HIPAA And Social Media Guidelines

The most important rule for any HIPAA and social media guidelines is that social media content must NEVER include protected health information (PHI). This must be front and center of any HIPAA social media policy.

Organizations subject to HIPAA can use our HIPAA and Social Media Checklist to understand how to avoid HIPAA violations due to misuse of social media by employees.

What Are The HIPAA And Social Media Rules?

Because HIPAA was enacted several years before social media such as Facebook, TikTok and Instagram existed, the Privacy Rule does not include any specific references to social media.

Nevertheless, the HIPAA social media rules are the standards relating to permissible uses and disclosures of PHI in the Privacy Rule.

As permissible uses and disclosures do not include publishing individuals’ PHI in the public domain, these effectively prohibit Covered Entities and Business Associates from using or disclosing PHI without an individual´s authorization.

If no PHI is disclosed – and the FTC Rules (see below) are complied with – the Privacy Rule does not apply, and Covered Entities and Business Associates can freely use social media networks to promote healthy lifestyles, market health insurance products, and promote B2B services.

However, it is important to understand what is considered PHI under HIPAA. The term PHI does not solely relate to health information, and it could be possible that – due to a lack of knowledge – a member of the workforce inadvertently discloses PHI in violation of the Privacy Rule.

Understanding Patient Authorization Rules

In addition to understanding what is considered PHI under HIPAA, it is also important to understand the patient authorization rules which must be part of any HIPAA social media policy.

These can be found in §164.508 of the Privacy Rule and stipulate that valid authorizations must include the following core elements:

• A meaningful description of the information to be used or disclosed
• A meaningful description of the purpose of the use or disclosure
• An explanation that the information may be further disclosed
• The individual´s right to revoke the authorization
• An expiration date for the authorization

With regards to the final core elements, it is important for the individual to be aware that a social media post containing their PHI may be widely shared, screenshot, and republished. In the event that a patient requests a revocation of their authorization, the organization may be unable to comply.

This scenario is covered in the Privacy Rule by a clause that exempts revocations in cases where “the Covered Entity has taken action in reliance thereon”. However, these core elements must be included in the authorization in order for it to be considered valid at the time it was signed.

HIPAA Social Media Violations On The Rise

Sharing too much information on social media platforms can have devastating effects on both healthcare organizations and employees if patient-specific information is shared.

With over a billion people on social networks and professional blogs, it is not surprising that HIPAA violations are on the rise and are raising major concerns among medical practices.

There are many benefits to be gained from using social media if your organization is a HIPAA Covered Entity or Business Associate. For example, healthcare providers can promote healthy lifestyles, raise awareness of emerging health issues, and make announcements when special clinics or services are available to the public.

Health plans can use social media to market health insurance products, advertise new plans and benefits, and attract new customers; while Business Associates can promote B2B services and quickly answer questions from interested parties. However, all of these uses of social media may be subject to FTC and HIPAA social media rules.

HIPAA And Social Media Cases

There are several examples of HIPAA social media cases that have resulted in disciplinary action against the offender. For example, in October 2019, a dental practice was fined $10,000 for impermissibly disclosing PHI on a social media review site; while in January 2016, a nursing assistant was fired from her job and sentenced to 30 days in jail for posting a video of a patient online.

Covered Entities, Business Associates, and members of their workforces should take steps to avoid HIPAA violations of this nature. The steps should include providing training on the organization´s social media policies, enforcing sanctions policies that prohibit impermissible uses and disclosures of PHI on social media, and implementing safeguards to prevent inadvertent disclosures.

For further information on the best ways to avoid HIPAA violations when using social media, seek professional advice from a compliance expert. Alternatively, you are invited to download our HIPAA and Social Media Checklist which contains the key points organizations may wish to consider when developing a social media policy to comply with HIPAA.

What are the FTC Social Media Rules?

The FTC social media “rules” are the regulations relating to deceptive acts or practices in Section 5 of the Federal Trade Commission Act. The regulations apply to all forms of advertising and marketing, and define an act or practice as deceptive if:

• a representation, omission, or practice misleads or is likely to mislead the consumer;
• a consumer’s interpretation of the representation, omission, or practice is considered reasonable under the circumstances; and
• the misleading representation, omission, or practice is material.

This means any claim – whether made by an organization or on behalf of an organization, and regardless of whether Protected Health Information is disclosed to support the claim –   must not “seek to gain an advantage while avoiding competing on the merits”.

HIPAA Social Media Rules – FAQs

What do you need to know about social media and HIPAA?

What you need to know about social media and HIPAA is that posting PHI on social media is permissible under HIPAA only if you have a written authorization from the subject of the PHI. However, once something is posted on social media, you have no control over what happens to it. If the subject of the PHI subsequently wants to revoke an authorization, you cannot comply with the request because you have no control over who has seen the post or what copies have been made.

What is one reason that social media increases the risk for HIPAA violations?

One reason that social media increases the risk for HIPAA violations is that social media channels make it easy for users to take a photo and upload it with the tap of a screen. This increases the risk for HIPAA violations because members of a covered entity´s workforce can unthinkingly take a photo of something or someone they have seen and post it on the Internet within seconds. If the photo reveals a PHI identifier and health information (for example, a celebrity being brought into ER) it is a violation of HIPAA unless the written authorization of the celebrity has been obtained in advance.

What is considered a HIPAA violation with social media?

One thing considered a HIPAA violation with social media is posting any individually identifiable health information without a written authorization. If a authorization is obtained, the form on which the disclosure is authorized has to inform the subject what the disclosure is for and explain that the subject has the right to revoke the authorization. The subject should also be given the option of stipulating a time period after which the disclosure must end.

As it is impossible to control what happens to a social media post once it has been published, it is unlikely a covered entity will be able to comply with a revocation or expiration request. This is a violation of HIPAA unless the authorization form includes the “reliance upon” clause excluding covered entities from revocation and expiration requests after the event.

If an employee attaches an image of a patient’s injury to a Tweet without any other identifying information, is that a breach of the HIPAA Privacy Rule?

If an employee attaches an image of a patient’s injury to a Tweet without any other identifying information it is a breach of the HIPAA Privacy Rule if the identity of the individual can be determined from image. However, if the patient has given their written authorization for the image to be used, and the image is shared under the conditions of the authorization, there is no violation of the HIPAA Privacy Rule.

Do the HIPAA social media rules apply to all accounts or just corporate accounts?

The HIPAA social media rules apply to all accounts – not just corporate accounts. It is important to be aware that images posted on private social media accounts without patient consent are in double violation of HIPAA, as the individual has not only posted ePHI impermissibly, they have also obtained the image from a corporate source that lacked the protections of the HIPAA Security Rule.

If there are no specific social media rules, can covered entities still be fined for violations of HIPAA on social media?

If there are no specific social media rules, covered entities still be fined for violations of HIPAA on social media because in most cases unauthorized disclosures of ePHI on social media are impermissible disclosures – which is a breach of the Privacy Rule. If an employee has accessed ePHI without authorization to publish PHI on social media, the covered entity would be liable for the likely breach of the Security Rule for not protecting ePHI from unauthorized disclosure.

Do all employees have to be trained on HIPAA social media rules, or just those with access to ePHI?

All employees should be trained on HIPAA social media rules as part of their security awareness training. All members of the workforce should be aware of the organization’s policies relating to social media whether they have access to ePHI or not. Even members of the workforce without access to ePHI can disclose information on social media such as a patient’s name and what they are being treated for, so it is important they know not to disclose information without authorization through any media.

How can covered entities and business associates implement controls that flag potential HIPAA violations on social media?

Covered Entities and business associates can implement various controls that flag potential HIPAA violations on social media. For example, the simplest way to monitor social media for HIPAA violations is to search for specific hashtags relating to a healthcare facility (i.e., #nyp, #mayoclinic, #UPMC, etc.). Although a manual control rather than a technology control, reviewing what is written about a healthcare facility on social media can help facilities improve their services – and their HIPAA policies – in many different ways.

Why is posting patient information on social media a HIPAA violation?

Posting patient information on social media is a HIPAA violation if you do not have the patient’s authorization because it discloses individually identifiable health information to the public that could be used to commit fraud or identity theft. Even if you do not name the patient when you post Protected Health Information on social media, the patient can still be identified from other information included in the social media post.

What is a HIPAA compliant social media policy?

A HIPAA compliant social media policy is a policy that stipulates the circumstances under which it is allowed to post any information to social media. As social media posts can never be fully retracted (because they may have been shared, screenshot, or copied and pasted prior to retraction) , it is a best practice to prohibit any post containing individually identifiable health information and enforce tough sanctions on any member of the workforce that breaches this policy.

What is the penalty for a social media HIPAA violation?

The penalty for a social media HIPAA violation depends on who is responsible for an impermissible disclosure of PHI and what the consequences are. For example, if a Covered Entity posts PHI on a social media site without authorization for a marketing campaign, and the subject(s) of the PHI complain to HHS’ Office for Civil Rights, the penalty could be a substantial fine.

However, if a member of a Covered Entity’s workforce posts PHI on a social media site without authorization, the penalty will be whatever sanction is listed in the Covered Entity’s sanctions policy. This could range from a verbal warning and retraining to termination of contract and loss of license – a more likely outcome if the violation demeans the patient or is a repeated offense.

Is Facebook HIPAA compliant?

Facebook is not HIPAA compliant. Although social media has some mechanisms to control unauthorized access to accounts, Meta will not sign a Business Associate Agreement with Covered Entities. Indeed, under Facebook’s terms for the Workplace by Facebook service, Meta prohibits the use of the service to  “submit […] any patient, medical, or other protected health information regulated by HIPAA or any similar federal or state laws, rules, or regulations”.

Are there any examples of HIPAA violations on social media?

There are several examples of HIPAA violations on social media that have resulted in fines being issued by HHS’ Office for Civil Rights and dozens of examples of employees being fired and/or charged for HIPAA violations on social media.

• In 2019, Elite Dental Associates was fined $10,000 for disclosing a patient’s name, details of her health condition, treatment plan, insurance, and cost information in response to a negative online review.
• In 2022, another dental practice – Dr. U. Phillip Igbinadolor and Associates – responded to a patient complaint on social media disclosing the patient’s name and treatment. The dentist was fined $50,000.
• In 2017, ProPublica published more than fifty examples of HIPAA violations on social media that resulted in employees being sanctioned, fired and/or charged with a criminal offense.

What are the recommended social media guidelines for healthcare professionals?

The recommended social media guidelines for health professionals are not to post anything relating to patients on social media channels. Even if you have the patient’s authorization to comment about someone you are caring for or have treated, there is no way you can fully retract the social media post if the patient decides to revoke their authorization. As well as not being able to retract the post, if a friend or family member of the patient – who does not know you have the authority to publish the patient’s PHI  – sees the post, they may file a complaint with your employer or HHS’  Office for Civil Rights.

Is posting a photo of a patient on social media considered a disclosure?

Posting a photo of a patient on social media is considered a disclosure if the photo identifies the individual and either the photo or a description of the photo implies a past, present, or future treatment relationship. However, posting a photo of a patient on social media is not necessarily an impermissible disclosure if you have obtained the patient’s written authorization.

Is it a HIPAA violation to look up a patient on Facebook?

It is not a HIPAA violation to look up a patient on Facebook because information on Facebook pages is posted by individuals who are aware – or who should be aware – they are publishing information about themselves in the public domain. However, if you are discovered looking up a patient on Facebook, it may raise concerns you could also be snooping on the patient’s medical records. Although not a HIPAA violation, it is best to avoid looking up patient information on any media for purposes not permitted by the Privacy Rule.

Who is allowed to share personal health information on social media sites?

The issue of who is allowed to share personal information on social media sites is complicated. There are guidelines in HIPAA about sharing protected health information on social media; but, if an individual or organization is not covered by the HIPAA guidelines or an employer’s social media policy, other data privacy laws may apply – and these can vary from state to state.

With regards to HIPAA and social media, Covered Entities and Business Associates can share personal health information on social media sites provided they have the patient’s authorization to do so. Employees of Covered Entities and Business Associates are advised not to share personal health information on social media sites unless they have a valid reason for doing so (i.e., marketing) and the patient’s authorization has been acquired by their employer.

What are the rules for social media and patient privacy in HIPAA?

There are no specific rules for social media and patient privacy in HIPAA because HIPAA was created many years before social media. However, each Covered Entity and Business Associate should have a social media policy that either prohibits members of the workforce from posting patient information on social media channels or that outlines the procedures to post patient information on social media channels in compliance with HIPAA. Each Covered Entity and Business Associate should also have – and enforce – a sanctions policy for patient privacy violations on social media.