Breaking Down the Rules for HIPAA and Social Media

The following is a guest blog post by Moazzam Adnan Raja, Vice President of Marketing at Atlantic.Net.

Social media is a challenging front for any organization from a security and compliance perspective, and that is particularly true for organizations handling health data given the need to guard against unauthorized disclosure – as outlined in the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The extent to which a person’s health data is used and disclosed in a marketing context is up to them, per the HHS marketing guidelines and as directed by the HIPAA Privacy Rule. If you want to use or disclose any patient information for marketing purposes, you will need to get a written authorization from them. (The Privacy Rule also establishes what is included in the scope of marketing, making exclusions for activities related to treatment and operations.)

Steps toward HIPAA-compliant social media

Here are recommended steps for HIPAA compliance on social media from the National Association of Rehabilitation Providers and Agencies (NARA) and HIPAA Journal, along with additional guidance:

Create a comprehensive social media policy. You can prevent breaches by making compliance requirements explicit. The five steps to a strong social media policy, from health administration specialist Joy Hicks, are: 1.) Define what social media is (so there is no confusion about what is included); 2.) Set parameters for appropriate social media behavior (such as requiring staff to state that their views are their own and not to discuss workday activities online); 3.) Discuss the high costs of HIPAA social media violations; 4.) Incorporate training resources from the federal government and other credible sources; and 5.) Provide examples of HIPAA violations (see below).

Learn the HHS federal guidelines. Look over the HHS guidelines for federal agencies to learn about HIPAA compliance related to social media.

Preserve all the posts made by your official accounts, along with all edits. You must be able to track, evaluate, and audit your social activity to ensure compliance.

Choose someone to manage social media policy who knows HIPAA. When you need a social media policy for HIPAA, leverage the expertise of a person who can apply compliance to that setting. That individual can check any content before it goes live. It could be your Privacy Officer or Security Officer (i.e. the primary points of contact and management for the Privacy Rule and Security Rule, both central to HIPAA).

Whenever a patient introduces PHI on social media, do not engage with them. Stand back from any health data exposure, since acknowledging the information could lead to a violation.

Outline your plan. Create a social media plan that helps you envision the nature of your posts. Through this preparation, you can prevent problematic posting.

Avoid patient names. You can talk about cases but cannot name the patients involved. Including a name in a social media post legally counts as an exposure of PHI.

Use compliant photos. There should not be any patient names or other health data in your photos on social media. Get permission from patients if you ever want to use their images.

Give your personnel examples of what is considered a violation to clarify compliance. Here are two provided by Hicks: 1.) Two nurses took photographs of the x-ray of a patient with a phone and posted them on Facebook. There was an object in the rectum of the patient that turned out to be a sex device, prompting the women to take pictures. They were subsequently fired, but it still qualified as a HIPAA violation because it was an unauthorized disclosure of electronic protected health information (ePHI), breaking the Privacy Rule. 2.) A nurse treated a police officer and the person suspected of shooting him, both for bullet wounds. She wrote on her personal Facebook that she had a “face to face” interaction with a “cop killer” and wanted him to “[rot] in hell.” She was fired, in part because it violated the HIPAA Privacy Rule to communicate that someone with reasonably identifiable characteristics (i.e., someone suspected of recently killing a police officer) had been treated at her facility.

Apply rules to personal accounts. It should be clear that health data cannot be presented anywhere on social media, including through personal accounts.

When performing risk assessments, incorporate social media analysis. Broadly, your risk assessment should cover all the reasonably foreseeable risks that threaten the electronic health data you create, receive, send, or store (i.e., risks that could compromise its integrity, availability, or confidentiality). One such area of risk is social media. Comprehensive risk assessments should be performed “annually or as needed (e.g., bi-annual or every 3 years) depending on circumstances of [your] environment,” per HHS.

Update your social media policy each year. Remember that environments evolve, as does your risk profile. Treat social media policy as a living document.

Building secure, compliant partnerships

Ensuring HIPAA compliance is in part about managing your relationships and only working with credible third parties. To further validate the security controls of an IT service organization, look beyond HIPAA and HITECH certification for a Statement on Standards for Attestation Engagements 18 (SSAE 18; formerly SSAE 16) data center audit.

Atlantic.Net provides HIPAA Compliant Cloud Hosting for healthcare providers and is a proud sponsor of

About Moazzam Adnan Raja
Moazzam Adnan Raja has been the Vice President of Marketing at Atlantic.Net for 14 years. During Raja’s tenure, the Orlando-based, privately held hosting company has grown from having a primarily regional presence to garnering and developing attention nationwide and internationally. In collaboration with a skilled and dedicated team, Raja has successfully led a full spectrum of marketing campaigns, as well as handling PR work with major news outlets and the formation of key strategic alliances.