Balancing Social Media and Patient Privacy in Healthcare
Maintaining privacy of patients’ protected health information (PHI) is one of the most significant concerns related to social media use in healthcare. Privacy and security of PHI are addressed in federal law and governed by the U.S. Department of Health and Human Services (HHS) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). States also may have laws related to the privacy and security of PHI, which might be more stringent than federal laws.
Because the boundaries between appropriate versus inappropriate and personal versus professional use of social media can easily blur, managing privacy risks can be challenging. For example, numerous instances have occurred in which healthcare workers have posted pictures of, or confidential information about, patients on professional or personal social media pages without the patients’ consent. Regardless of whether these actions were intentional or inadvertent, they violated confidentiality and the patients’ privacy rights.
In today’s technology-driven culture, it is unreasonable to expect healthcare workers to avoid social media, particularly when many healthcare organizations are using social platforms for marketing and educational purposes. Rather, organizational leaders can educate healthcare workers about social media risks, offer best practices, and implement reasonable social media policies. For example, consider the following guidelines:
- Prohibit or set limitations on the photographic use of cellphones and other portable electronic devices as part of organizational policy.
- Train staff members on HIPAA and state privacy laws, and educate them about the consequences of violating these laws by posting content on social media that contains patient details or identifying information. Provide real-life examples to illustrate intentional and inadvertent privacy breaches.
- Ask staff members to sign confidentiality agreements, and maintain a signed copy of the agreement in each employee’s personnel file.
- When posting content containing patient identifiable information to the organization’s social media sites, ensure patient consent is obtained. The consent should explicitly state how the information will be used. Have someone who is familiar with HIPAA and state privacy regulations review social media content to ensure information does not violate patient confidentiality.
- Be aware that responding to a patient post or review on a social media site might violate HIPAA or state privacy laws. Learn more about managing negative online reviews from patients.
- Understand the technical limitations and terms and conditions of any social media sites that you plan to use. For example, information sent via messaging functions likely is not encrypted, and the site might maintain the right to access any personal information.
Addressing privacy and confidentiality concerns in organizational social media policies and implementing strategic safeguards can help protect patients and reduce liability exposure. For more information, see Social Media in Healthcare: A Slippery Slope.