In today’s digital era, we rely heavily on social media platforms for both professional and personal use.
However, online social spaces provide plenty of opportunities for private information to become public – including patient medical records and data (HIPAA information).
HIPAA violation penalties do not discriminate based on how a violation happens – they carry serious consequences whether a violation happens online or offline. More concerningly, sharing too much information on social media is easy to do without even realizing it.
HIPAA specifies 18 types of patient information (aside from names) that must remain private. Sharing any one of those 18 - whether accidentally or otherwise - is a violation of HIPAA. There are, however, some social media HIPAA violations that happen more frequently than others.
4 Shockingly Common Social Media HIPAA Violations
According to Healthcare Compliance Pros, there are four major breaches of HIPAA compliance on social media:
- Posting information about patients to unauthorized users (even if their name is left out).
- Sharing photos of patients, medical documents, or other personal information without written consent.
- Inadvertently exposing any of the above while sharing a picture of something else (e.g. visible documents in photos of employees).
- Assuming posts are deleted or private when they’re not.
The easiest solution? Keep strict policies in place for how employees can use social media. Outline the correct procedures for any posts to social media and what isn’t acceptable at any time. Also, remind employees they represent your medical center online and can accrue penalties for HIPAA violations with their social media posts - even via their personal accounts.
While you should have rules in place, you shouldn’t cut off access completely – social media boosts your practice’s brand awareness and reach when used correctly.
4 Uncomfortable Examples of Social Media HIPAA Violations
When it comes to HIPAA and social media, there are (unfortunately) plenty of examples of what not to do. The following HIPAA violations on social media led to serious consequences for those who hit publish on these posts:
A nurse took to TikTok and posted what she felt were “humorous” videos about the mistreatment of patients.
The nurse claimed the videos were simply for comedic relief and nobody was ever harmed in the videos. She was suspended by her employer, who cited misuse and unprofessional use of social media platforms. Her employer felt her actions went against their core values and would not tolerate that type of behavior.
Is this considered a HIPAA violation? Possibly.
The videos were filmed at work on company property. Although no protected health information was exposed, many of her actions displayed negligence and abusive behavior.
Many members of the healthcare community, as well as other individuals, commented on the nurse’s videos. They argued her content was not appropriate or even humorous.
She was suspended, and legal action has since been taken.
During operations, a group of resident surgeons took pictures of their patients. The images were of body parts removed from the patients and uploaded online without consent.
In some pictures, the patients were still on the operating table. The patients could easily be identified in the images by anyone who knew them.
The suspected resident surgeons were subject to investigation and could be facing severe consequences due to HIPAA safety violations.
Ashley Jacobs is a former cast member on the reality show Southern Charm. During her time on the show, she worked as a hospice nurse and home healthcare aide.
Jacobs put herself at risk of violating HIPAA regulations when she sent a video to a fan that included one of her patients, a non-verbal pediatric patient. The fan reported the video to the South Carolina board of nursing for violating HIPAA.
Jacobs’ fans would often encourage her to post pictures with her patients. Although she stated that posting pictures of patients would violate HIPAA regulations, she posted pictures anyway.
A nurse at Texas Children’s Hospital was terminated for posting details of a patient’s condition in a Facebook group.
The pediatric patient was too young to receive the measles vaccination and, unfortunately, he contracted the disease.
The nurse turned to an anti-vaccination group on Facebook, posting details of the boy’s condition. She said that his condition didn’t change her stance, but she could understand why parents vaccinate out of fear of these illnesses.
While she did not include the child’s name, the nurse’s Facebook profile listed where she worked. One parent in the group had a child at the same hospital and, worried about exposure to the disease, posted screenshots of the post to the hospital’s Facebook page.
The hospital launched an investigation and immediately suspended the nurse. While the nurse deleted some of her comments, the hospital fired her for posting PHI.
Social Media HIPAA Violations: More Than an ‘Oops’
Social media HIPAA violations are alarmingly common. Unfortunately, whether accidental or not, the consequences of compliance breaches remain the same.
Violations related to HIPAA laws have serious consequences, including job loss and other penalties. To avoid these, a proactive approach should include a regular risk assessment and corrective action plan.
Another way to prevent HIPAA violations on social media is to get proper compliance training for your staff. Even further, if you're hesitant to use social media to promote your practice, healthcare social media management can help you capitalize on your online presence while remaining HIPAA compliant.
(Editor's Note: This blog was originally published in November 2021 and was updated in September 2022 with current information.)