Facebook, Twitter, Instagram, Snapchat, YouTube, blogs, webpages, Google+, LinkedIn… What do all of these social media outlets have in common? Each can get physicians in trouble under the Health Insurance Portability and Accountability Act (HIPAA), state privacy laws, and state medical laws, to name a few. It seems that all too often, news outlets are reporting data breaches generated in the medical community, many of which arise out of physicians’ use of social media, and most of which could have been avoided.
Physicians should be aware of the intersection of social media—both for personal and professional use—and HIPAA and state laws. Even an inadvertent, seemingly innocuous disclosure of a patient’s protected health information (PHI) through social media can be problematic.
It’s important to know which medical information must be de-identified before PHI is shared over social media. This includes:
- Geographic information
- Dates (e.g. birth date, admission date, discharge date, date of death)
- Telephone numbers
- Fax numbers
- E-mail addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- IP address numbers
- Biometric identifiers (e.g. finger and voice prints)
- Full-face photographic images and any comparable images
- Other unique identifying numbers, characteristics, or codes
The penalties for patient privacy violations (or even alleged patient privacy violations) are multifaceted. Not only can the federal government impose civil and criminal sanctions under HIPAA on the physician and his/her affiliated parties (e.g. physician’s employer), but states can also impose penalties. The patient may also sue the violating physician and his/her affiliated parties for privacy violations under state law. However, the reputational harm associated with an inappropriate post on social media is immeasurable, especially in light of the availability of information on the Internet.
Post with caution.