Social media has the potential to be an extremely effective marketing channel for healthcare providers and organizations. The instantaneous nature of Twitter, Facebook, and other platforms allows for a quick and cost-effective means of communicating with consumers, and offers the potential for a two-way dialogue that most other marketing channels do not.
In a healthcare environment, however, oversharing the wrong type of information can have devastating consequences for all involved – the employee, the employer, and the patient. There are key considerations that healthcare providers need to be aware of when using social media, in particular with regard to safeguarding patients’ protected health information (PHI).
PHI and social media
HIPAA mandates that healthcare providers put appropriate safeguards in place to protect the privacy of the PHI they hold. While every effort can and should be made to ensure an organization is watertight from a cybersecurity point of view, breaches can – and often do – occur as a result of simple human error or misjudgement.
Social media, for all the good it can bring, presents an easy way for staff to inadvertently disclose patient PHI; even a seemingly innocent message published on social media could be deemed a violation of HIPAA (and likely state law, too) if it contains enough information to make a patient personally identifiable.
Listed below are 18 PHI identifiers, as defined by HIPAA.
- Names;
- Geographic information;
- Dates (e.g., date of birth, admission or discharge date, date of death);
- Telephone numbers;
- Fax numbers;
- Email addresses;
- Social security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate / license numbers;
- Vehicle numbers and identifiers, such as license plate numbers;
- Device identifiers and serial numbers;
- URLs;
- IP address numbers;
- Biometric identifiers;
- Photographic images; and
- Other unique identification numbers, codes, or characteristics.
The bottom line is that if there is any chance at all that someone could tie the information back to a patient, sharing it is technically a disclosure of PHI.
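Several of the identifier categories above (Social Security numbers, telephone and fax numbers, email addresses, dates, URLs, IP addresses and record numbers) follow predictable formats, so an organization can put a pre-publication check in front of its social media accounts that holds any draft containing one of them for compliance review. The following is an added example written for this page, not code from the original article or from any social media platform: the regular expressions, the `MRN`-prefix convention for record numbers and the four sample posts are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Pattern-detectable categories from the HIPAA identifier list.
# These regexes are illustrative assumptions, not an exhaustive or
# authoritative definition of each category; tune them to real data.
PHI_PATTERNS = {
    "social_security_number": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    # US-style phone/fax: optional +1, optional area-code parentheses, ./-/space separators
    "telephone_or_fax_number": re.compile(
        r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"
    ),
    "email_address": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # MM/DD/YYYY (or 2-digit year) and ISO YYYY-MM-DD
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # Assumed local convention: record numbers are written as "MRN 1234567"
    "medical_record_number": re.compile(r"\bMRN[\s#:]*\d{5,}\b", re.IGNORECASE),
}


@dataclass(frozen=True)
class Finding:
    category: str  # key from PHI_PATTERNS
    text: str      # the matched span
    start: int     # offset in the post


def scan_post(text: str) -> list[Finding]:
    """Return every pattern hit in a draft post, ordered by position."""
    findings = [
        Finding(category, m.group(0), m.start())
        for category, pattern in PHI_PATTERNS.items()
        for m in pattern.finditer(text)
    ]
    return sorted(findings, key=lambda f: f.start)


def redact(text: str) -> str:
    """Mask each finding with its category so a held post can be logged safely.
    Replaces from right to left so earlier offsets stay valid (assumes no overlaps)."""
    out = text
    for f in sorted(scan_post(text), key=lambda f: f.start, reverse=True):
        out = out[:f.start] + f"[{f.category.upper()}]" + out[f.start + len(f.text):]
    return out


def review_queue(posts: list[str]) -> tuple[list[str], list[tuple[str, list[Finding]]]]:
    """Split drafts into those cleared to publish and those held for a compliance officer."""
    approved, held = [], []
    for post in posts:
        findings = scan_post(post)
        if findings:
            held.append((post, findings))
        else:
            approved.append(post)
    return approved, held


# Constructed sample drafts (fictional; no real people or numbers).
SAMPLE_POSTS = [
    "Great outcome today for the patient admitted on 03/14/2023, MRN 4481920 is going home!",
    "Can you call Mrs. K back at (555) 867-5309 or email k.example@example.com about her results?",
    "Our clinic now offers weekend flu shot appointments. Walk-ins welcome!",
    "Proud of our team for helping a local man from Smallville recover from a rare snake bite.",
]

if __name__ == "__main__":
    approved, held = review_queue(SAMPLE_POSTS)
    for post, findings in held:
        print("HELD:", redact(post), "->", [f.category for f in findings])
    for post in approved:
        print("OK:  ", post)
```

Note what the fourth sample shows: it passes the scanner yet still describes a patient by name-adjacent detail, location and an unusual condition, which is exactly the kind of post the identifier list warns about. Names, geographic information, photographs and biometrics have no reliable textual pattern, so a check like this is a safety net for the obvious slips, not a substitute for the rule of not posting about patients at all.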
Below are four hypothetical examples of how PHI could be inadvertently disclosed via social media:
- Sharing information or news about a patient with unauthorized audiences
- Assuming that a message is private or cannot be accessed again if deleted
- Posting photographs without written consent
- Engaging with patients online
Best practices for HIPAA compliant social media
So what can be done to minimise the risks associated with social media?
- Don’t post about patients. Ever. As highlighted in the 18 PHI identifiers above, it is extremely difficult to anonymize patients, even when referencing them in the most general terms. Therefore, it’s best to not post anything about patients at all. Ever.
- If you wouldn’t say it in public, don’t post it online. A simple but effective test – if you wouldn’t speak about something in an elevator, don’t share it on social media. If in any doubt, consult your compliance officer or a colleague before publishing content online.
- Consider that private messages aren’t always private. Social media channels including Twitter, Facebook and LinkedIn each offer a built-in messaging platform for users to ‘privately’ communicate. However, if the recipient leaves their account logged in on a public computer, the privacy of those messages could easily be compromised. Similarly, many social media messaging platforms are insecure and easily compromised, so messages sent through them should not include sensitive information.
- Keep personal and professional lives separate. Maintain separate social media profiles for your personal and professional lives. Connecting or interacting with patients online should be avoided at all costs, as this could easily result in the public exchange of PHI.
The risks of getting it wrong
Penalties for disclosing PHI are complex and multifaceted. Civil and criminal sanctions can be imposed under HIPAA and/or state law, and can penalise both individuals and any of their affiliated parties. State medical boards could also impose sanctions, including suspension or termination of medical licensure. In addition, a patient affected by a PHI violation may decide to bring their own legal action.
There is also reputational damage to consider: a breach can be catastrophic for an organization if it loses patients who deem it incompetent or untrustworthy. Ask yourself: would you trust an organization with a track record of exposing PHI?
The truth of the matter is that all the cybersecurity safeguards in the world mean nothing if there isn’t a good team to manage them, and organizations cannot expect staff to understand and adhere to the complexities of HIPAA compliance without proper education. Social media offers many exciting opportunities for individuals and organizations alike, but it should be approached with the utmost caution.