report patient privacy social media violation hipaa

by Afton Ankunding

HIPAA Social Media Rules - Updated 2022

The HIPAA Privacy Rule prohibits the disclosure of ePHI on social media networks without the express consent of patients. This includes any text about specific patients as well as images or videos that could result in a patient being identified.


What is considered a HIPAA violation on social media?

Common examples of social media HIPAA compliance violations include: Posting verbal "gossip" about a patient to unauthorized individuals, even if the name is not disclosed. Sharing of photographs, or any form of PHI without written consent from a patient.

Is it a HIPAA violation to look up a patient on Facebook?

Researching a patient online, then, is not a breach of PHI. HIPAA was enacted to legally protect patient privacy by limiting the use and disclosure of PHI, thereby requiring providers to maintain confidentiality. However, public online searches are not prohibited by HIPAA regulations.

Can you talk about patients on social media?

Social media is a place to be social, not to talk about patients. You should never talk about patient names, addresses, or medical records.

What is a HIPAA violation on Facebook?

According to Healthcare Compliance Pros, there are four major breaches of HIPAA compliance on social media. Posting information about patients to unauthorized users (even if their name is left out). Sharing photos of patients, medical documents, or other personal information without written consent.

Is it illegal to look up patients on social media?

The legalities: The information a physician would find through a simple Google search or scan of the patient's social media accounts is not confidential; to the contrary, it is publicly available for anyone to see. Thus, there is no issue regarding a breach of confidentiality.

Is texting patient information a HIPAA violation?

Texting patient information to patients is allowed by HIPAA provided the Covered Entity has warned the patient that the risk of unauthorized disclosure exists and has obtained the patient's consent to communicate by text. Both the warning and the consent must be documented.

Is taking a picture of a patient a HIPAA violation?

Yes! Pictures that show any individually identifiable information are considered PHI. The 18 Health Insurance Portability and Accountability Act (HIPAA) individually identifiable elements are listed below. If a photograph can be connected to a patient, it's considered PHI, which falls under the HIPAA Privacy Rule.

Is gossiping a HIPAA violation?

In order to be a violation of HIPAA: the gossip has to be spread by an individual governed by the HIPAA Privacy Rule, the gossip has to be about a patient who has rights under the HIPAA Privacy Rule, and the gossip has to contain at least one of the 18 identifiers that make health information PHI.

What information can be shared without violating HIPAA?

Health information such as diagnoses, treatment information, medical test results, and prescription information are considered protected health information under HIPAA, as are national identification numbers and demographic information such as birth dates, gender, ethnicity, and contact and emergency contact ...

How many nurses are fired for inappropriate social media?

Jussie Smollett Case: 50 Hospital Workers Fired For Alleged HIPAA Violations.

What actually violates HIPAA?

Further HIPAA violation examples: Impermissible disclosures of PHI. Improper disposal of PHI. Failure to conduct a risk analysis. Failure to manage risks to the confidentiality, integrity, and availability of PHI.

Why did Kathy complain about her husband's death?

Knee deep in chicken droppings.” Kathy complained and considered a lawsuit because it was insensitive and unprofessional. The post didn’t mention Leon’s name, but Kathy said that “everybody knows where my husband died,” so people would know that it referred to her husband.

When did the HCA leak?

An internal memo from Hospital Corporation of America (HCA) leaked to Business Insider in April 2020. The email, originally sent to all employees in March, detailed the health conglomerate’s newest addition to its social media policy.

Why was Elite Dental Associates fined?

The Office of Civil Rights (OCR) fined Elite Dental Associates for disclosing PHI on Yelp.

Is PHI a HIPAA violation?

Some of these were accidental. Maybe PHI was in the background unknowingly. In some cases, employees don’t realize that what they’re posting is a HIPAA violation.

Did MUSC Health notify parents of the post?

The employee posted the photo without permission. MUSC Health notified the parent immediately after the hospital learned of the post. The health organization officials informed the parent that “appropriate action was taken,” though they couldn’t elaborate on the employee’s consequences or provide details of the image.

Did the nursing home staff know the victim didn't like hospital gowns?

Staff members of the nursing home knew that the victim didn’t like hospital gowns. However, the video showed two employees taunting a 91-year-old resident suffering from dementia by waving a hospital gown in front of her. It turned out that the two employees who uploaded the video were significant others.

How to reinforce HIPAA?

To reinforce the importance of HIPAA, you need to have a strong discipline policy. That way, you can take the right steps when someone happens to violate HIPAA on their social media. While the federal and state governments have penalties for violating HIPAA, setting your own policies lets you take immediate action.

How to share social proof for medical practice?

Photos and videos can be a good way to share social proof for your medical practice. You can ask for patients to record video testimonials of their experience with you. Or you can share before and after photos of something like weight loss or improving acne. Testimonials and patient stories can be a great marketing tool.

What thin line do you have to walk when posting on social media?

One thin line you also have to walk when posting on social media is with photos and videos. You can share a picture or video of you at your desk or otherwise working.

Why do you move a conversation to a secure messaging system?

Move the conversation to a secure messaging system so that you can make sure the messages are encrypted. You can’t control the privacy or security breaches that social networks experience. By using a different system, you can make sure your messages are secure.

Can you post pictures of patients?

It’s especially important that you don’t post photos or videos that can identify patients. Avoid posting anything with patients in view, even if they’re facing away from the camera.

Is social media immune to HIPAA?

While HIPAA isn’t that old of a law, it does predate the rise of social media. Still, social media isn’t immune to the effects of HIPAA.

Can you post a video without consent?

Photos or Videos Without Written Consent. Now, there is one exception regarding posting photos and videos of patients. If you have written consent from a patient, you can share a photo or video with that person in it. Photos and videos can be a good way to share social proof for your medical practice.

Complaint Process

Anyone can file a complaint if they believe there has been a violation of the HIPAA Rules. Learn what you'll need to submit your complaint online or in writing.

Filing a Patient Safety Confidentiality Complaint

Read about the Patient Safety Confidentiality Act and how to file a complaint online or in writing.

What to Expect

Learn how OCR investigates your complaint and what happens after the investigation is complete.

How do Snapchat and Instagram relate to HIPAA?

There are two ways that social media and HIPAA intersect when using Snapchat and Instagram. The first involves an innocent posting by a person who has no awareness that what they are sharing has PHI. The other is when a person is knowledgeable that what they are posting is a violation of HIPAA regulations, ...

Is Snapchat a HIPAA violation?

The addition of Snapchat and Instagram to the social media arena further expands the potential for breaches of personal health information (PHI) and violations of HIPAA rules. Social media and HIPAA are closely related and their direct relationship needs to be addressed.

Did Snapchat have a security breach?

For example, it was believed that Snapchat had a security breach in 2014 where 100,000 photographs and videos were made public, and this had the potential of violating HIPAA rules. The breach did not occur on Snapchat servers; however, a third-party site called Snapsave.com was identified as the source. There is still concern regarding applications that allow the user to save pictures, videos and information on their devices.

Is posting a violation of HIPAA a violation of HIPAA?

The other is when a person is knowledgeable that what they are posting is a violation of HIPAA regulations, but they post it because they think the content is temporary. Both of these violations are punishable under HIPAA.

Is social media a HIPAA violation?

The time when social media involved only Facebook and Myspace has changed, and with that change comes a risk to healthcare providers for HIPAA violations. Not only can employees access patient information on their desktop and laptop computers, but they can also access it via their portable devices like smartphones and tablets. The addition of Snapchat and Instagram to the social media arena further expands the potential for breaches of personal health information (PHI) and violations of HIPAA rules. Social Media and HIPAA are closely related and their direct relationship needs to be addressed.

What are the requirements for HIPAA disclosure?

Such requirements include descriptions of who is authorized to disclose and receive the PHI, specific and meaningful descriptions of the PHI disclosed, the purpose of the disclosure, an expiration date, information detailing the individual’s right to revoke the authorization, information about the ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization, as well as the authorizing individual’s signature.

What is protected health information?

Protected health information (PHI) is any demographic information that can be used to identify a patient. Common examples of PHI include a patient’s name, address, phone number, email, Social Security number, any part of a patient’s medical record, or full facial photo, to name a few.

Can a physician disclose PHI?

There are two clear-cut scenarios in which a covered entity, like a physician or healthcare facility, can disclose PHI: If the patient has provided formal written authorization. If there is a statutory exception to requiring formal written authorization.

Do you need a written authorization for HIPAA release?

Additionally, there are certain situations when a physician does not need a patient’s written authorization for every disclosure, but these are only when there is a statutory basis for the exception. Exceptions are clearly stated in the HIPAA statute.

Do optometrists need to disclose PHI?

For example, Treatment and Payment Operations are some of the broadest exceptions. In those cases, an optometrist would not need a patient’s authorization to disclose PHI each time to get paid or to send information to another treating doctor.

Can a doctor acknowledge a patient?

Without the patient’s written authorization, the answer is NO. Physicians cannot even acknowledge that a patient is, indeed, their patient. While it may seem counterintuitive that a patient can detail every account they’ve ever had with Dr. Smith and Dr. Smith cannot acknowledge this, HIPAA regulations are clear. Dr.

Did the practice take any disciplinary action against the doctor?

Further investigation found that the practice did not take any disciplinary action against the doctor and did not take any corrective action after the media disclosure. The practice was forced to pay $125,000 after being found liable for the HIPAA violation.

How to implement HIPAA?

And for healthcare organizations he has these suggestions:

1. Do have an interdisciplinary team review your employment policies relating to confidentiality, social media, and related topics.
2. Do include representatives from compliance, legal, IT, human resources, risk management, finance, and similar departments on the team.
3. Do apply the policies to the entire workforce, not only healthcare practitioners.
4. Do recognize that in addition to HIPAA standards, the policies must address state laws, other mandatory rules, and applicable professional codes of ethics.
5. Do have a single individual (named by title) responsible for overseeing the social media policy.
6. Do conduct ongoing, frequent education and communication about HIPAA, patient confidentiality, and the dangers of inappropriate use of social media.

How can social media be used in healthcare?

When used as an official communication of healthcare entities, social media can be used to enhance hospitals’ and health systems’ visibility, educate the public, and provide patients with better information.

What is an example of the tangled web of complications that can come from the use of social media by healthcare personnel?

It involved a physical therapist who was treating a child who had a brain tumor.

What is a patient response?

Responding to a post or public message from a patient with additional details about the patient’s health

What is a post on a patient?

Posting a photograph or video recording of a patient. Mentioning a patient by name. Posting a diagnostic image containing a name, medical record number, or date. Describing a patient encounter with enough specificity that the patient or someone who knows the patient would know who is being referred to.

Why was the family disclosure case dismissed?

The charges were eventually dismissed because the state’s regulations were vague and the public nature of the previous family disclosures negated any “rights or dignity” violation. But the physical therapist suffered the anxiety and cost of defending herself until dismissal of the disciplinary action.

Why is social media important for healthcare?

Social media brings people together, allows sharing of important information, and builds a sense of community. Like other social media users, healthcare professionals post pictures and information about their personal and professional lives, from family vacations to another hard day at work.

What should be the policy for social media complaints?

The policy should, among other things, identify a single individual or group who will be responsible for reviewing and responding to complaints. All other employees and volunteers should know that the only action they should take if they become aware of a complaint on social media is to bring the complaint to the attention of those designated individuals, regardless of their indignation or urge to respond. Policy and the advice of counsel should direct staff and volunteers to avoid responses in the heat of the moment that could not only violate the patient's privacy but also escalate and inflame the situation.

When complaints on social media are particularly egregious, but the practice is unable to respond publicly, what is?

When complaints on social media are particularly egregious, but the practice is unable to respond publicly, providers may express frustration at the lack of response, particularly if they are named personally in the complaint.

How to respond to a complaint in a health center?

The best response will often be to identify the individual who complains, if possible, and invite him or her to come to the health center to discuss the concerns privately. These situations can then be handled consistently with the organization's existing complaints policy.

Is Ask ECRI legal advice?

The recommendations contained in Ask ECRI do not constitute legal advice. Facilities should consult legal counsel for specific guidance and develop clinical guidance in consultation with their clinical staff.

Can providers express their concerns in a private setting?

In these meetings, providers can express their concerns in a private setting, and counsel can present evidence of the consequences the provider and health center could face if they were to respond to the complaint on social media.
