Original Publish Date: April 10, 2018
Employees’ social media use can cause significant liability for healthcare providers who are subject to the Health Insurance Portability and Accountability Act (“HIPAA”). When posting to social media, the lines between what is personal and professional are often blurred, especially when employees develop close relationships with their patients. The Office for Civil Rights’ (“OCR”)1 increased enforcement of HIPAA during the past few years makes it even more critical that health care organizations ensure they are addressing the risks associated with their employees’ social media use because such disclosures would likely constitute breaches requiring notification to both the patient and OCR. This article focuses on health care providers’ liability under HIPAA, but providers must also consider various state laws and employment issues when addressing employees’ social media use.
What is PHI?
As a starting point, health care organizations should ensure employees have a clear understanding of what constitutes protected health information (“PHI”) under HIPAA. A common misconception is that PHI only includes an individual’s name and health information, such as a diagnosis or other treatment information. The definition of PHI, however, is very broad and includes any individually identifiable health information held by a covered entity, in any form or medium, that relates to an individual’s physical or mental health or condition, or the provision of or payment for the provision of healthcare to the individual, and for which there is a reasonable basis to believe it can be used to identify the individual.2 For example, a nurse’s Facebook post describing a patient’s condition may violate HIPAA even if it does not contain the patient’s name or other identifiers. If the patient is a celebrity or is being treated as a result of an incident that received significant media attention, it could take very little information to be able to identify the individual. In addition, employees may not realize that posting photographs of a patient without first obtaining a signed authorization from the patient may also violate HIPAA.
Responding to Patient Reviews
Health care organizations must take HIPAA into consideration when addressing patients’ online posts and reviews on websites such as Yelp and Google. Because confirming that an individual is a patient constitutes PHI, providers should only respond to reviews generally and should not disclose any information specific to the patient. For example, if a patient writes a Yelp review stating that a dentist at XYZ Dental was rude to him, XYZ Dental may respond to the review by including a statement such as, “XYZ Dental values all of our patients and treats every patient with respect.” But, XYZ Dental may not include any specific references to the patient’s condition and/or treatment in the response because doing so would likely violate HIPAA.
Policies and Training
In order to help minimize HIPAA violations resulting from employees’ social media use, health care organizations should implement policies that specifically address the issues associated with social media use. An organization’s social media policy should prohibit the use of personal devices to photograph or film patients and should include examples of posts that would violate HIPAA. Specifically, organizations should include sample posts that do not mention a patient’s name but contain enough information to create a reasonable basis that the individual could be identified based on the post, to ensure employees have a clear understanding of the types of posts that are prohibited and how broadly the regulations can be interpreted. An organization should also address the proper protocol for responding to online reviews and include examples of permitted responses. Once an organization has developed its social media policy, the next step is ensuring employees know what the policy says. Training on social media use should also include examples of posts that employees may not realize violate HIPAA.
If an organization experiences an incident involving an impermissible disclosure of PHI via social media, despite implementing policies and training, the organization should investigate the incident immediately and take steps to mitigate any harm caused by the disclosure. Such steps should include ensuring the post has been removed and that the responsible employee has been sanctioned, as well as providing the employee with additional training on the proper use of social media. If the organization determines that the disclosure constitutes a breach under HIPAA, then it should also provide the required notifications pursuant to the Breach Notification Rule. As with any internal investigation, an organization will want to maintain thorough documentation of its investigation and any subsequent mitigation steps, in case OCR opens an investigation into the incident. Consultation with legal counsel is also advised.
ConclusionBecause it is unlikely that social media use will decline anytime soon, it is increasingly important for health care organizations to take immediate preventative steps to minimize the risks associated with such use. By implementing policies and procedures that specifically address employees’ use of social media and training employees on those policies and procedures, organizations can greatly reduce the risk of experiencing a HIPAA breach and any subsequent OCR review.
1 OCR is the agency within the U.S. Department of Health and Human Services that is responsible for enforcing the HIPAA Privacy, Security and Breach Notification Rules.
2 45 C.F.R. § 160.103.
About the authors: Abby Bonjean is a health care attorney with Polsinelli LLP who counsels health care providers on health information privacy and security and HIPAA compliance. Ginamarie Caya is a health care attorney with Polsinelli LLP who counsels clients on complex health care litigation and class action matters. Contact Abby at firstname.lastname@example.org or 312.463.6230. Contact Ginamarie at email@example.com or 415.248.2119.