Understand the rules of HIPAA compliance and social media to avoid violations and fines
Does your practice use social media? A social media post containing protected health information (PHI) can compromise HIPAA compliance. Staying HIPAA compliant on social media is crucial to avoid the risk of fines. And it’s not as straightforward as you might think.
For example, in the most recent HIPAA violation due to social media misuse, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services announced a settlement with B. Brandon Au, DDS, Inc. of New Vision Dental in California over the impermissible disclosure of PHI in response to online reviews and other potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.
The violation involved the provider's use of social media to respond to patient reviews in a way that disclosed protected health information. This practice is prohibited under HIPAA.
Hefty fines imposed for social media HIPAA violations
New Vision Dental paid $23,000 to OCR and agreed to implement a corrective action plan (CAP) to resolve this investigation.
Healthcare social media is not like personal social media accounts
It is not uncommon to share photos and stories from your workday on Facebook and Twitter, but staying HIPAA compliant on social media is unfamiliar to most professionals. Most industries treat these posts as routine and harmless—no different from sharing vacation photos or past memories.
In today’s world, however, our increased interconnectivity can lead to serious problems for healthcare and behavioral health professionals. If the protected health information of patients or clients is posted on social media, it is a HIPAA violation and can result in serious fines.
The OCR cracks down on social media HIPAA violations
“This latest enforcement action demonstrates the importance of following the law even using social media. Providers cannot disclose protected health information of their patients when responding to negative online reviews. This is a clear NO,” said OCR Director Melanie Fontes Rainer.
Rainer continued, “OCR is sending a clear message to regulated entities that they must safeguard patients’ protected health information appropriately. We take complaints about potential HIPAA violations seriously, no matter how large or small the organization.”
New Vision Dental’s HIPAA compliance and social media issues
New Vision Dental was accused, in a complaint to OCR in November 2017, of impermissibly disclosing PHI, including patient names and treatment and insurance information. The complaint was based on the practice's public responses to online reviews by patients. OCR's investigation found potential violations of HIPAA's Privacy Rule, including improper uses and disclosures of protected health information. In addition, the organization should have provided a Notice of Privacy Practices and implemented privacy policies.
What can you post on social media as a healthcare professional?
When posting on social media as a healthcare professional, make sure your posts don’t contain information that can be tied to specific patients or medical records. An individual’s PHI includes demographic information that can be used to identify them, such as name, date of birth, address, social security number, medical information and financial data. Overall, you’ll want to avoid using any of the 18 unique identifiers of PHI. To safeguard patients’ privacy, HIPAA regulations prohibit the use of PHI in social media campaigns.
6 things healthcare professionals can post on social media
- Tips for healthy living that patients might find helpful.
- Patient-friendly upcoming events.
- Research or findings relevant to your area of expertise.
- Your organization’s honors or awards.
- An overview of your staff’s profiles or biographies.
- Advertisements for your services, as long as they do not include any patients' protected health information (such as names, photos or other personally identifiable information).
HHS offers detailed information and a guide if you are concerned and need more clarification about what you can and cannot post as a healthcare provider on social media.
Are you considering sending email with PHI?
The best way for nurses and doctors to securely communicate PHI is by email through a third-party email security provider that ensures the encrypted delivery of 100% of the emails you send. That’s where Paubox Email Suite’s HIPAA compliant email service comes in.
Paubox Email Suite enables HIPAA compliant email by default and automatically encrypts every outbound message. This means you don’t have to spend time deciding which emails to encrypt, and your patients are able to receive your messages right in their inbox—no additional passwords or portals necessary.
In addition to enabling healthcare email encryption for compliance with HIPAA email rules, Paubox Email Suite’s Plus and Premium plan levels include robust inbound email security tools that block malicious cyberattacks from reaching the inbox in the first place.