensive policy on social media use, consistently enforce and apply a sanctions policy, and employ reasonable means to do so. All indications are that CEs that do not aggressively get out in front of unauthorized releases of Patient Health Information through every avenue, including social media, will face stiff penalties, including corrective action plans and fines.

To address these concerns, new monitoring tools are being developed. For example, a North Carolina-based mobile solution development company, Novarus Healthcare, is developing a proprietary and confidential mobile technology that proactively monitors social media platforms for HIPAA violations, allowing providers to keep pace with the prevalence and use of social media. As social media continues to grow, tools that allow providers to meet these developing challenges by identifying and correcting violations will become an integral part of a coordinated risk-management program. It is absolutely essential that such tools score the severity of each issue, identify the potential breach, and deliver actionable, easily understood reports to the client CE so that it can address improper behavior immediately.