At the time of HIPAA’s inception, social networks were a relatively new concept. There was nothing like Facebook or Twitter. Even now, HIPAA doesn’t feature any guidelines or regulations that apply specifically to social feeds.
But that doesn’t mean you can ignore HIPAA when you’re on social – and neither can your employees. Even if there aren’t regulations within the HIPAA framework specifically geared towards Facebook or Twitter, HIPAA itself is still very applicable to your organization’s use of social media. And that’s doubly true of your staff.
Consider, for example, what happened to Olivia O’Leary, a North Carolina medical technician when she made an otherwise innocent comment about an accident victim’s cause of death. Upon seeing a news story covering the crash, she simply commented, “should have worn her seatbelt.” After acknowledging that she was working in the ER when the victim was brought in, she was ultimately fired from her position.
O’Leary’s story is hardly an uncommon one. Incautious use of social media by anyone within your organization can cost you dearly. The best advice I can give in that regard is to treat social media with the same care you would any other social channel.
A good rule of thumb is “better safe than sorry.” If you wouldn’t say something in a public setting, don’t post it on social media. And if there’s even a minimal chance that something could be construed as PHI, don’t post it.
Of course, it’s not just your social feed you need to pay attention to – you also need to make sure your staff isn’t posting anything that could land your organization in hot water. O’Leary’s story is firm evidence of that. As such, you should establish a clear and comprehensive set of HIPAA policies that will serve as guidelines for how your employees should conduct themselves on the web.
These should be regularly reviewed by your compliance department, and should include:
- How social media is to be used during working hours.
- What constitutes an “unacceptable” post: ie. gossip, information about a particular patient’s condition or treatment plan, photographs that were taken without written consent, etc.
- Expected conduct outside working hours, when employees are using their personal accounts.
- Guidelines for posting to the hospital or health organization’s official social channels. These should be updated with each new social channel the organization expands to.
- Examples of all of the above – make it absolutely clear what’s acceptable and what isn’t.
- A clearly-document approval process for all posts made to official channels, along with controls that ensure that the process is followed for every single post.
- Guidelines for discussions with patients who have disclosed their own PHI via social media.
- A process for reporting HIPAA violations, coupled with an automated system to help sniff out potential ones.
For healthcare, social is a relatively new frontier – but it’s one worth exploring. Just make sure you proceed with caution. There’s a lot of sensitive information you could accidentally disseminate, and you need to be aware of where and how that can happen.