Social media has become an integral part of our personal and professional lives. For healthcare providers, however, understanding the complexities of social media usage is important to avoid potential Health Insurance Portability and Accountability Act (HIPAA) violations.
The ubiquity of social media platforms has transformed how healthcare professionals communicate and share information. While these digital tools offer numerous benefits, such as enhanced patient engagement and efficient information-sharing, they also present a challenge: the potential for accidental or intentional breaches.
In the first half of 2018 alone, more than 56% of the 4.5 billion compromised data records were attributed to social media incidents. These breaches can range from employees accidentally posting protected health information (PHI) in the background of a social media post to deliberate attempts to share sensitive patient details for personal gain.
Many healthcare professionals don’t fully comprehend the extent of HIPAA regulations for social media. Even seemingly innocuous comments or images can constitute a violation, as patient privacy can be compromised without explicitly mentioning the patient's name.
In June 2021, former nurse Kelly Morris faced suspension from her employer, Citadel Winston-Salem, for posting videos on TikTok that involved jokes about mistreating patients. While Morris claimed the videos were mere comedy skits and did not harm anyone, her employer deemed the content a violation of their core values and took disciplinary action.
In October 2020, employees at Ballad Health in Tennessee posted a photo of an individual undergoing surgery while the surgeons wore a racing helmet. Although the post did not include identifiable features, Ballad Health deemed the actions unacceptable and a violation of internal policies.
In April 2020, nurse Lillian Udell shared a video with the online publication The Intercept, interviewing her coworkers about working during the COVID-19 pandemic. While the video did not explicitly mention patient names, one of Udell's coworkers made a statement that could be seen as a potential HIPAA violation, leading to an investigation by the hospital.
In November 2019, a news investigation uncovered an online EMS Facebook group with over 23,000 members, most of whom were emergency responders. The group regularly posted uncensored videos and pictures of the scenes they encountered while on the job, a violation of patient privacy. The owner of the group, who worked as a paramedic at Grady Hospital, was disciplined for the second time in six months for posting about patients on social media.
In October 2019, the Office for Civil Rights (OCR) fined Elite Dental Associates for disclosing PHI on Yelp, a social media platform for reviewing businesses. The organization responded to a patient's review with details about their treatment plan, insurance, and cost, leading to a HIPAA violation investigation and a $10,000 settlement.
In August 2019, an employee from MUSC Health posted a photo of an infant patient with words printed across the child's face, without obtaining permission from the parent. This incident marked MUSC Health's sixth social media-related HIPAA violation in three years, despite the organization's zero-tolerance policy and past disciplinary actions.
In August 2019, a lawsuit was filed against Glenview Nursing Home for violating the Nursing Home Care Act, HIPAA, and other state privacy laws. The case stemmed from a Snapchat video that showed two employees taunting a 91-year-old resident suffering from dementia by waving a hospital gown in front of her.
In May 2019, Texas Children's Hospital fired a nurse who posted details of a pediatric patient's measles condition to an anti-vaccination support group on Facebook. While the nurse did not include the child's name, her Facebook profile listed her workplace, potentially compromising the patient's privacy.
In March 2019, Northwestern Medical Regional Group failed to inform a patient, Gina Graziano, about the privacy breach of her medical records. Graziano's ex-boyfriend's girlfriend, Jessica Wagner, had accessed Graziano's records without authorization and then posted the information on Twitter, leading to the hospital's termination of Wagner's employment.
One of the takeaways from these case studies is the need for more thorough and frequent HIPAA training for healthcare employees. Lack of understanding or disregard for HIPAA regulations is a common thread in many reported incidents, indicating the necessity for regular educational programs about patient privacy and social media usage.
In addition to enhanced training, healthcare organizations must establish clear and detailed social media policies that outline acceptable and prohibited practices for employees. These policies should address the use of social media platforms, the sharing of patient information, and the potential disciplinary actions for noncompliance.
Beyond training and policy development, healthcare organizations must cultivate a culture of accountability and responsible social media usage. Employees should be empowered to report potential violations, and leadership should demonstrate a strong commitment to HIPAA compliance through consistent enforcement and swift disciplinary measures.
Healthcare organizations can also use technological solutions to mitigate the risks of social media-related HIPAA breaches, including data access controls, content monitoring systems, and secure communication platforms that prioritize patient privacy.
Healthcare organizations should refrain from discussing specific patient health details on social media. Encourage patients to use secure communication channels or contact their healthcare provider directly for personalized inquiries.
Sharing general health information is fine, but avoid examples that might inadvertently reveal patient-specific details.
Use social media to share general health information and educational content. Encourage patients to seek personalized advice through secure channels to ensure privacy.