You may be violating HIPAA and you don’t even know it

As a whole, the healthcare industry is very familiar with HIPAA rules and laws. In fact, when it comes to the basics, most individuals probably know the big 'no-no's' like the back of their hand. However, there's an area where the waters can get a little murky, and organizations or individuals may unknowingly violate HIPAA.

Social media is powering the world in ways we never imagined. Its benefits -- the ability to increase brand recognition, manage reputations, rapidly disseminate content, and glean insights into potential and past consumers -- make it an incredibly powerful tool for professional communication. But due to the personal, and sometimes vulnerable, nature of social media, it is critical that healthcare marketers treat every digital interaction with the same care and formalized processes that would be taken if a patient were being treated at a facility.

Within the healthcare industry, social media offers an invaluable opportunity for providers to engage with potential patients and connect with alumni. For both audiences, it provides a platform for them to network and remain active members of a community. For example, a provider can share important resources, tips, and event notices to enrich the recovery experience for alumni, or even encourage action to seek treatment for others who may need it. Likewise, alumni coordinators can monitor comments to see how alumni are progressing in their journey in real-time, and can quickly respond or intervene when necessary. This creates fulfilling, meaningful connections between an individual and a care facility, which in turn, results in more individuals receiving the help they need.

However, as care providers, there are additional regulatory and ethical considerations to weigh. Social media is an excellent way to communicate, but these communications are public, and as such, fall under HIPAA guidelines. The Privacy Rule is just one piece of the HIPAA puzzle. Simply put, this rule regulates the use and disclosure of 18 areas of Protected Health Information (PHI) by "covered entities" such as medical service providers, health insurers, and health plans. It also covers independent contractors of the above covered entities. Of course, PHI is any information about health status, provision of healthcare, or payment for healthcare that is created or collected by the covered entity. This includes information such as a patient's name, Social Security number, email address, fingerprint, and IP address. Without express written consent from a patient, PHI cannot be disclosed by a covered entity. Sounds simple, right? Not quite. Take for example the disclosure of provision of healthcare. This is a well-known rule by which many healthcare organizations abide, but here are a few examples of how quickly social interactions may result in a violation:

1. In 2010, a man accused of killing a young police officer was being treated for gunshot wounds at a Dearborn, MI hospital. A nurse who treated this patient wrote a Facebook post after her shift saying that she had come face-to-face with evil and hoped that the alleged cop-killer would rot in hell. The nurse did not divulge the suspect's name, medical condition, or at which hospital he was being treated. However, the nurse was contacted by hospital management, and a few days later, she was fired. Though the nurse did not explicitly identify the patient, the circumstances of the patient's injury and concurrent media coverage made him easily identifiable. The hospital also cited that the post was unprofessional.

2. A state Governor tweeted his support of the state Legislature's recent initiative to trim expenditure. An administrative assistant at a local university medical center (UMC) replied to the Governor's tweet: "Schedule regular medical exams like everyone else instead of paying UMC employees overtime to do it when clinics are usually closed," referring to claims that the Governor came to her university's clinic during closed hours for a checkup, requiring special staffing of 15-20 employees. As a result, the administrative assistant was suspended for three days without pay, and was strongly encouraged to resign, which she did. Despite the fact that this administrative assistant was never involved with the Governor's health care, she was an employee of the medical center, which means she must comply with HIPAA for all UMC patients.

3. A former patient writes on Treatment Center ABC's Facebook wall, "I went to this treatment center two years ago and I'm still fully recovered two years later! The therapists are great and the psychiatrist was great. Everyone was incredible." Appreciative of the kind words, Treatment Center ABC responds to the individual's comment by saying, "We're so glad we were able to play a part in your journey. It was a pleasure getting to know you, and we're so happy to see that you've maintained success in your sobriety. Congratulations!" Without realizing it, Treatment Center ABC has now publicly acknowledged a provider-patient relationship.

The ever-changing digital landscape combined with confusing regulations and policies may leave some fearful of taking advantage of social and digital platforms. After all, the consequences of HIPAA violations can be extreme, including job loss, fines, loss of licensure, and legal sanctions or criminal charges. However, this doesn't negate the powerful impact that social media can have on company growth and leadership. With a little extra care and thought, it's entirely possible to build an engaged and active social media community that is free of HIPAA violations. Monthly social media audits, team trainings, assigned social media managers, strict brand guidelines, and documented policies and procedures are all things that can help ensure compliance in the social sphere.

The fact of the matter is, more individuals than ever before are sharing, learning, and engaging with others on networking sites, and this number increases daily. As of 2015, the Pew Research Center reports that 65% of American adults use social media platforms; and as the millennial generation grows into adulthood, these digital natives will tip the scales even further. Brands that aren't engaging on social media are simply missing a huge opportunity to further connect with their audience. Consumers are going to continue seeking healthcare information online and via social networks, so it's imperative for facilities to take the necessary steps and precautions to formalize digital interactions just as it would be done with in-person interactions.

Ryan Eisenacher is the Content Marketing Manager at Recovery Brands. In her role, she is responsible for leading the branding and strategy of Recovery Brands' social media channels, blogs, email campaigns, and viral marketing projects. With over six years of experience leading content strategy and implementation in agency and startup environments, she's helped brands amplify their online presence & community engagement. Ms. Eisenacher has been involved on social media and content marketing campaigns for Goodwill Industries, the National Disaster Search Dog Foundation, and the San Diego Union Tribune.

Ruchi Sanghani, MA, is the Director of Research at Recovery Brands where she oversees the development and implementation of research investigations to synthesize meaningful and relevant analyses for public consumption to aid in the decision-making process of those seeking addiction treatment. She is an expert in quantitative methodologies with extensive experience in utilizing survey tools to develop products and programs to increase efficiency. Ms. Sanghani also authored several peer-reviewed publications, including a public call to action for the development of vital multi-metric outcomes measurements to improve the quality of care in the addiction industry.

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.

Copyright © 2023 Becker's Healthcare. All Rights Reserved.