Social media is an increasingly common presence within the health care industry – among providers and consumers alike – but despite the potential benefits it can offer both parties, it introduces many risks.
Paging Dr. Google
It’s no exaggeration to say that the internet has completely transformed the way people seek medical information, and social media has played a significant role in this transformation. In fact, of the 74 percent of internet users that engage on social media, 80 percent of those are specifically searching for health information, and nearly half are looking for information about a specific doctor or health professional.
What’s more, research has shown that social media can have a direct influence on a patient’s decision to choose a specific health provider, or even lead them to seek a second opinion, particularly amongst patients coping with a chronic condition, stress, or diet management.
This presents many opportunities for healthcare providers looking to get ahead of the competition – and for those who choose to actively engage in social media, the rewards can be significant, but so can the risks. So before jumping into social media headfirst, physicians need to understand the potential pitfalls, specifically the risks associated with patient privacy, and their obligations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Social media and PHI
PHI stands for Protected Health Information. The HIPAA Privacy Rule provides federal protections for personal health information held by HIPAA covered entities (health care providers, health plans, healthcare clearinghouses, plus their business associates) and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.
The limits of permissible disclosure, however, are extremely limited, and definitely don’t include social media; if a physician were to disclose a patient’s PHI via social media without consent, even accidentally, this would be a direct violation of HIPAA guidelines and probably state law too.
While one would hope that most healthcare professionals know not to share PHI publically, some may not even know that what they are sharing, or intend on sharing is actually PHI; it is extremely difficult to anonymize patients, and even the subtlest of identifiers could be deemed a breach of patient privacy if it can be tied to a patient.
To avoid this happening, providers need to understand the 18 PHI identifiers, which are:
- Geographic information;
- Dates (e.g. birth date, admission date, discharge date, date of death);
- Telephone numbers;
- Fax numbers;
- E-mail addresses;
- Social Security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers and serial numbers;
- IP address numbers;
- Biometric identifiers (e.g. finger and voice prints);
- Full-face photographic images and any comparable images; and
- Other unique identifying numbers, characteristics, or codes.
How to ensure a HIPAA compliant social media strategy
To avoid an inadvertent breach of PHI, covered entities should educate staff on best practices when using social media, including:
Avoid social messenger services
The likes of Facebook Messenger, LinkedIn, and Twitter Direct Messages may be familiar and convenient, but they are not secure and should be avoided at all costs when discussing patient health matters or exchanging PHI, even with trusted colleagues. Not only are these platforms inherently insecure due to a lack of encryption and access controls, the potential for error is increased as users could accidentally post information publicly or send a message to the wrong recipient.
What’s more, as BYOD (bring your own device) becomes more widely adopted in healthcare organizations, and as more devices are carried between home and work, the potential for device theft or loss increases, which further jeopardizes the security of any sensitive information that exists on a device, within social media applications, or on web browsers. This considered, PHI should only ever be exchanged via HIPAA-secure messaging services, that have been approved by IT departments and are used as part of an organization’s regular workflow.
Think very carefully before posting
When utilized as part of a wider marketing strategy, social media can be a very effective tool, but those responsible for managing social media output on behalf of an organization must be well versed in what type of content is and is not acceptable to share online. Even a seemingly harmless photo of the outside of a premises could cause problems if patients can be seen entering or exiting the building, or if a vehicle can be recognized in the car park. The same can be said of waiting rooms and reception areas, where the likelihood of capturing a patient’s face is high.
Keep work and home life separate
A HIPAA violation can just as easily happen in the home as it can in the workplace. After a hard day at work it is not uncommon for members of staff to air their grievances online – be it on Facebook, Twitter, or within closed forums. Again, considering how difficult it is to de-identify PHI, this behavior should be strongly discouraged, particularly where complaints about patients are involved. Similarly, posting about a famous person, friend, or family member being seen in a practice may be tempting, but is equally risky.
Social media has become second nature for many of us, and the ease of access to it is both a blessing and a curse for the healthcare industry. When managed responsibly, social media can be a highly effective marketing tool, and can even help improve the health outcomes of patients searching for information online. When used irresponsibly, however, the risks are high, and potential repercussions significant.
For HIPAA covered entities who engage in social media, the message is simple; develop robust company policies to ensure responsible usage, and ensure all staff are trained to think before they share.
About The Author
Gene Fry has been the compliance officer and vice president of technology at Scrypt, Inc. since 2001 and has 25 years of IT experience working in industries such as health care and for companies in the U.S. and abroad. He is a Certified HIPAA Professional (CHP) through the Management and Strategy Institute, a Certified Cyber Security Architect through ecFirst and certified in HIPAA privacy and security through the American Health Information Management Association. Most recently achieved the HITRUST CSF Practitioner certification from the HITRUST ALLIANCE. Gene can be contacted through https://www.docbookmd.com/. DocbookMD is built by Scrypt, Inc. DocbookMD is an official partner of the Medical Association.