HIPAA and Social Media: Think Before You Post

Social media poses many liability risks to physicians and healthcare facilities. LHA Trust Funds has encountered several scenarios where social media posts by nurses, physicians, and other hospital employees have resulted in HIPAA violations, among other exposures in employment law, reputation, morale, regulations, and finance.


What NOT to Post

Here are some of the top social media exposure scenarios encountered by LHA Trust Funds claims experts and why they are problematic:

  • Facebook posts about patients
    Even if the post does not specifically identify the patient, the scenario presented in the post may be sufficient for readers - especially in a small or rural community - to know which patient the writer is referring to.
  • Cell phone photos or videos
    If the patient consented to allow a medical staff member to take a photo or video, do not assume that their consent extends to sharing the photo/video with people who are not directly involved in the patient’s medical care.
  • Posts on other social media websites (Instagram, TikTok, LinkedIn)
    Some healthcare providers have posted videos, photos, or patient information while on duty. In some cases, the patient is in the photo/video, or enough information is provided about the patient to be able to identify them. While most of these photos, videos, or posts are not intentionally focused on the patient, most potentially violate a patient’s privacy as the patient can be seen and identified in the background.

    Posting a photo or video of healthcare providers that includes a patient while the patient is under anesthesia/sedation also potentially violates a patient’s privacy. Even posting information and details about a shift - good, bad, or otherwise - in enough detail can pose a risk to the healthcare provider’s employment status.

Blog Blunders

Consider this scenario:

A physician creates a blog that provides medical information. However, some information featured on the blog is incorrect or at least questionable. There is potential liability if a blog reader acts on the information and experiences a bad result. While a court may eventually determine that there was no physician-patient relationship, there are no guarantees on the ultimate legal determination.

Physicians should be careful to examine their influences before blogging. Even a general, non-specific medical scenario may be unconsciously influenced by a specific patient and lead to exposure.

Physicians should also recognize that, while a patient or patient family members may have posted information or a photo on social media, that post does not necessarily mean that they have consented to others doing so.

This type of scenario was documented in a 2018 article for the Healthcare Financial Management Association.[1] Attorney J. Stuart Showalter advises that social media liability can result from “seemingly innocent, well-intentioned actions.” He describes the case of a physical therapist who was involved in the care of a child with a brain tumor. The family had been posting about the child’s condition on a personalized website at CaringBridge.Org. The site allowed family and friends to receive updates on the child’s condition. He writes:

“At one point, the physical therapist posted on her own Facebook page, ‘Please say some prayers for (patient’s name). They just found out his brain tumor is growing again… Poor guy has to get his central line reinserted and chemo started again.’

Even though the patient’s mother had no objection, the physical therapist’s motives were pure, and the Facebook post contained information that had already been made public on the CaringBridge website, the Kentucky Board of Physical Therapists received a complaint and filed charges alleging that the therapist had failed to ‘respect the rights and dignity’ of her patient (a standard embodied in state law.)”

For additional information, see the comprehensive resource provided by the National Council of State Boards of Nursing (NCSBN).

Addressing Social Media Risks

While the people in the examples above may not have intended to violate any regulatory standard or share confidential information, today’s society shares everything on social media, especially when people are ill or facing health challenges. That’s why we encourage all healthcare organizations to develop and implement a social media policy regulating the use of social media within their facilities or offices.

The social media policy should include the following:

  • A process for the organization to keep up with current and changing technology trends as they relate to social media apps and online information sharing.
  • HIPAA training as it relates to social media violations.
  • Training should be done upon hire, annually, and on an as-needed basis.
  • Separate personal and professional use.
  • Limit accessing social media sites while on duty.
  • Set expectations to discourage social media posting while on the job.
  • Encourage staff members to think before they post and be cautious both on- and off-duty when it comes to posting commentary, photos, or videos containing patient information.
  • Don’t post photos or videos that show patients without first obtaining their written consent.
  • Don’t post gossip, stories, or co-worker complaints about patients.
  • Don’t post information that could allow the patient to be identified.
  • Don’t post photos or videos taken inside the healthcare facility in which a patient or PHI is visible.
  • Don’t share texts, photos, or videos within private groups.
  • A process for the organization to monitor social media sites.
  • HR processes to manage staff member performance expectations as they relate to the use of social media while on the job and posting patient information on social media.

“Think before you post” is a great motto for all healthcare staff to follow to limit the release of patient information and prevent risks to their organization.

[1] Showalter, J. Stuart (2018). Unintended consequences: Patient privacy in the age of social media. Healthcare Financial Management Association. https://www.hfma.org/topics/tr...
