Excellent blog post by Healthcare Compliance Pros; If you have any questions, please feel free to contact them by phone toll-free at 855-427-0427 or send an email at firstname.lastname@example.org. I highly endorse this Company for all of your compliance needs.
It was not that long ago when an employee at the University of Cincinnati Medical Center was fired for posting a patient’s protected health information (PHI) on Facebook. The employee had posted a screen shot of a patient’s medical record showing her name and her diagnosis of syphilis.
The employee who was fired from the University of Cincinnati Medical Center for posting the medical record posted the screen shot of the medical records in a closed member Facebook group. Even though the employee thought she was sharing the information in a closed group, the information quickly became public. Not that it matters, whether she posted in a closed group or as a public post, either way the disclosure is a breach.
While this is an obvious example of a HIPAA breach, and an obvious no-no, it does provide us with a good example of why PHI should not be shared on Social Media unless you are authorized to do so. And as we have mentioned in a previous article, if you wouldn’t say your comment in public, then don’t put it on social media. If there is any doubt at all about a certain post, picture or comment then check with your compliance officer or even a colleague before publishing.
Below are 5 additional Tips for to consider prior to posting on social media sites:
- Know the difference between personal and professional use.
Personal use of social media is often referred to as a social media use on an account that is registered to an individual that is not used for business purposes. Professional use is generally using social media for approved business purposes on behalf of an account registered to an organization, a practice or provider. You may have language in place in a social medial policy that states if personal use of social media is or is not permitted during business hours. Your policy may also explain professional use of social media on behalf of the organization, practice, or provider. In other words, who should post, who should update, what should be posted, etc.
- Understand if there are any risks involved with what you are about to post.
Whether you are posting on your personal account or on a professional account, it is important to understand if there are any risks. For example, if you post something there may be a risk of receiving negative feedback from the public. Or there may be a risk of sharing proprietary information or content that could get into the hands of someone with malicious intent. Some tips to mitigate risk include: posting accurate information; respectfully disagree with negative comments; etc.
- Do not post PHI without authorization! Even then, be extremely cautious.
Imagine a patient asks you to take a photo with him. You decide it is a cute photo so you post it to Facebook. If you have authorization from the patient, there wouldn’t be an issue under HIPAA. If you do not have authorization, it would be considered a breach under HIPAA. Therefore, when photos or patient information will be used for purposes other than Treatment, Payment and Operations (TPO), a valid HIPAA authorization must been obtained from the patient or the patient’s legally authorized representative. This includes when posting on social media. When in doubt, check with your compliance officer before posting anything that could be considered PHI.
- When posting a response to a question use limited information and suggest another communication method.
If a patient asks you a question on a social media platform that could potentially lead to a disclosure of PHI, it would be best to suggest the patient contact you using another form, a more private form of communication. It is important to limit unnecessary or inappropriate access to and disclosure of PHI. Avoid accessing or discussing PHI that is not essential to the task at hand.
When posting on your personal social media account, if it is something you don’t want the public to know or access, it is also a good idea to communicate with a private form of communication. This includes when sharing information in “private” groups.
- Remember, communication on social media is powerful.
Just recently, the power of social media has been on full display. Social media allows for information to be communicated almost instantly to a broad audience, and may be communicated throughout the world. Understand when you work for a professional organization what you post on your personal social media sites may potentially have an impact on your professional reputation. Before posting somethings, consider what if any impact what you are sharing could impact you or your organization in any way.