Publishing information about a patient’s diagnosis online is a growing conundrum for those who control the privacy and security rules outlined in HIPAA. In 2018, a pediatric nurse at Texas Children’s Hospital lost her job after posting details of a toddler’s measles diagnosis on an anti-vaxxer Facebook page. Since then, dozens of clinicians and nurses have lost their permission to post private information on social media. Often, these cases result in lawsuits and settlements by health care providers.
“In some cases, clinicians have faced criminal charges. But it happens in the worst cases, like a nurse or aide posting videos to social media, showing older people taking a shower, or even having sex,” said Diane Evans, editor of MyHIPAA Guide, a consulting and subscription service for HIPAA compliance management.
While these are the worst-case scenarios, she added, even seemingly innocuous social media posts by employees with protected health information could lead to breaches. Evans said she would like the federal government to release guidelines on social media, just as it has for other HIPAA-related issues, such as managing business associates. It’s important for all healthcare providers to have a social media policy with clearly defined requirements, according to Evans.
Be careful what you post
Evans recognized the potential benefits of using social media. For example, healthcare providers can attract new patients through social media websites. Posting reviews, however, can be a mistake. In 2016, Dallas-based Elite Dental Associates agreed to pay the US Department of Health and Human Services Office for Civil Rights (OCR) $10,000 and adopt a corrective action plan to resolve possible HIPAA violations. The OCR received a complaint from an Elite patient alleging that the practice responded to a social media review by disclosing the patient’s last name and details of his medical condition. OCR’s investigation found that Elite impermissibly disclosed the protected health information (PHI) of several patients in response to patient reviews on the Elite Yelp review page. Elite, a private dental practice that provided general dental, implant and cosmetic dental care, did not have a policy or procedure regarding the disclosure of PHI.
The issue of HIPAA social media compliance is particularly prevalent in the residential care industry, Evans said. To combat the problem, it is recommended that all clinicians have their employees undergo refresher training at least once a year so that HIPAA rules for social media are strictly adhered to. However, this is not commonly practiced. “This is in large part due to a lack of quality training programs and a general lack of knowledge about all of HIPAA compliance,” Evans said. “A training exercise checked off once a year is not enough. The remedy is a social media policy that prohibits any work-related posting to social media by any staff member without written permission. A sanctions policy is also essential. And it must be well communicated, so that employees know the consequences of violating an organization’s policies as well as the privacy of those served.”
James A. McGurk, social media manager at the University of North Carolina (UNC) Health in Chapel Hill, NC, said the HIPAA privacy guidelines are intended to apply to all forms of communication, including verbal, written and electronic. The handling of information on social media is particularly critical in terms of protecting privacy rights due to the wide reach of social media.
“UNC Health has a formal social media policy, which covers all teammates. The 13 hospitals affiliated with UNC Health have social media leaders who provide basic advice to employees and leaders on the appropriate use of social media channels,” said McGurk.
This information is provided during employee orientation and onboarding and is covered in the UNC HIPAA online training required of all teammates. Managers interested in exploring the use of social media are required to contact the UNC communications and marketing team before launching new social media channels. They are then informed about privacy and HIPAA considerations.
Avoid personalized medical advice
“Our doctors and colleagues are advised never to offer individual medical advice via social media. However, doctors and nurses could potentially answer questions on social media in very general terms, in order to navigate the platforms properly,” McGurk said. As a social media manager, he uses various social listening tools to actively monitor all of UNC’s social media channels and consults with a management team when issues arise.