– Guest Post –
There is no doubt about it: social media has become a huge part of our day-to-day lives, with platforms such as Facebook, Instagram, and Twitter making it possible for us to interact and engage like never before. Like many organizations, healthcare professionals have realized the potential of social media to advertise and market their business, enhance patient engagement, and support professional networking. Social media can help to successfully grow your healthcare business and increase patient interaction and reach.
Social Media and HIPAA Compliance
HIPAA governs the use and disclosure of protected health information (PHI), but how do HIPAA regulations apply to the use of social media? As HIPAA was enacted before the boom of social media platforms, the act lacks clear social media guidance, leaving health professionals confused about how to keep their social media presence HIPAA-compliant.
As HIPAA standards still protect the privacy and security of PHI in social media posts, healthcare employees must familiarize themselves with the necessary guidelines to avoid costly HIPAA violations that can result in legal action against a healthcare provider and their employing organization. The high cost of HIPAA breaches has been highlighted in a recent case, in which a Texas pediatric nurse was fired for breaching the HIPAA Privacy Rule by posting PHI on a social media platform. It is worth remembering that content posted on social media platforms is available for the general public to see and reflects on your organization’s reputation.
How Can Social Media Posts Violate HIPAA Regulations?
As a healthcare provider posting on social media, the most important point to remember is that you must not include any PHI in your posts. PHI includes any health information that can be used to individually identify a patient, such as a name, date of birth, address, and medical data. Posts that do not identify a patient by name but provide enough information to enable a patient to be identified may also be considered a breach of HIPAA regulations.
In certain circumstances, healthcare organizations may be able to disclose PHI on social media platforms, but only after obtaining the relevant patient authorization. When obtaining authorization, healthcare professionals should ensure that the patient has a full understanding of how their data will be used and disclosed. Any subsequent social media posts should adhere to these predefined guidelines.
Healthcare practices must also be aware of unwittingly disclosing PHI, for example, by responding to social media posts created by patients or other organizations that may lead to the disclosure of protected information.
How to Make Social Media Communications HIPAA-Compliant
There have been several well-publicized breaches of HIPAA compliance involving social media. The ease of information exchange, combined with the informality of social media posts, makes the occurrence of HIPAA violations likely.
There are a number of guidelines that healthcare providers should follow to ensure that their social media interactions remain HIPAA-compliant:
- Given the increasing use of social media platforms in the healthcare industry, it is becoming essential for healthcare professionals to receive mandatory training that specifically covers HIPAA social media regulations. All staff should undertake annual refresher training courses to ensure that they stay up-to-date with the current policy.
- In the absence of any specific HIPAA social media guidelines, healthcare organizations must ensure that they devise and implement their own specific social media policies and procedures and that their use is enforced. These policies should be reviewed and updated annually as social media progresses. Healthcare facilities may wish to construct a best practice guide, discussing the intended content and tone of the practice’s social media posts. Worryingly, research conducted by the Institute for Health reports that only 31% of healthcare institutions provide their employees with social media guidelines.
- Cast a critical eye over your posts before sharing them to check for any PHI. You should also scan any images to make sure there is no identifiable information disguised in the background – this has caught out healthcare professionals in the past. Ensure that you obtain consent to use any photographic images for either educational or marketing purposes.
- Some healthcare organizations find it helpful to create a template or even a repository of standard HIPAA-compliant responses to simplify social media interaction with patients.
- Many users wrongly assume that an account set up as “private” enables the secure sharing of information. However, as social media interactions are not adequately encrypted to HIPAA standards, any sensitive information shared through these means presents a HIPAA violation. The same is true for social messenger services, such as Facebook Messenger, which are inherently insecure and, as such, should not be used to discuss sensitive patient information.
- Access to professional social media accounts should be limited to staff who are well-versed in the intricacies of HIPAA compliance.
Are AI and Machine Learning Paving the Way?
Manually reviewing social media posts to identify the presence of PHI is time-consuming and costly. Healthcare providers’ time is precious and best spent caring for their patients, so technological advances that improve this process are welcome. In recent years, Amazon Web Services (AWS) has announced two machine learning services to help streamline the process of de-identification.
The year 2017 brought the announcement of Amazon Rekognition, allowing text to be easily identified and extracted from medical images. Hot on its heels came the announcement of Amazon Comprehend Medical in 2018, a natural language processing service that allows the detection of PHI in unstructured sections of text. Healthcare technology trends indicate that the future will bring countless advancements in technology. Now it’s up to us to get ahead of the technology curve and be prepared.
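A pre-publication check built on the PHI detection described above, as an added example that is not part of the original post or AWS's own code: it takes a response in the shape returned by Amazon Comprehend Medical's DetectPHI operation and blocks and redacts a draft post. The sample draft, the sample response, the 0.5 score threshold and the function names are constructed for illustration.

```python
# Added example (not from the original post). In production the response comes from
#   boto3.client("comprehendmedical").detect_phi(Text=draft)
# Here a constructed response is embedded so the code runs offline.
MIN_SCORE = 0.5  # assumed review threshold, not an AWS recommendation

SAMPLE_DRAFT = "Great seeing Jane Doe today after her knee surgery on 03/14/2019!"

def _entity(text, kind, score):
    """Build one constructed DetectPHI-style entity located in SAMPLE_DRAFT."""
    begin = SAMPLE_DRAFT.index(text)
    return {"BeginOffset": begin, "EndOffset": begin + len(text), "Text": text,
            "Type": kind, "Score": score, "Category": "PROTECTED_HEALTH_INFORMATION"}

SAMPLE_RESPONSE = {"Entities": [        # constructed, not real service output
    _entity("Jane Doe", "NAME", 0.99),
    _entity("Jane", "NAME", 0.91),      # overlaps the span above
    _entity("03/14/2019", "DATE", 0.98),
    _entity("knee", "ID", 0.12),        # low-confidence hit, below the threshold
]}

def phi_spans(response, min_score=MIN_SCORE):
    """Return (begin, end, types) spans at or above min_score, overlaps merged."""
    hits = sorted((e["BeginOffset"], e["EndOffset"], e["Type"])
                  for e in response.get("Entities", [])
                  if e["Score"] >= min_score)
    merged = []
    for begin, end, kind in hits:
        if merged and begin < merged[-1][1]:
            prev = merged[-1]
            merged[-1] = (prev[0], max(prev[1], end), prev[2] | {kind})
        else:
            merged.append((begin, end, {kind}))
    return merged

def review_post(draft, response, min_score=MIN_SCORE):
    """Decide whether a draft may be published and return a redacted copy."""
    spans = phi_spans(response, min_score)
    out, cursor = [], 0
    for begin, end, kinds in spans:
        out.append(draft[cursor:begin])
        out.append("[" + "/".join(sorted(kinds)) + "]")
        cursor = end
    out.append(draft[cursor:])
    return {"publish": not spans, "findings": len(spans), "redacted": "".join(out)}

if __name__ == "__main__":
    print(review_post(SAMPLE_DRAFT, SAMPLE_RESPONSE))
```

A draft that passes here has only cleared the text check; images still need the separate review covered in the guidelines above.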