
HI Professionals Must Post with Caution on Social Media to Protect Patient Privacy

“To be or not to be? That is the question.” This famous line from William Shakespeare’s most popular play, Hamlet, expresses indecision or hesitation about doing something. Since Hamlet was written, sometime between 1599 and 1601, technology has advanced considerably, and online applications (apps) and websites such as Facebook, Instagram, LinkedIn, TikTok, and Snapchat have become part of daily life.

According to Demandsage, there are around eight billion people on the globe and 4.9 billion of them use social media. This means that one in three people is socializing on various platforms. A typical social media user in the US has 7.1 social media accounts. Facebook is the biggest social media platform with 2.99 billion users, according to Demandsage’s research. So, for those billions using social media, the real question is: To post, or not to post?  

Healthcare workers are no exception to national trends with recent studies showing that over 90 percent of all clinical employees below the age of 40 are active users of social media. Use of social media sites is so prevalent among healthcare workers that professional organizations such as the American Medical Association (AMA), the American Nurses Association, and the American College of Physicians have directly addressed appropriate use of social media in their professional codes of conduct. The AMA particularly focuses on state and federal privacy regulations, stating “[Members] should be cognizant of standards of patient privacy and confidentiality that must be maintained in all environments, including online, and must refrain from posting identifiable patient information online.”  

There are many privacy and security risks to consider with social media. The Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 prohibits the disclosure of protected health information (PHI) on social media networks without the written consent of patients. Everyone should use caution when having any online social contact with patients, former patients, and their family members. Avoid posting from within the workplace, where patients or PHI could inadvertently appear in the background of videos and pictures.

Here are some common social media HIPAA violations:

  • Posting of images and videos of patients without written consent 
  • Posting of gossip about patients 
  • Posting of any information that could allow an individual to be identified 
  • Sharing of photographs or images taken inside a healthcare facility in which patients or PHI are visible 

Patient Communications via Social Media 

On June 5, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a settlement with Manasa Health Center, LLC, a health care provider in New Jersey that provides adult and child psychiatric services. The settlement resolved a complaint from April 2020 alleging that Manasa Health Center impermissibly disclosed the PHI of a patient when it posted a response to the patient’s negative online review. During the OCR’s investigation, it was determined that the center impermissibly disclosed the PHI of three other patients in response to their negative online reviews. The psychiatry practice paid $30,000 to settle the complaint as well as undertaking a corrective action plan that will be monitored for two years by OCR to ensure compliance with the HIPAA Privacy Rule. 

“OCR continues to receive complaints about health care providers disclosing their patients’ protected health information on social media or on the internet in response to negative reviews. Simply put, this is not allowed,” says OCR Director Melanie Fontes Rainer in a statement announcing the settlement. “The HIPAA Privacy Rule expressly protects patients from this type of activity, which is a clear violation of both patient trust and the law. OCR will investigate and take action when we learn of such impermissible disclosures, no matter how large or small the organization.” 

Organizations should have clear policies and procedures related to the use of social media. New hire and annual privacy training should include education related to appropriate social media use that references the policy. 

Organizations should not only consider social media postings to be a possible privacy breach but also recognize the harm they can do to the reputation of a facility. Employees should be cautious when posting any information related to their place of employment. Even if a post doesn’t identify a patient specifically, it could result in harm to an organization’s reputation.    

Private Groups and Messages Are No Exception 

Although some healthcare workers may believe that sharing PHI online in a private group, private message or group chat, or other private online channel provides adequate protection of patient privacy, the AMA Council on Ethical and Judicial Affairs argues that no patient information should be posted online with any expectation of privacy. In a 2016 report, the AMA contended, “Although the use of privacy settings within a particular website or application may help protect personal information, the complexity of such settings, and the potential for privacy breaches means that most information exchanged online should not be thought of as private.”  

Even beyond ethical considerations, the HIPAA Privacy Rule permits use or disclosure of PHI without patient authorization only in limited circumstances, such as what is necessary for treatment, payment, or healthcare operations (45 C.F.R. §164.506). None of those limited exceptions apply to online disclosure.

Healthcare professionals must always think critically about what they are posting on social media and take HIPAA, state, federal, or local laws into consideration first, while also carefully reviewing their internal organizational guidelines before posting anything online. 

Posting patient information online, even in a private community, is problematic from a healthcare regulatory compliance perspective. Healthcare workers discovered to have disclosed PHI are likely to face disciplinary sanctions imposed by their employer and may be subject to additional discipline from their accrediting body as well as potential civil and criminal liability.  

Technology plays a critical role in everyday life and allows people to connect in ways that were not possible before. Everyone should pause and think about the privacy and security risks that come with posting online through social media. To post or not to post is the question to consider when deciding to share information online. Unfortunately, once something has been shared, it may be difficult to remove before it has been viewed.

Returning to our earlier quote from Shakespeare, the answer to the question is clear: one should use caution when deciding what to post on social media. Whether the question is “to be or not to be” or “to post or not to post,” take the time to pause, consider whether the content should be posted at all, and ensure compliance with HIPAA, state and federal privacy laws, and organizational policies.


Gretchen Catlett, RHIA, CHPS, HCISPP, is regional director of compliance and privacy at Baptist Health System in Kentucky and Indiana. 

William Daniel Flowe, MSM, RHIT, CHPS, is the director of privacy compliance and system privacy officer at Norton Healthcare, an integrated health system serving patients in southern Indiana and Kentucky.  

Amy Henderson, RHIT, CHPS, CCA, is regional privacy officer of California Acute Care Facilities for Dignity Health at CommonSpirit Health. CommonSpirit is one of the largest nonprofit health systems in the US, with more than 1,000 care sites in 21 states coast to coast.