HIPAA and Social Media Guidelines
Learn how to avoid HIPAA violations due to social media misuse and get some useful HIPAA and social media guidelines.

Using social media is highly beneficial for businesses, whether they are digital marketing businesses or healthcare organizations. The latter, for example, use social media platforms to promote healthy lifestyles, raise awareness of emerging health issues, promote B2B services, etc. Yet communicating and posting on social media in healthcare must be highly selective, because the information you use may be subject to the HIPAA social media rules. This article is written to help organizations understand how to avoid HIPAA violations due to misuse of social media and to provide some useful HIPAA social media guidelines.
What Are The HIPAA Social Media Rules?
The first and foremost rule that HIPAA-covered entities and business associates must remember is that social media content must NEVER include protected health information (PHI) unless the patient has signed a valid HIPAA authorization. HIPAA itself does not specifically address social media (it was enacted in 1996, long before the active proliferation of social media), but the HIPAA Rules apply to any disclosure of PHI, including posts on social media platforms. Specifically, the HIPAA Privacy Rule permits Covered Entities and Business Associates to use or disclose PHI only as the Rule permits or requires (for example, for treatment, payment and health care operations) or with the individual's written authorization. A promotional post is none of those permitted purposes, so it needs the individual's authorization. Covered entities remain free to use social media to promote healthy lifestyles, market health insurance products and promote B2B services, provided no PHI is disclosed without authorization.
What is PHI Under HIPAA?
Protected health information, as defined in 45 CFR §160.103, means individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. (The definition carves out education records covered by FERPA, employment records held by a covered entity in its role as employer, and the records of individuals who have been deceased for more than 50 years.) That definition only makes sense together with the definitions of health information and individually identifiable health information. Health information is defined in the same section as any information, including genetic information, whether oral or recorded in any form or medium, that:
- Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
An example of health information is “post-traumatic stress disorder (PTSD)” or “broken arm.” Without a personal identifier, this describes a general health condition and is not linked to any specific person. Individually identifiable health information, in turn, is a subset of health information, including demographic information collected from an individual, that:
- Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
- Identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
An example of individually identifiable health information is “Mr. Jameson has a broken arm.” Posting a photo of a hypothetical Mr. Jameson with a broken arm, or writing such a sentence on social media, without the patient’s authorization is a serious HIPAA violation. It is important to understand that PHI is not limited to health conditions. The fact that Mr. Jameson has an appointment scheduled at the facility is also PHI, because it relates to the provision of health care; so are his name on a waiting-room photo, his account balance, or a reply that confirms he is a patient at all. NOTE: some social media platforms, such as Facebook and Instagram, try to protect themselves from involvement in healthcare data incidents by prohibiting use of the service to “submit […] any patient, medical, or other protected health information regulated by HIPAA or any similar federal or state laws, rules, or regulations”. Posting PHI there can therefore be a breach of the platform's terms as well as of HIPAA.
Understanding Patient Authorization Rules
Posting PHI on social media is permissible under HIPAA only with the data subject's written authorization. So if you want to publish a post containing PHI (a patient testimonial, for example), you need to know the authorization requirements in §164.508 of the Privacy Rule and build them into your HIPAA social media policy. A valid authorization must be written in plain language and include, among other elements:
- A specific description of the information to be used or disclosed;
- The name or class of persons authorized to make the disclosure, and the persons to whom it may be made;
- A description of the purpose of the use or disclosure;
- A statement that the information may be redisclosed by the recipient and may no longer be protected by the Privacy Rule;
- The individual's right to revoke the authorization, and how to do so;
- An expiration date or expiration event for the authorization;
- The individual's signature and the date.
A generic consent-to-treatment form or a verbal “sure, go ahead” does not meet these requirements.
Regarding revocation and expiry in particular, bear in mind that a social media post containing PHI can be widely shared, captured in screenshots and reposted. If a patient revokes their authorization, the organization can delete its own post but cannot recall the copies already in circulation, so it may be unable to fully honour the request. Plan for this before posting rather than after.
Understanding Professional Boundaries
Healthcare providers should maintain professional boundaries when using social media: avoid accepting friend requests from patients, avoid communicating with patients in social media chats, and be cautious about sharing personal information that could compromise your professionalism. Published HIPAA violation cases show how neglecting this rule can lead to fines. For instance, in June 2023 Manasa Health Center, a healthcare provider in New Jersey, reached a settlement resolving a complaint that OCR had received back in 2020. OCR alleged that Manasa Health Center impermissibly disclosed a patient's PHI when it posted a response to the patient’s negative online review. The entity paid $30,000 to OCR and agreed to implement a corrective action plan to resolve these potential violations. The lesson is that even a reply to a public review discloses PHI if it confirms that the reviewer is a patient or mentions their treatment.
Avoid Using Analytics
When using social media platforms and their advertising tools, HIPAA-regulated entities must consider that they are not permitted to use tracking technologies (such as the pixels and tags supplied by Meta and Google for analytics and ad attribution) in a manner that results in impermissible disclosures of individuals' PHI to the tracking technology vendors. For instance, on October 14, 2022, Advocate Aurora Health disclosed a breach affecting up to 3 million patients, whose electronic protected health information (ePHI) may have been transmitted to Google and Facebook by tracking “pixels” embedded in its websites and patient portal. The consequences of such an incident include substantial financial and reputational losses for the organization. Furthermore, HHS OCR guidance on tracking technologies warns that third-party trackers may continue to gather information about users even after they navigate away from the original website. Read more on data analytics in our blog post Is Google Analytics HIPAA Compliant?
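As an added example (not code from the original article or from Planet 9), the following Python script statically scans page HTML for the Meta Pixel and Google tag loaders and reports them only on the pages an organization has marked as patient-facing, since that is where a tag can send a vendor a URL, cookie or logged-in identity that ties a person to their care. The tracker catalogue, the sample pages and the patient-facing page set are constructed assumptions for illustration, not an exhaustive list of vendors.

```python
"""Static scan of page HTML for common third-party tracking tags.

Added example, not code from the original article or from Planet 9.
The tracker catalogue, the sample pages and the patient-facing page set
below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List, Set

# Hosts (scheme stripped) that load well-known trackers via <script>/<img>/<iframe> src.
# Assumption: this covers the vendors named in the article, not every tracker.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel (fbevents.js)",
    "www.facebook.com/tr": "Meta Pixel (image beacon)",
    "www.googletagmanager.com": "Google Tag Manager / gtag.js",
    "www.google-analytics.com": "Google Analytics",
}

# Inline-script calls that initialise the same trackers.
INLINE_PATTERNS = {
    re.compile(r"\bfbq\s*\(\s*['\"]init['\"]"): "Meta Pixel (fbq init)",
    re.compile(r"\bgtag\s*\(\s*['\"]config['\"]"): "Google Analytics (gtag config)",
    re.compile(r"\bga\s*\(\s*['\"]create['\"]"): "Google Analytics (analytics.js)",
}


class _TagCollector(HTMLParser):
    """Collect external src attributes and the bodies of inline scripts."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: List[str] = []
        self.inline: List[str] = []
        self._buf: List[str] = []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.srcs.append(a["src"])
        elif tag == "script":
            self._in_inline_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline_script:
            self._buf.append(data)  # a script body may arrive in several chunks

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline_script:
            self.inline.append("".join(self._buf))
            self._in_inline_script = False


def find_trackers(html: str) -> List[str]:
    """Return the distinct tracker names found in one HTML document, in order found."""
    parser = _TagCollector()
    parser.feed(html)
    parser.close()
    found: List[str] = []
    for src in parser.srcs:
        host_and_path = re.sub(r"^(?:https?:)?//", "", src.strip())
        for host, name in TRACKER_HOSTS.items():
            if host_and_path.startswith(host) and name not in found:
                found.append(name)
    for body in parser.inline:
        for pattern, name in INLINE_PATTERNS.items():
            if pattern.search(body) and name not in found:
                found.append(name)
    return found


def audit_pages(pages: Dict[str, str], patient_facing: Set[str]) -> Dict[str, List[str]]:
    """Report trackers on patient-facing pages only.

    Public pages deserve review too, but an appointment or portal page is where a
    tag can hand the vendor a URL, cookie or logged-in identity that links a person
    to their care, which is the impermissible disclosure the article describes.
    """
    findings: Dict[str, List[str]] = {}
    for path, html in pages.items():
        if path not in patient_facing:
            continue
        hits = find_trackers(html)
        if hits:
            findings[path] = hits
    return findings


# Constructed sample pages (hypothetical paths and placeholder tag IDs).
SAMPLE_PAGES = {
    "/": """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js', new Date()); gtag('config', 'G-EXAMPLE');</script>
</head><body><h1>Healthy living tips</h1></body></html>""",
    "/portal/appointments": """<html><head>
<script>!function(f,b,e,v,n,t,s){/* loader elided */}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000'); fbq('track', 'PageView');</script>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
</head><body><h1>Your upcoming appointments</h1></body></html>""",
    "/portal/messages": """<html><head><title>Secure messages</title></head><body></body></html>""",
}
PATIENT_FACING = {"/portal/appointments", "/portal/messages"}

if __name__ == "__main__":
    for path, hits in audit_pages(SAMPLE_PAGES, PATIENT_FACING).items():
        print(f"FINDING {path}: {', '.join(hits)}")
```

In practice you would run this over the rendered HTML of every page (from a crawler or the site's templates) and keep the tracker catalogue current. A static scan cannot see tags that a tag manager container injects at runtime, so pair it with a review of the tag manager configuration and with browser network captures taken while logged into the patient portal.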
HIPAA Social Media Checklist
HIPAA does not offer specific rules for social media, but each Covered Entity and Business Associate should have a social media policy that either prohibits workforce members from posting PHI on social media channels or sets out the procedure for doing so in compliance with HIPAA. The sanctions policy that HIPAA already requires (45 CFR §164.530(e) for the Privacy Rule and §164.308(a)(1)(ii)(C) for the Security Rule) should explicitly cover HIPAA violations on social media. To evaluate your HIPAA social media compliance, use the following checklist:
- Develop clear policies covering social media use and ensure all workforce members acknowledge the policy. Review and update your social media policies at least annually.
- Train all workforce members on acceptable social media use. Communicate the potential consequences of violation of the HIPAA social media policies.
- Ensure all social media platforms used by the company are approved.
- Monitor your organization’s social media accounts and implement controls that can flag potential HIPAA violations.
- Do not engage in online discussions with patients/plan members who have disclosed their own PHI on social media networks; your reply can still confirm the patient relationship or add details, which is itself a disclosure.
- Ensure appropriate access controls and MFA are in place to prevent unauthorized access to corporate social media accounts.
- Ensure all social media accounts and other online platforms are included in your organization’s risk assessments.
Finally, use social media cautiously, and feel free to contact Planet 9 team with any HIPAA compliance issues. We’ll be happy to assist!