Social media can help health care organizations develop deeper partnerships and communication channels with patients, families, staff, and communities—but many organizations have shied away from using Twitter, Facebook, and other tools due to concerns about patient privacy, IT security, and more.
As more providers come to view social media as a critical aspect of their marketing and strategy toolkits, it's important to understand how hospitals and health systems can appropriately engage with social media while ensuring compliance with privacy laws, notably the Health Information Portability and Accountability Act (HIPAA).
Recently, we spoke with Mark Hedberg and Matthew Jenkins, partners at Hunton & Williams LLP, about the legal challenges providers face with regard to social media use and how they might overcome those challenges.
Q: What is the most common misconception about social media and protected health information?
Hedberg and Jenkins: Many providers mistakenly believe that if a patient shares some aspect of their protected health information (PHI) on social media, then the PHI is no longer protected under the HIPAA.
That's not the case: Under the law, patients' use of their own PHI does not, in any way, alter covered entities' obligation to protect PHI from inappropriate use or disclosure.
By way of background, HIPAA defines PHI as health data that are personally identifiable to the patient and created or received by a covered entity during the course of care; covered entities include health care providers, health plans, public health authorities, employers, life insurers, schools or universities, and health care clearinghouses.
Q: So how can providers get patients' permission to use their PHI for social media?
H&J: Patients can grant covered entities the ability to use or disclose their PHI through either authorization or consent—but those are technical processes that can never be implied through social media postings.
For example, if a patient posts on Facebook about their recent joint replacement at a given hospital, any public response by the provider organization may be considered a HIPAA violation. The only way for the provider to avoid a HIPAA violation is by seeking authorization from the patient to disclose the specific aspect of PHI that is disclosed on the specific post in question.
According to HIPAA's Privacy Rule, "authorization" amounts to their signed permission to allow a covered entity to use or disclose the individual's PHI for an expressed purpose and to an expressed recipient. An authorization must include the description of the PHI to be used or disclosed, the name(s) of individual(s) authorized to make the requested use or disclosure, the name(s) of individual(s) who may use the PHI, a description of each purpose of the requested use or disclosure, authorization expiration date, and the PHI owner's signature and date. In other words, Authorizations are discrete, rather than blanket approvals to share PHI.
Q: How does providers' use of social media pose new challenges with regard to HIPAA compliance?
H&J: As the health care sector becomes more like the retail sector, the temptation to use social media to manage and influence customer relations in the same manner as retailers is strong, but perilous. Retailers use consumer information to segment their markets and target consumers, often through social media channels. Within health care, providers have access to a wealth of consumer information, but without authorization, any public use of that information may amount to a HIPAA violation.
Case in point, providers may not use patients' health history as the driver for targeting paid ads for information about specific products or services. Once the provider feeds PHI into any third party algorithm without the patient's authorization, it's considered an unauthorized disclosure of PHI and a violation of HIPAA. Further, while retailers may require customers to agree to terms and conditions in order to use the app, providers cannot condition treatment on authorization to disclose PHI.
Q: When a HIPAA breach occurs on a social network, how should a provider organization respond?
H&J: If wrongful disclosure occurs on social media, there are no rules stating that providers may treat it any differently than if the breach occurred through another outlet. Legally, providers are obliged to notify patients and, depending on the size of the breach, notify regulatory agencies.
However, it's worth noting that an unlawful disclosure of PHI on social media poses a new challenge for providers because the event is public and its impact can multiply almost instantaneously. If a ransomware attack leads to the disclosure of one patient's PHI, the issue can be handled on a one-off basis. On the other hand, if one patient's PHI is unlawfully disclosed on social media, the public nature of the event can lead to a larger PR nightmare. Moreover, providers' do not have complete control over employees' social media accounts, so it's more difficult to "plug the hole," so to speak.
While we haven't seen hospitals directly monitoring their employees' private social media accounts, most do have restrictions on employer-provided equipment (e.g. tablets, phones, desktop computers). So, if an employee accesses their private account through an employer-owned devices, the employer may be able to monitor social media use.
Q: Though social media use complicates HIPAA compliance, many providers see it as an opportunity to boost access and engagement. What advice would you give to providers who want to appropriately engage with patients through social media?
Access our cheat sheets on HIPAA and other key legal landmarks
With MACRA, HIPAA, the ACA, and countless others, the health care landscape has become an alphabet soup of legislation. To help you keep up, we've created a series of cheat sheets for some of the most important—and complicated—legal landmarks.
Check them out now for everything you need to know about the Affordable Care Act, antitrust laws, fraud and abuse prevention measures, HIPAA, MACRA, and the two-midnight rule.