Legal Update: Establish social media policy

Wednesday, January 8, 2020
Matthew Fischer

Q. Is it possible to commit a HIPAA violation when using social media?

A. Yes. Suppliers should be aware of the intersection of social media and the Health Insurance Portability and Accountability Act (HIPAA). Problems can arise with even innocent responses containing a patient’s protected health information (PHI) on social media.

To better highlight this issue, let’s review the latest enforcement action by the Department of Health and Human Services Office for Civil Rights (OCR), the government body tasked with enforcing HIPAA’s regulations. In October 2019, a dental practice was fined by the OCR for impermissibly disclosing PHI in response to Yelp reviews. Specifically, the dental practice posted patients’ names, health conditions and treatment plans without authorization. As a result, OCR imposed a fine and required the practice to implement policies to ensure unauthorized disclosures do not occur in the future.

Suppliers that are “covered entities” (i.e., an entity or person that submits HIPAA transactions electronically) and their “business associates” (i.e., an entity or person other than an employee that transmits PHI for a covered entity) need to be aware of the restrictions set out in HIPAA. Unless an exception is met, suppliers are required to obtain authorization from a patient before the supplier can use or disclose a patient’s PHI. Thus, it is of the utmost importance for a supplier to be familiar with the rules and take all necessary steps toward compliance.

Here are a few guidelines:

  • Develop a comprehensive social media policy and communicate to employees the potential penalties for HIPAA violations.
  • Provide training to all staff regarding acceptable social media usage as part of your regular HIPAA training, including examples of what is appropriate and what is not.
  • Conduct refresher training and update your policies annually.


Matthew Fischer is partner and health law attorney at Zumpano Patricios. Reach him at 305.444.5565 or mfischer@zplaw.com.