In 2018, a Texas nurse published a post on her personal Facebook account about a case of a young boy who was battling measles at her hospital. Though she didn’t actually name the patient, she did provide descriptive information about him, and her Facebook profile also listed her job title and the name of the hospital where she worked. On top of all that, there hadn’t been many cases of measles in this particular city; in fact, there’d been fewer than 10 cases in 10 years. For these reasons, hospital administrators were concerned that the boy could be identified from the nurse’s posts, so they eventually decided to fire her.
This jarring incident illustrates the trouble that some healthcare professionals experience when navigating HIPAA and social media. Like most adults, healthcare providers may maintain personal social media accounts. And, of course, they have a right to post their vacation photos on Facebook or Instagram just like anyone else. But providers can quickly run afoul of HIPAA regulations if they discuss patient care, vent about difficult clients, or interact on a personal level with a patient on a social media platform.
“Managers and clinicians at all levels need to understand how privacy breaches commonly happen because in understanding what can go wrong, they will be equipped to prevent breaches,” says Diane Evans, publisher of MyHIPAA Guide, a consultancy and subscription service for HIPAA compliance management.
What Is a HIPAA Violation?
Stated simply, one way that a HIPAA violation can occur is if an individual’s protected health information (PHI) is used or disclosed without their permission.
Evans cites three common types of HIPAA violations that healthcare professionals commit on social media:
- Staff members sharing photos of patients with friends: Sharing patient information — in any form — with unauthorized individuals is a HIPAA violation in and of itself. Even if you trust your friends, you’re legally prohibited from sharing anything about your patients with anyone who isn’t part of their care team. On top of that, consider that once those images make it onto someone’s phone or device, they can end up anywhere. That, in turn, will make the violation even worse.
- Adding patients as friends or liking their personal posts on social media: If you do this, you run the risk of onlookers inferring that those individuals are patients of a particular doctor or healthcare organization.
- Publishing images, text, and videos of patients without their express consent: This would include situations like publishing patient testimonials on your clinic’s website without getting their specific consent for publicizing it.
These types of gaffes can lead to fines, sanctions, and potentially even the revocation of your license to practice.
3 Examples of HIPAA Breaches on Social Media
Unfortunately, the internet is overflowing with similar stories of HIPAA social media blunders with less-than-ideal results for those involved:
A patient published a social media post in which she expressed her satisfaction regarding a procedure her dermatologist performed for her. After seeing her post, the dermatologist then shared the patients’ unofficial testimonials on his own social media pages and website, but without obtaining her permission first. The patient discovered what he’d done and sued him for violating HIPAA.
Two Ohio medical center employees posted to a Facebook group a picture of the medical record of a woman diagnosed with an STD. The woman sued both employees, the boyfriend of one of the employees, and the hospital.
A Michigan nurse vented on her Facebook account about her on-the-job encounter with a man who allegedly killed a police officer in a shootout and received treatment for his wounds at the hospital where she worked. Though she never mentioned the suspect’s name or his medical condition, nor specifically identified the hospital where he received care, administrators were concerned that the amount of publicity surrounding the incident would make it too easy for people to know which patient she was referring to. Consequently, they fired her.
What Are the Consequences of Inappropriate Social Media Use?
The National Council of State Boards of Nursing lays out the potential consequences for nurses who misuse social media, but these penalties could apply to any healthcare professional:
- Disciplinary action by the licensing board, such as the Board of Nursing or Medicine
- Professional reprimand or sanction
- Monetary fine
- Loss of licensure on a temporary or permanent basis
Beyond the state licensing board, the U.S. Department of Health and Human Services also investigates HIPAA violations, and the fines can be substantial if you’re found to have disclosed PHI on social media. Depending on the nature and severity of the violation, HIPAA fines can range from $100 to $50,000 per incident.
Basic HIPAA Social Media Guidelines to Keep in Mind
“[HIPAA] training is required for every employee, outside contractor, or even volunteers who, in providing services, may have potential access to private information,” says Evans.
However, organizations need to promote a culture of vigilance to help avoid issues regarding HIPAA and social media.
The American Medical Association (AMA) offers specific guidelines for doctors regarding their use of social media, but any practitioner or organization can use a similar framework to develop some commonsense policies about how to protect patient confidentiality on social media. Here are a few examples of such guidelines:
- Don’t post about patients on any social media platform without their explicit consent.
- Maintain separate personal and professional social media profiles.
- Do not use social media platforms to communicate with patients. Use only applications certified for HIPAA compliance.
- Don’t vent work frustrations online, even in social media groups that are supposedly “private,” including those that are membership-based or password-protected.
HIPAA Marketing Guidelines for Healthcare Business Owners
When Pew Research Center last surveyed Americans regarding technology and healthcare, they found that large numbers of people seek medical information on the internet, including via social media channels. To effectively market your organization on social media without violating HIPAA, avoid sharing any information that could be used to identify a patient without his or her consent. Don’t share patient stories or photos unless the individuals have signed consent forms.
To avoid violating HIPAA, use social media channels only for:
- Posting links to your own webpages that contain disease-specific information, such as explaining what shingles is, without using an identifiable case study or image.
- Linking to your organization’s treatment information pages. For example: You can share a link to a page that explains how your organization uses the latest robotic technology to perform minimally invasive procedures.
- Offering profiles of your organization’s doctors, nurse practitioners, and other providers.
- Sharing news about your organization, including facility expansion, special events, and other newsworthy items.
- Providing crisis communication, such as where the public should seek shelter during a natural disaster like a hurricane.
- Disseminating public health information, such as influenza statistics, for your local community.
- Recruiting patients for your organization’s clinical trials.
While social media is a fun way to keep up with friends and news during the day, as well as a good marketing tool, it also poses plenty of risks at work. You must be careful to avoid the penalties that come with HIPAA violations. And, if you work on a team, you should train your staff on best practices for using social media responsibly.