HIPAA + Social Media: Is Your Organization Compliant?


“Our mind is of 3 categories: what we know, what we don’t know, and what we don’t know we don’t know. Not knowing is unfortunate; not knowing that we don’t know is tragic.” – W. Erhart

Oftentimes in life, I find myself coming back to the sage wisdom in the quote above. Today, I’m going to refer to it in a discussion of HIPAA, the Health Insurance Portability and Accountability Act of 1996, and as I’ll show you, it can indeed be tragic to be unaware that you don’t know something. Most of us aren’t lawyers or politicians. Most of us have private sector jobs and don’t think too much about laws, regulations, compliance, costs or consequences; we just like to get our work done, assuming someone up the chain IS actually responsible for the minutiae contained within the tomes of legalese heaped upon us, the masses, by our brave and fearless leaders. However, the world today is becoming more complex, and social media has most definitely created an emerging set of business dynamics over the last two decades that has changed the way consumers interact with service providers and product makers (I miss Friendster; it was just so simple back then).

Healthcare Compliance Pros reported in February that “Social Media is used by 74% of internet users and 80% of people using social media actually use it to research doctors, hospitals and medical news and information.” That’s a large amount of digging happening on social media just within the healthcare sector. The power of social media for businesses in any sector to reach and finely tune their audience (mostly for free) is a large part of how sites like Facebook and Twitter have changed the game. As such, it is important for healthcare providers and their employees to become aware of how to stay compliant with HIPAA regulations when posting to social media. Horror stories of dire consequences are out there, and we hope this article helps you avoid having to write your own HIPAA horror story.

You’ll need to understand what is considered a violation or breach of HIPAA in regards to social media: under HIPAA, a breach is any impermissible use or disclosure of protected health information (PHI) that could compromise that information. The most common examples of social media HIPAA violations are:

  • Posting verbal gossip or hearsay about a patient where it is accessible to unauthorized individuals.
  • Sharing images, or any other type of identifiable PHI, without written consent from the patient.
  • Assuming that private or deleted posts are not viewable by the public (they most likely are).
  • Posting otherwise benign comments or photos, such as a picture from a meeting with visible patient files in the foreground, or anecdotal mentions like, “It was wonderful to see such & such in the office today.”

Certainly, a few best practices implemented in your organization can take you pretty far on the road to compliance. The very top of those might seem obvious, but nevertheless cannot be stated enough: if you wouldn’t say it in an elevator or coffee shop, just don’t post it. We all should have some idea of what is and isn’t appropriate to say publicly, and this filter should definitely extend to the social media pages for your practice. If any doubt exists regarding a specific comment, image or post, you should refrain and refer to your organization’s compliance officer, or at the very least another colleague, before you blast it across the internet. Also, a HIPAA Privacy Policy and Security Policy should be drafted for your business and posted publicly on your website. Your company’s legal team may need to be consulted, and your social media policies should be integrated into that copy. Due diligence with regard to HIPAA compliance and employee training should include detailed training and resources at the time of hire, or start date, followed up at least annually.


[Image: a book titled “Privacy Act” on a table with a judge’s courtroom gavel. Caption: Social media can cause violations; we can help you avoid them. Image source: Shutterstock]

The penalties for violations can range from a slap on the wrist (a $100 wrist slap, per violation, that is) up to hundreds of thousands and even millions of dollars in the most extreme circumstances, such as repeat violations year after year, or when willful neglect has been determined and corrections were not applied in a timely manner. For smaller practices, this means that compliance is more than necessary; it’s mission critical. Small businesses often struggle with compliance costs across the board, and budgets sometimes have to be creative; however, these expenditures pale in comparison to the penalty costs for covered entities charged with a breach of PHI. Criminal penalties, lawsuits, revoked licenses and termination of employees are not off the table either. If your organization is ever faced with a situation in which a violation occurs on a professional blog or social media, you’ll want to make sure to follow these next steps.

  • Notify your designated compliance officer and summarize the violation, including the date of occurrence and the date the violation was discovered (when it was noticed).
  • Provide notifications to individuals whose PHI may have been compromised in a timely manner and without unreasonable delay (maximum 60 days). This applies to the covered entity and its business associates.
  • Take appropriate action to follow the procedures for reporting the breach to HHS and to the media if more than 500 individuals have been compromised.
  • Schedule re-training for employees or departments involved in the breach, or who actively post to your organization’s social media accounts.

Conclusion: HIPAA compliance is of the utmost importance to healthcare providers who digitally transmit forms, healthcare insurers and clearinghouses, and Medicare prescription drug card sponsors.

At Ray Rico Freelance, we understand the seriousness of staying in compliance, and we have helped several clients level up their efforts to avoid HIPAA violations. Our staff is trained in HIPAA Privacy and Security, and endeavors to make sure each project that we work on is in compliance for our medical clients. Obviously, HIPAA compliance is very important, so if you’re not 100% sure that your graphic, digital and print collateral is free of violations, you should call 901-800-1172 today to schedule a consultation. You’ll be glad you did when your practice isn’t fined hundreds, thousands or even millions of dollars.

[Image: a doctor crossing her fingers with an unsure look on her face. Caption: Are you in compliance? Image source: Shutterstock]

For more information on HIPAA compliance, visit the HIPAA homepage on HHS.gov and the HHS HIPAA guideline for social media, or check out this great article from the American Medical Association, which is very detailed yet quite accessible.
