Social Media: a HIPAA Danger Zone
Social media is a danger zone for health care workers. A good rule of thumb is to keep work and private lives separate, and never post comments about or photos from work on a social media platform. There is a good chance that if your post is about work, you may disclose personal health information (PHI), whether in text or through photos.
Disclosures of PHI via social media are among the common HIPAA violations at URMC and Affiliates. Some involve photos, e.g. “selfies” with eRecord screens or patient documents in the background, or photos of patients without the required authorization. These are not only HIPAA violations but also violations of some affiliates’ photography policies. Other posts involve comments about the work day or particular cases. Many are self-initiated; some are responses to others’ posts.
Even if someone else, including a patient or patient representative, has made a post about a patient’s condition, members of the care team may not acknowledge their role in the patient’s care, or otherwise comment publicly, because that inevitably will disclose PHI. Just the fact that a person is a patient at URMC or Affiliates is PHI.
“Real World” Examples of HIPAA Violations on Social Media:
- Posting on Snapchat a video of a patient singing a Christmas carol, without consent
- Tweeting that the soccer player who was on the news after collapsing on the field is in surgery
- Posting “Hard day. My patient died of injuries from that pileup on 590.”
- Private messaging your colleagues on Facebook that patient Jones is psychotic
- Texting friends that someone you saw last night at a restaurant just came to your medical office
- Acknowledging that you cared for a patient/resident when a family member tags you in a post, e.g. “So glad we could get him home for the holidays.”
All of us have a responsibility to protect patient privacy. A staff member who receives PHI via social media from co-workers has an obligation to report the violation to their supervisor or via the Integrity Hotline at (585) 756-7888. A report can also be made to the hotline electronically. The Compliance Office provides a list of the different methods of communication.
Deliberate or thoughtless disclosure of PHI on social media can result in patient/resident/family distress, regulatory citations for the health care facility, and loss of employment for an employee.
Please think before you post!
For additional information on any HIPAA-related topics, please refer to the URMC intranet site or contact your Privacy Officer or HIPAA Security Official.