Male healthcare worker scrolling on a cell phone

How to Avoid Social Media HIPAA Violations

by Christy Arnold J.D., on May 18, 2017
What is HIPAA?
You may be familiar with a little law called the Health Insurance Portability and Accountability Act of 1996 (also known as “HIPAA”).  You have likely signed many consents, notifications and notices regarding disclosures covered under this law.

This law applies to “covered entities and their business associates” which include health care providers, health plans and individuals and businesses who work with them and have access to “Protected Health Information” also known as PHI.PHI includes most “individually identifiable health information” held or transmitted by a “covered entity or its business associate” whether electronic, on paper, or oral.  There are a small number of exempt categories.

What Makes Information PHI?
Protected Health Information is information, including demographic information, which relates to (1) a person’s past, present, or future physical or mental health or condition, (2) the provision of health care to a person, or (3) the past, present, or future payment for the provision of health care to a person, and that identifies the person or for which there is a reasonable basis to believe can be used to identify the individual. There are many common identifiers that can make health information “individually identifiable”. 

   Protected Health Identifiers Include: 
  • Names;
  • All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of the ZIP code if, according to the current publicly available data from the Bureau of the Census:
  • The geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and 
  • The initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000.
  • All elements of dates (except year) that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
  • Telephone numbers;
  • Vehicle identifiers and serial numbers, including license plate numbers;
  • Fax numbers;
  • Device identifiers and serial numbers;
  • Email addresses;
  • Web Universal Resource Locators (URLs)
  • Social security numbers;
  • Internet Protocol (IP) addresses;
  • Medical record numbers;
  • Biometric identifiers, including finger and voice prints;
  • Health plan beneficiary numbers;
  • Full-face photographs and any comparable images;
  • Account numbers;
  • Any other unique identifying number, characteristic, or code; and
  • Certificate/license numbers.
 
How Employers Can Avoid Social Media HIPAA Violations
HIPAA requires compliance to ensure the security and privacy of your PHI is maintained and requires specific action if a breach occurs. Breaches can be very costly and can extend to the covered entity and in some cases to individual employees. 

Businesses and individuals spend a significant amount of time creating policies and procedures, and conducting training with employees to implement the policies and procedures and maintaining the security of their databases.  All of this privacy and security implementation and training can be undone with one social media post.  As noted in an article from Pharmacy and Therapeutics, social media can include but is not limited to social media (Facebook, MySpace, Google Plus, Twitter); professional networking (LinkedIn); media sharing (YouTube, Flickr); content production (blogs [Tumblr, Blogger] and microblogs [Twitter]); knowledge/information aggregation (Wikipedia); and virtual reality and gaming environments (Second Life). 
 
    Examples of Nurses Violating HIPAA Through Social Media:
  • A nurse posted a seemingly innocent picture of a funny coffee mug on Instagram (that happened to be sitting next to an open patient file listing PHIs).
  • A post on Facebook about a patient (even one that leaves out the name of the patient).
  • A comment on social media about a rumor, funny incident or patient can be a breach if any of the identifiers listed above are present. 
    Employers, Remember To:
  1. Review your HIPAA policy and procedures to ensure you have included social media training and policies. 
  2. Train your entire staff (not just supervisors or managers) to ensure they are aware of what PHI is and the identifiers that can lead to breaches. 
  3. Institute and enforce a social media policy including a policy on the use of free, unencrypted email services or electronic calendars.
  4. Implement a clean desk rule policy.
  5. Make your staff aware of the stiff penalties for social media hipaa violations. 
  6. Routinely review policies with employees including items listed on the checklist below.
 
Social Media Checklist
Some key items to review with employees are listed in A Checklist For Avoiding Social Media HIPAA Violations and are listed below: 
  • Keep personal social media accounts separate from the practice accounts. 
  • Avoid “friending” patients and clients.
  • Understand that even a deleted post can still exist in cyberspace. (Search engines are constantly scouring all social channels, aggregating and storing information to serve it up to anyone entering a search query. If a few seconds pass between posting a comment and deleting it, the search engine may have already come, picked up the information and gone).
  • Understand that even posts on a private personal page can be accessed by users other than friends and followers.
  • Understand that HIPAA lists eighteen personal identifiers including photos, neighborhoods, birth dates and vehicle identifiers. All of these must stay private. In small communities especially, people can quickly determine who is in the hospital and for what with just a few details. Innocent comments about a patient lead to identification.
  • Understand that even if a patient posts every last detail about his or her medical issues and treatments, no medical professional or staff should repost, retweet or "regram" this information on their personal pages.
  • Understand that when someone comments on a patient’s page about illness or treatment, that goes farther than the patient, it goes to all his or her friends as well.
  • Understand they do not have the right to transmit by electronic media any image of a patient.
  • Understand they do not have the right to take a photo of a patient on their personal phones or possibly any phone.
  • Understand they must report any breach of privacy or confidentiality committed by any fellow employee.
  • Understand they must never post information on personal social media pages as the voice or representative of the hospital, practice or business.
  • Be aware that, during photographable events like office parties, all patient files or photos must be hidden.
  • Understand that they must encourage any patient looking for advice on social media to contact their nearest health professional.
 
Penalties for HIPAA Violations
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules. Penalties for social media hipaa violations can be expensive.  Below is a summary of the civil penalties that can be assessed.  Depending on the situation, violations may also result in criminal prosecutions.
HIPAA Violations Minimum Penalty Maximum Penalty
Unknowing $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation) $50,000 per violation, with an annual maximum of $1.5 million
Reasonable Cause $1,000 per violation, with an annual maximum of $100,000 for repeat violations $50,000 per violation, with an annual maximum of $1.5 million
Willful neglect but violation is corrected within the required time period $10,000 per violation, with an annual maximum of $250,000 for repeat violations $50,000 per violation, with an annual maximum of $1.5 million
Willful neglect and is not corrected within required time period $50,000 per violation, with an annual maximum of $1.5 million $50,000 per violation, with an annual maximum

Compliance with HIPAA requires employers and employees to be vigilant in keeping health information private and secure.  Constant training and updates to employees are necessary to ensure everyone is aware of current policies and complying with them to ultimately avoid social media hipaa violations.

For more specific information on covered entities, business associates and PHI, please visit https://www.hhs.gov/hipaa. 
 
99
Christy Arnold J.D.

Christy Arnold serves as LandrumHR's Managing Director - General Counsel.

View more blogs by Christy Arnold J.D.