
HIPAA and Social Media: Protecting Patient Privacy in the Digital Age
By Cheryl Alkon
Nearly everyone has a smartphone these days, and with Twitter, Facebook, LinkedIn, YouTube and other social media sites at our fingertips, it can be embarrassingly easy to violate a patient’s privacy by transmitting protected health information, even without ever mentioning that patient’s name.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted to help ensure that physicians and other healthcare providers wouldn’t compromise medical and other identifying details pertaining to a patient’s health by making them public.
And while HIPAA was enacted long before social media use, the ease of sharing information online with others has led some healthcare providers to lose their jobs or be reprimanded, and has caused humiliation for their patients and their own employers, as well as for themselves.
“Post with caution,” said Steven M. Harris, a nationally recognized healthcare attorney and a member of the law firm McDonald Hopkins, LLC in Chicago. According to Harris, both personal and professional accounts need to be used judiciously when communicating patient information. And both healthcare providers and medical practices should understand how such information could be easily compromised.
Harris, who wrote about this issue recently for ENT Today, a trade journal for otolaryngologists, said that the most common mistake he has seen physicians and medical practices make is not fully de-identifying a picture or text before posting.
“A physician posts an x-ray of a complex fracture on his or her Facebook or Instagram page, and thinks the patient’s name on the x-ray is illegible, but it turns out to be visible when the image is maximized,” he said.
Another mistake Harris observed happened when one physician posted about a patient without mentioning their name, but cited the nature of an injury in such a way that third parties were able to determine who the patient was. In that case, said Harris, an emergency department physician in Rhode Island was fired, lost her hospital medical staff privileges and was reprimanded by the state’s Board of Medical Licensure and Discipline, after posting about the patient on her personal Facebook page, which she later deleted. “Despite the physician omitting what she thought was identifiable information about the patient from her post, she apparently did not omit enough information,” wrote Harris in the ENT Today story.
Penalties for HIPAA violations, real or alleged, vary, said Harris. On the federal level, a physician or his employer can be slapped with civil or criminal charges, while states can also intervene, depending on where the physician is based. While a patient can’t sue under federal HIPAA law, he or she may be able to sue the physician under state laws. And state medical boards may also penalize the physician with fines, suspensions or termination of medical licensure in that state, Harris noted.
Above all, know what you are doing if you are posting about patient information in any form of social media. Even if you think you are being careful and eliminating any personal details that might identify a patient, it’s possible that a HIPAA breach can still occur, and the consequences to you and your career can be severe.
Cheryl Alkon is a seasoned freelance writer who has covered healthcare and medicine extensively. She has written for a variety of consumer, trade, custom and online publications, including USA Today, the New York Times, Prevention.com, More, Women’s Day, ENT Today, and Oncology Business Management. She is the author of “Balancing Pregnancy With Pre-Existing Diabetes: Healthy Mom, Healthy Baby.” (Demos Health, 2010).