Twitter, Facebook, YouTube, Instagram, LinkedIn, Snapchat, blogs, Web pages, Google+. What do all of these social media outlets have in common? Each can present compliance problems for healthcare providers and get them in trouble under the Health Insurance Portability and Accountability Act (HIPAA), state privacy laws, and state medical laws, to name a few. News outlets frequently report on data breaches that occur in the medical community, including those that arise out of healthcare providers’ use of social media, and many of which could have been avoided.
Healthcare providers should be aware that their use of social media networks (both for personal and professional use) intersects with the regulatory net of HIPAA and state laws. Thus, even inadvertent, seemingly harmless disclosures of a patient’s protected health information (PHI) through social media can be problematic. HIPAA defines protected health information, in part, as health information that:
- is created or received by a healthcare provider;
- relates to the health or condition of an individual;
- identifies the individual (or with respect to which there is a reasonable basis to believe the information can be used to identify the individual), and;
- is transmitted by or maintained in electronic media, or transmitted or maintained in another form or medium.
HIPAA permits a healthcare provider to use and disclose PHI for “treatment, payment or healthcare operations.” Using or disclosing PHI through social media, however, generally does not qualify as treatment, payment, or healthcare operations, but if a healthcare provider were to use or disclose a patient’s PHI through social media without permission, this would constitute a violation of HIPAA (and likely state law).
HEALTHCARE PROVIDERS SHOULD BE AWARE THAT THEIR USE OF SOCIAL MEDIA NETWORKS INTERSECTS WITH THE REGULATORY NET OF HIPAA AND STATE LAWS
In order to use or disclose a patient’s PHI (without obtaining the patient’s consent), the information must be de-identified so that it does not identify the patient and there is no reasonable basis to believe that the information can be used to identify the patient. One option under HIPAA permits health providers to retain an expert to determine whether “the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is the subject of the information.” Alternatively, and more frequently, a healthcare provider that seeks to use or disclose patient PHI can remove the following identifiers from the PHI and remain compliant with HIPAA:
- Geographic information;
- Dates (e.g., birth date, admission date, discharge date, date of death);
- Telephone numbers;
- Fax numbers;
- Email addresses;
- Social Security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers and serial numbers;
- IP address numbers;
- Biometric identifiers (e.g., finger and voice prints);
- Full face photographic images and any comparable images; and
- Other unique identifying numbers, characteristics, or codes.
Identifier #18 presents the most difficult compliance issue because a significant amount of personal information is available on the Internet, particularly through search engines like Google. Inputting even a small amount of information into a search engine will generate relevant “hits” that make it increasingly more difficult to comply with the de-identification standards under HIPAA. And, even if Identifiers #1–#17 are carefully removed, the broadness of Identifier #18 can turn a seemingly innocuous social media post into a patient privacy violation.
IDENTIFIER #18 PRESENTS THE MOST DIFFICULT COMPLIANCE ISSUE BECAUSE A SIGNIFICANT AMOUNT OF PERSONAL INFORMATION IS AVAILABLE ON THE INTERNET
Do not let the violators in the following examples of patient privacy violations be you:
An emergency room physician in Rhode Island was reprimanded by the Rhode Island Board of Medical Licensure and Discipline, fired, and had her hospital medical staff privileges terminated after she posted information about a trauma patient on her personal Facebook page. According to the Rhode Island Board of Medical Licensure and Discipline, “[The physician] did not use patient names and had no intention to reveal any confidential patient information. However, because of the nature of one person’s injury was such that the patient was identified by unauthorized third parties. As soon as it was brought to [the physician’s] attention that this had occurred, [she] deleted [her] Facebook account.” Although the physician omitted information about the patient in her post that she thought was identifiable information, she apparently did not omit enough to prevent third parties from identifying the patient.
In St. Louis, an OB/GYN used Facebook to complain about and express her frustration with a patient: “So I have a patient who has chosen to either no-show or be late (sometimes hours) for all of her prenatal visits, ultrasounds, and NSTs. She is now 3 hours late for her induction. May I show up late to her delivery?” Another physician then commented on this post: “If it’s elective, it’d be canceled!” The OB/GYN then responded: “here is the explanation why I have put up with it/not cancelled induction: prior stillbirth.” Controversy erupted after someone posted a screenshot of the post and response comments to the hospital’s Facebook page, even though the OB/GYN did not reveal the patient’s name. The hospital then issued a statement that its privacy compliance staff did not believe the posting to be a privacy breach. The hospital added, however, that it would use this opportunity to educate its staff about the appropriate use of social media to ensure that patient privacy is protected. Many believe this physician got off too easy.
Many penalties exist for patient privacy violations, and even for alleged patient privacy violations. Under HIPAA, the federal government may impose civil and criminal sanctions on the healthcare provider and his/her affiliated parties (e.g., employer, hospital). States too can impose forceful penalties for patient privacy violations, which vary from state to state. Additionally, the patient who was identified or whose health information was disclosed can sue the healthcare provider and his/her affiliated parties for privacy violations. Although, under HIPAA, patients do not have the right to bring a private cause of action against a healthcare provider, state law often provides patients with such a cause of action. Furthermore, in some states, state medical boards may also impose penalties on a physician for privacy violations, including penalties that are monetary or non-monetary (e.g., suspension or termination of medical licensure). In some recent cases, there have even been reports that people who “like,” “share,” “retweet,” or comment on inappropriate social media posts have been reprimanded as well. Finally, and perhaps most importantly, healthcare providers may suffer immeasurable reputational harm for an inappropriate post on social media, especially given the availability of information on the Internet. Unfortunately for the physicians described above, when their names are entered into a search engine, the top hits are news articles reporting their inappropriate posts rather than articles or information about their professional accomplishments and prestigious educations.
Post on social media networks with an awareness of the risks and with extreme caution.