More and more healthcare practitioners are turning to social media to disseminate health related information and communicate with customers and others in their field. However, healthcare practitioners should pay close attention to the information that they share out there to ensure that they comply with HIPAA Security Rule. Here are a few guidelines to assist you in implementing a social media strategy that complies with HIPAA standards.
What is HIPAA? First, let’s begin with a basic understanding of the law. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a federal law mandating the non-disclosure of private and personal patient information by healthcare professionals and their business associates. The exception to this rule is that the patient’s information can be shared internally within the confines of the hospital between doctors and healthcare professionals, or between the hospital and the insurance company for payment purposes. Unless the patient voids the non-disclosure, their information has no place outside of the databases of both the hospital and the insurance company.
Guidelines for remaining HIPAA compliant An accidental error in the information that has been shared on social media can mean that HIPAA compliance has been inadvertently violated. While the mistake may not be on your part, it could mean a host of problems for you, your business, and your reputation. Staying cautious about the information that is disseminated through your organization’s Facebook, Twitter, or other social media pages is significantly important to your career. Seek patient consent before you post anything – Before you write about a case, seek your patient’s consent. Confidentiality is a fundamental aspect of the relationship you share with those who have sought your professional assistance. Acquiring prior consent should never be overruled, regardless of whether your client’s identity has been omitted from the information you shared online.
Inform before you engage – Some patients are less private about their medical conditions, and would like to communicate with you through social media. You should attempt to take the conversation into the privacy of your workplace. If your patient persists on an online dialogue, inform them of the risks associated with revealing personal information online, then acquire the patient’s consent before communicating through social media.
Sending text messages has become a common method of communication among teenagers, adults, and more recently, medical professionals. Physicians are discovering that texting provides a quick and efficient way to communicate with colleagues, patients, and office or hospital staff. A recent survey by QuantiaMD of 38,000 physicians found that approximately “83 percent of physicians own at least one mobile device and about one in four doctors are ‘super mobile’ users who leverage both smartphones and tablet computers in their medical practices.”
As patients and healthcare providers increasingly use mobile devices to communicate with each other, concerns are raised about the security of electronic protected health information (e-PHI). The Health Insurance Portability and Accountability Act (HIPAA) Security Rule allows healthcare providers to communicate electronically with patients, but it also outlines standards to protect individuals’ e-PHI with appropriate safeguards to protect confidentiality, integrity and security of e-PHI. The following identifies security issues raised by texting of PHI between healthcare providers or provider and patient and how unsecure texting may violate the HIPAA Security Rule and create liability for healthcare providers.
As a general rule, texting of PHI by healthcare providers is strongly discouraged. Texting, or traditional short message service (SMS) messaging, is non-secure and non-compliant with HIPAA because data stored on personal mobile devices is not encrypted and is usually stored within the computer memory or on a smartphone SIM card or memory chip. The lack of encryption and the easily accessible storage methods allow any e-PHI communication on a mobile device to be retrieved and shared by anyone with access to the mobile device. This means that messages containing PHI can be read by anyone, forwarded, remain unencrypted on phone company servers, and stay forever on the sender and receiver’s phones.
Another reason why physician-patient texting is discouraged is that standard texting/SMS limits the message to 160 characters. This limited text field may cause critical information or options to be eliminated. According to a recent policy statement from the American College of Physicians and the Federation of State Medical Boards, physicians should understand text messaging is “not analogous to e-mail because of its abbreviated format and the greater possibility of missed messages.” Physicians are urged not to use text messaging even with established patients “except with extreme caution and with patient consent.”