Most people have some sort of social media account. While it is a great medium for sharing family photos, funny videos, or interesting news stories, it has become a significant liability for medical employers. A growing problem is the unintended release of patients' protected health information on social media. Even vague statements about a patient's condition can be tied back to a specific person through the connections and context that social media exposes. It is crucial that professionals in the medical field understand how privacy violations can occur quite innocently on social media and what they can do to avoid them.
What Constitutes Protected Health Information?
While HIPAA can seem like common sense, the definition of patient information is broader than many people assume. It is crucial that those who work in the medical field understand exactly what counts as protected information. Paraphrasing the HIPAA Privacy Rule (45 CFR 160.103), protected health information (PHI) is individually identifiable health information that:
(i) is created or received by a health care provider, health plan, employer, or health care clearinghouse; (ii) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or payment for that care; (iii) identifies the individual, or provides a reasonable basis to believe the information can be used to identify the individual; and (iv) is transmitted or maintained in electronic media or in any other form or medium.
Note that a patient's diagnosis, injury, or treatment is itself PHI whenever it can be linked to the person; the identifier does not have to be a name. PHI may be used or disclosed without the patient's authorization only for treatment, payment, and health care operations (plus a short list of other purposes the rule specifically permits, such as disclosures required by law). Anything else requires the patient's written authorization or proper de-identification.
De-identification Standards
If you want to share health information for a purpose the rule does not already permit and you do not have the patient's written authorization, the information must first be de-identified. The Privacy Rule defines exactly two methods that make information count as de-identified: "expert determination" and "safe harbor." Below is a brief overview of both. A more thorough explanation of the elements can be found on the U.S. Dept. of Health and Human Services website.
Expert Determination
Under the expert determination method, a person with appropriate knowledge of, and experience with, generally accepted statistical and scientific methods for making information not individually identifiable determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify the patient. The expert must document the methods and the results of that analysis. While this sounds vague, HHS publishes guidance with specific criteria that help a health care worker judge whether an expert determination is appropriate, and in practice it is used for research data sets, not for deciding what to post online.
Safe Harbor
The safe harbor method lists eighteen categories of identifiers that must be removed for the information to be considered de-identified. These include names, geographic subdivisions smaller than a state, dates (other than the year) directly related to the individual, phone and fax numbers, email addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate and license numbers, vehicle and device identifiers, URLs, IP addresses, biometric identifiers, full-face photographs, and any other unique identifying number, characteristic, or code. The safe harbor method also requires that you have no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the patient. This is the most common and straightforward de-identification process. Even if you feel that you have properly de-identified a patient, it is still not advisable to post anything regarding your patients on social media. Better to be safe than sorry.
Consequences of HIPAA violations
The consequences of violating HIPAA can include civil monetary penalties for the employer and, for knowing wrongful disclosures of PHI, criminal prosecution of the individual. State penalties vary from state to state, but most are quite serious. HIPAA itself gives patients no private right of action, but some states allow patients to sue in state court under state privacy or negligence law, often using the HIPAA violation as evidence. Further penalties can include suspension or termination from your position and could result in a loss of your medical license.
4 Simple Steps to Avoid Social Media HIPAA Violations
Working in the medical field can be uplifting, difficult, or sometimes downright hilarious. Interesting patient interactions are a part of your daily life and something you may feel you want to share. However, the consequences of HIPAA violations far outweigh the benefits of a “like” or “favorite” on social media.
1) Never Record Interactions
Never record patient interactions without written consent from the patient. Even with consent, the recording should be used only for the treatment or institutional purpose the consent describes. Never post videos or recordings on video sharing sites such as YouTube.
2) Keep it Separate
It is acceptable to have social media accounts, but make a concerted effort to not mix personal and professional accounts. Keep your Facebook personal and your LinkedIn professional.
3) Be Mindful
When you post anything on social media, really think about the content of what you are posting. Do not mention patients, even in general terms such as "heart transplant patient" or "crazy code red." None of those phrases is on the safe harbor list, yet a handful of such details (the unit, the diagnosis, the night it happened, the patient's sex) combined with what a coworker, visitor, or family member already knows can be enough to single out one patient.
4) Follow Your Employer’s Policy
Take a look at your employer’s protocol regarding social media accounts. In response to the increase in social media based HIPAA violations, many healthcare employers have created specific policies detailing how employees should manage their personal social media accounts.
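The two failure modes above, a post that still contains a safe harbor identifier and a post that contains none but narrows the field to one patient, are easy to see in code. The following is an added example, not part of the original article and not any hospital's or HHS's tool. It assumes a small, constructed and entirely fictional unit census, hand-extracted quasi-identifiers for each draft post (no text parsing of "him" or "coded" is attempted), a regex set that covers only the safe harbor categories that pattern matching can catch, and an illustrative threshold of k = 5 matching patients; none of those values come from the page.

```python
import re

# Patterns for the subset of the 18 Safe Harbor identifier categories that can be
# caught by pattern matching in free text: dates more specific than a year, phone
# numbers, e-mail addresses, SSNs, medical record / account numbers, ZIP codes,
# URLs and IP addresses. Names, photos, biometrics and the like need other
# controls, so an empty result here does NOT mean a post is de-identified.
DIRECT_IDENTIFIER_PATTERNS = {
    "date": re.compile(
        r"\b(?:\d{1,2}/\d{1,2}(?:/\d{2,4})?"
        r"|(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*\.?\s+\d{1,2})\b",
        re.IGNORECASE),
    "phone": re.compile(r"(?<!\w)\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\b(?:mrn|acct|account|record)\s*#?\s*[:=]?\s*\d{5,}\b",
                      re.IGNORECASE),
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Constructed, fictional census of current admissions (assumption for the demo):
# the kind of background knowledge a coworker, a visitor or a patient's family
# already has, and which a "vague" post gets combined with.
ADMISSIONS = [
    {"unit": "CCU", "diagnosis": "heart transplant", "sex": "M", "coded": True},
    {"unit": "CCU", "diagnosis": "heart transplant", "sex": "F", "coded": False},
    {"unit": "CCU", "diagnosis": "heart transplant", "sex": "M", "coded": False},
    {"unit": "CCU", "diagnosis": "CABG", "sex": "M", "coded": True},
    {"unit": "CCU", "diagnosis": "CABG", "sex": "F", "coded": False},
    {"unit": "CCU", "diagnosis": "heart failure", "sex": "F", "coded": False},
    {"unit": "MICU", "diagnosis": "sepsis", "sex": "F", "coded": True},
    {"unit": "MICU", "diagnosis": "sepsis", "sex": "M", "coded": False},
]


def find_direct_identifiers(text):
    """Return {category: [matched strings]} for every pattern that fires on text."""
    hits = {}
    for category, pattern in DIRECT_IDENTIFIER_PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[category] = found
    return hits


def candidates(records, facts):
    """Records consistent with every quasi-identifier the post gives away."""
    return [r for r in records if all(r.get(k) == v for k, v in facts.items())]


def assess_post(text, facts, records=ADMISSIONS, k_min=5):
    """Screen a draft post.

    facts: quasi-identifiers a reader could take from the post (unit, diagnosis,
    sex, whether the patient coded ...), extracted by hand for this demo.
    k: number of census records the post could refer to. k == 1 means the post
    points at exactly one patient; k_min is an illustrative comfort threshold.
    """
    direct = find_direct_identifiers(text)
    k = len(candidates(records, facts))
    if direct:
        verdict = "BLOCK: contains Safe Harbor identifiers %s" % sorted(direct)
    elif k < k_min:
        verdict = "BLOCK: no identifiers, but only %d patient(s) match" % k
    else:
        verdict = "REVIEW: %d patients match; still follow employer policy" % k
    return {"direct_identifiers": direct, "k": k, "verdict": verdict}


if __name__ == "__main__":
    posts = [  # constructed sample posts
        # Safe Harbor identifiers present: a date and a record number.
        ("Shout-out to the team on 3/14, MRN 0012345 is going home!", {}),
        # No identifiers, but unit + diagnosis + "him" + "coded" leave one patient.
        ("Wild night on the CCU, heart transplant patient coded but we got him back!",
         {"unit": "CCU", "diagnosis": "heart transplant", "sex": "M", "coded": True}),
        # Vague enough that several patients match; still not something to post.
        ("Rough shift on the CCU tonight.", {"unit": "CCU"}),
    ]
    for text, facts in posts:
        result = assess_post(text, facts)
        print("%-78s k=%d %s" % (text, result["k"], result["verdict"]))
```

Running it shows the progression the article warns about: "CCU" alone matches six fictional patients, adding "heart transplant" leaves three, "him" leaves two, and "coded" leaves exactly one, even though the post never names anyone and passes every regex. The regex pass, in turn, is only a screen for the identifier categories it knows about; it cannot catch a name, a nickname, or a photo in the background, which is why the article's advice to post nothing about patients at all is the real control.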
The safest route is not to mention any sort of patient information or interaction on social media. When you keep your professional and personal life separate, it is easy to avoid accidental HIPAA violations.