HIPAA Myths and Social Media Violations

“HIPAA” is more than healthcare jargon—it’s a federal law regulating patient privacy and information security, and if you’re in the healthcare sector and have access to patients’ private health information, understanding HIPAA requirements is an essential job skill.

HIPAA violations cost individuals and businesses billions of dollars in fines and remediation efforts every year. While many HIPAA violations are often the result of mishandling files, many examples of HIPAA violations involve employees making poor choices when using social networks. As Twitter and Facebook blur the lines between our public and private lives, many employees need additional social media training on the appropriate use of technology in the workplace.

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 protects health insurance coverage for workers when they change or lose their job and establishes privacy and security standards for healthcare information. HIPAA involves four rules:

  1. Privacy Rule: Protects the privacy of individually identifiable health information, known as protected health information

  2. Security Rule: Sets national standards for the security of electronic protected health information

  3. Breach Notification Rule: Requires covered entities and business associates to provide notification following a breach of unsecured protected health information

  4. Patient Safety Rule: Protects identifiable information being used to analyze patient safety events (health care quality issues or medical errors) and improves patient safety

These rules are enforced by the Office for Civil Rights, a division of the US Department of Health and Human Services. There are many classes of HIPAA violations, each with their own set of penalties, from fines to jail time.

What constitutes a HIPAA violation?

HIPAA defines specific types of protected health information, or PHI, and prohibits unauthorized disclosure of PHI by any healthcare professional with access to patient information. This seems simple, but the devil is in the details: PHI is broadly defined to include not just the patient’s name and address, but a wide range of information like the date of service, patient record numbers, vehicle license plate numbers, and more. It’s essential for every healthcare professional to understand what constitutes PHI to avoid making unintentional unauthorized disclosures.

HIPAA and Social Media Violations

HIPAA violations perpetrated by individuals on social media breach both the Privacy and Security rules. In many cases, employees don’t realize their behavior is violating HIPAA because of perceived security on social networks or a lack of understanding around HIPAA’s definition of privacy. There are many common myths surrounding HIPAA that can be prevented with a good social media policy and employee training. Let’s take a look at some HIPAA violation examples and see how they could have been prevented:

Myth #1: Discussing patients without their names is okay  

In 2010, five nurses were fired from a medical center in California for discussing patients on Facebook. The hospital claims no identifying information, such a patient names or photos, were included in the posts, but chose to fire the employees anyway.

In a similar situation, a nurse in Michigan was fired for an angry update on Facebook about an alleged cop-killer (unnamed in her post) who was a patient at her hospital. Due to the news coverage, the hospital felt that it was clear whom the nurse was discussing.

In both these examples where HIPAA and Facebook meet, the hospitals felt that the social media updates constituted unauthorized disclosures of PHI.

Myth #2: Pictures at work are okay as long as they aren’t of patients

Four nursing students in Kansas were expelled from their program for posting pictures of themselves with a human placenta on Facebook. The students contend they were informed their post would not be a violation of privacy, but were expelled for their “lack of professional behavior” anyway.

It is also important to recognize often time more can be seen in a picture then a photographer intends. Even taking pictures of fellow staff members in the hallway might inadvertently capture a patient’s name on a door or walking down the hallway.

Myth #3: Public figures don’t have the same protections

An employee at a medical center in Mississippi resigned from her job due to a privacy violating tweet. The employee responded to a tweet from Governor Haley Barbour concerning trimming expenses from the budget with a remark regarding the governor’s private, after-hours appointment several years prior. Though the governor is a public figure, his medical history, including PHI like dates of service, is protected under HIPAA.

What can you do to prevent HIPAA violations on social media in your organization?

The first step towards protecting your patients’ PHI (and protecting your organization from fines!) is developing a thorough HIPAA social media policy. Your policy should define PHI in detail, so that employees understand that sometimes information they don’t expect is still covered under HIPAA. Your HIPAA social media policy should also carefully explain that social networks, even when set to “private”, are still public disclosures. 

When it comes to HIPAA, the message to employees should always be better safe than sorry. Your policy is an important first step, but it should be followed by HIPAA training to ensure that your employees have opportunities to learn from HIPAA violation examples and ask questions. Making employees aware of the laws and consequences can help cut down on the number of violations and protect both the company and employees. OpenSesame offers a wide range of HIPAA training courses to help you stay up to date on the laws and regulations and out of legal trouble.