Posting information online about a patient’s diagnosis is a growing conundrum for those policing the privacy and security rules outlined in HIPAA. In 2018, a pediatric nurse at Texas Children’s Hospital lost her job after she posted details about a toddler’s measles diagnosis on an Anti-Vaxxer Facebook Page. Since then, scores of clinicians and nurses have lost their licenses for posting private information on social media. Often these cases result in lawsuits and settlements by health care providers.
“In some cases, clinicians have faced criminal charges. But this happens in the worst cases, such as a nurse or aide posting videos to social media, showing elderly people as they are taking showers or even having sex,” said Diane Evans, publisher of MyHIPAA Guide, a consultancy and subscription service for HIPAA compliance management.
While these are the worst-case scenarios, she added, even seemingly innocuous postings to social media by employees containing protected health information could result in breaches. Evans said she would like to see the federal government disseminate social media guidelines, just as they have with other HIPAA-related issues, such as the handling business associates. It’s important for all health care providers to have a social media policy with requirements clearly spelled out, according to Evans.
Careful What You Post
Evans acknowledged the potential benefits of using social media. For example, health care providers can attract new patients via social media websites. Posting reviews, however, can be a mistake. In 2016, Dallas-based Elite Dental Associates agreed to pay $10,000 to the Office for Civil Rights (OCR) at the US Department of Health and Human Services and adopt a corrective action plan to settle potential HIPAA violations. The OCR received a complaint from an Elite patient alleging that the practice had responded to a social media review by disclosing the patient’s last name and details of their health condition. OCR’s investigation found that Elite had impermissibly disclosed the protected health information (PHI) of multiple patients in response to patient reviews on the Elite Yelp review page. Elite, a privately-owned dental practice that was providing general, implant, and cosmetic dentistry, did not have a policy and a procedure regarding disclosures of PHI.
The social media HIPAA compliance problem is especially widespread in the residential care sector, Evans said. To combat the problem, it is recommended that all clinicians make sure their employees take refresher training at least once a year to ensure HIPAA social media rules are strictly followed. This is not commonly practiced, however. “In large part, this is due to a lack of quality training programs and a lack of knowledge in general about the full scope of HIPAA compliance,” Evans said. “A check-the-box training exercise once a year is not sufficient. The remedy is a social media policy that forbids any work-related postings on social media by any staff members without written authorization. A sanctions policy is also a must. And it needs to be well communicated, so that employees know the consequences for violating an organization’s policies as well as the privacy of individuals served.”
James A. McGurk, the social media manager at the University of North Carolina (UNC) Health in Chapel Hill, North Carolina, said the HIPAA Privacy Rules are intended to apply to all forms of communication, including verbal, written, and electronic. The handling of information on social media is particularly critical in terms of protecting privacy rights because of social media’s broad reach.
“UNC Health has a formal social media policy, which covers all teammates. All 13 UNC Health affiliate hospitals have social media leaders who provide basic advice to employees and leadership on the appropriate use of social media channels,” McGurk said.
This information is provided at employee orientation and onboarding and is addressed in UNC’s online HIPAA training required by all teammates. Department leaders interested in exploring social media use are required to contact the UNC communications and marketing team prior to launching any new social media channels. They are then briefed on privacy and HIPAA considerations.
Avoid Personalized Medical Advice
“Our doctors and coworkers are advised to never offer individual medical advice via social media. However, doctors and nurses could potentially reply to questions on social media in very general terms, as a way to navigate the platforms properly,” McGurk said. As social media manager, he employs various social listening tools to actively monitor all of the UNC social media channels and he consults with a leadership team when concerns arise.