Everything you need to know about HIPAA Compliance when posting on social media as a healthcare practice
If you read the article on how social media can be a waste of time, you know why it is important to post pictures and content of your staff, patients, and your community.
Cost of Violating HIPAA
According to HHS, the majority of HIPAA violations from recent years have occurred from employees mishandling Protected Health Information (PHI), many of which stem from inappropriate social sharing. Violations under the HIPAA Privacy Rule include Civil Money Penalties which can result in fines ranging from $100 – $1,500,000 or Criminal Penalties which can result in fines up to $250,000 and up to 10 years in prison. Other consequences of violating HIPAA include lawsuits, the loss of a medical license or employee termination.
How does someone Violate HIPAA?
The best way to understand how to avoid violating HIPAA is by understanding what it takes to violate HIPAA. On one hand, violating HIPAA is simple:
You violate HIPAA by sharing Protected Health Information (PHI)
So, as long as you don’t share Protected Health Information (PHI) you are fine. Let’s define what PHI is, but first, it is important to clarify some background information on what HIPAA is.
HIPAA Compliance – What It Means
The Health Insurance Portability and Accountability Act (HIPAA) actually consists of five titles. However, when someone refers to HIPAA compliance, they are generally not referring to the entire act; they are referring to Title II, which is also known as the Administrative Simplification provisions.
Title II of HIPAA includes several compliance requirements: National Provider Identifier (NPI) Standard, Transaction Standards, Security Rules for ePHI, enforcement rules, and privacy rules.
When a person or entity violates HIPAA through inappropriate social sharing, the exact section of HIPAA that they violate is almost always the HIPAA Privacy Rule. This rule is in Title II of the HIPAA Act. The HIPAA Privacy Rule is officially known as the Standards for Privacy of Individually Identifiable Health Information.
PHI vs PII
When discussing the HIPAA Privacy Rule, there are two important terms to understand: PHI and PII. PHI is a term that is specific to HIPAA, whereas PII is a term used in many industries. The regulations and requirements around PHI are far more stringent than those of PII.
What is Personally Identifiable Information (PII)?
PII is any information that may be used to identify or reasonably identify an individual person. Certain information like an address, full name, birth date, and biometric data are always considered PII. Other data, like first initial and last name, first name, or even height or weight may only count as PII when combined with other information (source: Virtu).
What is Protected Health Information (PHI)?
PHI is any form of an individual’s personal health information that was either created, maintained or transmitted by a health organization that includes one or more personal identifiers (i.e. Full Name, Street address, dates, Telephone, Medical Record number, SSN, etc.).
5 Step Checklist: HIPAA Compliant Social Posting
As stated earlier, violating HIPAA happens when you share PHI. While it is not violating HIPAA to share PII, it is a violation of privacy if you do not receive consent.
If your social media post does not contain any information or reference to people (other than your staff) or personal information, you can also confidently post it. If the post consists of patients or patient information, here are the steps to take to ensure that your post is appropriate:
- Get consent – This is the most basic and critical step of the process to protect your practice legally. Don’t overthink this one. You are asking the patient for permission. Nowadays, most people are very comfortable having their photo online. As a business, you just want to clarify that you and the patient are both on the same page. For best protection, it is recommended that you come up with a simple consent form that you have them sign at the time the photo or video is taken.
- Have the patient take their own photo – If you don’t want to have to deal with consent forms, another option is to come up with contests or ideas that involve patients taking their own photos and tagging the business’s page. In this case, you are always allowed to re-post or re-share a patient’s post.
- Consent doesn’t give you free rein – Just because a patient signed a consent form doesn’t give you the ability to post whatever you want about that patient. HIPAA compliance is still in effect. By receiving consent you are allowed to post the specific PII that the patient consented to. You are never allowed to post PHI.
- Verify that there is no PHI in the post – Read over the post and make sure you are not giving away any health information on the patient. It is acceptable to mention in generic terms what the patient received/went through. For example, “We are so happy that Suzy is loving her new smile!” or “This was a long process for Johnny, but he persevered through recovery and in his words, ‘it was all worth it!’”
- Remove any personal identifiers – This is the final step. In order to be sure that you are not compromising your HIPAA compliance, it is a good idea to make sure that you are not sharing any of the 18 different identifiers that HIPAA has defined. This process is called “de-identifying” the health information. The list of the 18 different identifiers can be found at the bottom of this post.
As always, whenever you come across a questionable situation it is always best to reach out to a lawyer that is well-versed in HIPAA Compliance. A good saying to remember is, “when in doubt, leave it out.”
18 personal identifiers
This is a list of the 18 personal identifiers that must be removed when sharing or disclosing health information to a non-essential entity, as described by UCLA’s OHRPP.
- Street address
- All elements of dates except year
- Telephone number
- Fax number
- Email address
- URL address
- IP address
- Social Security number
- Account numbers
- License numbers
- Medical Record number
- Health plan beneficiary #
- Device identifiers and their serial numbers
- Vehicle identifiers and serial number
- Biometric identifiers (finger and voice prints)
- Full face photos and other comparable images
- Any other unique identifying number, code, or characteristic
Resources & Works Cited
In compiling this article, I spent almost a week researching and compiling dozens of sources and websites. I wanted to share a list of the best sources that I found for information around the topic of HIPAA compliance and social media usage for a medical office or business:
- HIPAA Complaints and Violations – HHS.gov
- Overview of HIPAA (Health Insurance Portability and Accountability Act) – SearchHealthIT.TechTarget.com
- What is protected health information (PHI)? – Indiana University
- Posting with Caution: The DO’s and DON’Ts of Social Media and HIPAA Compliance – healthcarecompliancepros.com
- Personally Identifiable Information: HIPAA Best Practices – virtu.com
- Tip Sheet: Protected Health Information and Personal Identifying Information – UCLA