As anyone who works in the healthcare industry knows, maintaining HIPAA compliance is one of the most important responsibilities you hold.
Maintaining the privacy of patient data is not only a best practice, it is required, and failing to do so can result in hefty fines or legal consequences.
HIPAA regulations are expansive, and their full scope can be difficult to understand, especially when you are trying to use social media as a tool for your business.
Today we’ll cover some of the basics, as well as review some examples of violations on social media.
The Basics of HIPAA Compliance
To help make it easier to maintain HIPAA compliance, here are the five main components and what they mean for you and your practice:
The first component means that your organization must have rules in place that limit access to medical records and other patient information.
One of the easiest ways to accomplish this is to keep physical files locked away and allow access only to those who absolutely need it, and to protect digital files by implementing authorization levels for access.
Practitioners often need to share patient information with other healthcare providers. In those cases, maintaining compliance means having an information release form signed by the patient.
Additionally, depending on the case, it is up to the physician to determine exactly what information is necessary for the other provider to know. Some situations may call for sharing access to the patient’s full file, while others may only require certain information.
Although many Americans never choose to view their medical records, patients have the right to request that information at any time, as well as the right to know who has access to their file.
When a patient makes such a request, practitioners are responsible for assisting the patient through the data transfer process and keeping them informed of any security risks that exist based on how the data is shared.
As with any instance of sharing patient information, the patient must sign a consent form first.
Since protecting patient information and complying with HIPAA regulations are such a critical part of operating a healthcare facility, practices are required to designate a Privacy Officer.
This position exists to ensure that a plan is in place for the practice to adhere to security requirements, to keep employees informed of any changes, and to address any current issues or future security breaches.
If a smaller medical practice cannot create this position internally, it is permitted to outsource the Privacy Officer role.
It is the responsibility of the organization sharing patient information to ensure the security of any facilities or individuals it provides that information to.
Even after receiving the patient's consent form and maintaining your own HIPAA-compliant practice, it is still crucial to ensure that any other practice you share data with is HIPAA-compliant in all respects as well.
Examples of HIPAA Violations on Social Media
Norton Healthcare EMT
Facebook - September 2020
In summer 2020, public protests calling for racial reform resulted in many injuries to protesters, first responders, and bystanders. Because of this, many people were quick to post videos of the incidents they witnessed.
An EMT from Norton Healthcare was placed on leave after posting on Facebook about his treatment of an injured police officer at one of the protests.
A healthcare provider posting personal information about services rendered to a patient is a blatant example of a HIPAA violation, and being placed on leave illustrates the potential consequences of not maintaining compliance.
Lincoln Hospital Nurse
YouTube - April 2020
A nurse from Lincoln Hospital recorded a video for an online publication in which she interviewed some of her co-workers about the COVID-19 pandemic and their experiences.
Within this video, each co-worker identified themselves and shared stories of their hardships. At a certain point, one of the Lincoln employees shared that if their hospital had the necessary resources, a patient (and head nurse from another hospital) would still be alive.
This led news outlets to cover the story of the nurse who had died, and before the video even made it to YouTube, the story had already gone viral.
Lincoln Hospital is investigating the incident and has provided the nurse who recorded the video with notices regarding Lincoln Hospital's social media policy to avoid future mishaps.
For more information regarding social media usage in healthcare or HIPAA compliance, check out the 99MGMT Blog!