More and more healthcare practitioners are turning to social media to share health-related information and to communicate with patients and with others in their field. Anyone who does so must pay close attention to what they post, because a careless post can disclose protected health information (PHI) and violate the HIPAA Privacy and Security Rules. Here are a few guidelines to help you build a social media strategy that stays within HIPAA.
What is HIPAA?
First, let’s begin with a basic understanding of the law. The Health Insurance Portability and Accountability Act (HIPAA) of 1996, together with the Privacy Rule issued under it, restricts how covered entities (healthcare providers, health plans and clearinghouses) and their business associates may use and disclose a patient’s protected health information. Disclosure is permitted without the patient’s authorization for a limited set of purposes: treatment (for example, between the doctors and other clinicians caring for the patient), payment (for example, between the hospital and the patient’s insurer) and healthcare operations. Outside those purposes, the patient’s information stays within the records of the provider and the insurer unless the patient signs a written authorization permitting the disclosure.
Guidelines for remaining HIPAA compliant
A single careless post on social media can amount to an impermissible disclosure of PHI, and therefore a HIPAA violation, even when it was not intended. Even if the mistake was made by a colleague rather than by you, it can mean a host of problems for you, your organization and your reputation. Staying cautious about what is published through your organization’s Facebook, Twitter or other social media pages matters to your career.
Seek patient consent before you post anything – Before you post about a case, obtain your patient’s written authorization. Confidentiality is a fundamental aspect of the relationship you share with those who have sought your professional assistance. Prior authorization should never be skipped, even when you have removed the patient’s name from what you share online: HIPAA treats information as de-identified only when a specific set of identifiers has been removed (or an expert has determined the re-identification risk is very small), and a case description that a patient, family member or neighbor can still recognize remains a disclosure of PHI.
Inform before you engage – Some patients are less private about their medical conditions and would like to communicate with you through social media. You should try to move the conversation into a private channel at your workplace. If the patient insists on continuing online, explain the risks of revealing personal health information on a public platform, then obtain and record the patient’s consent before communicating through social media.
Electronic protected health information (ePHI) is patient information, held or transmitted in electronic form, that is protected under the Health Insurance Portability and Accountability Act (HIPAA). HIPAA compliance is a complex topic, and it only gets more daunting when it comes to communication between providers and patients. If you send protected health information over email as a healthcare organization or as a healthcare organization’s business associate, HIPAA compliance applies to you. With penalties for breaches that can reach into the millions of dollars, it is a subject no organization should take lightly. Let’s separate myth from fact on ePHI and HIPAA-compliant email.
Myth: All email is HIPAA-compliant
This is a dangerously false assumption. It may come as a surprise, but the free consumer tiers of most email services are not HIPAA-compliant; this includes big players such as Yahoo!, Gmail and Hotmail. These free services will not sign a business associate agreement (BAA) with you, and without a BAA in place you have no contractual basis for letting a third party handle your patients’ ePHI. ePHI should never be sent through these accounts. If you must send ePHI to run your business, choose an email provider that will sign a BAA, encrypts messages in transit and at rest, and is specifically geared towards protecting the patient data that flows through your organization.
Myth: My business is too small to worry about HIPAA
Practices and organizations of all sizes get hit with HIPAA violation fines – no one is exempt. HIPAA regulations apply across the board, regardless of the size of your business. Penalties are assessed per violation and start at $100 per violation in the lowest tier, and each unencrypted email containing ePHI that leaves your network can be counted as a separate violation, so the total adds up quickly. HIPAA compliance is everyone’s responsibility, and no business is too small to face an audit or a breach investigation that ends in business-crushing fines. Protect yourself up front by following HIPAA’s requirements, and you won’t find your business under the gun for non-compliance.
Myth: Any email with PHI must have encryption
The HIPAA Security Rule lists encryption of ePHI in transit as an "addressable" specification (45 CFR 164.312(e)(2)(ii)), not a blanket requirement. That means you must perform a risk analysis and either implement encryption or document why an equivalent safeguard is reasonable for that particular path. Email that stays within a controlled internal network, such as messages between staff on the office’s own mail server, may be judged acceptable by that analysis, but the decision and its justification must be written down; "we are on a secure network" is a claim you have to be able to support. Once a message leaves the office over a wide area network or the internet, encryption is a must, whether that is TLS between mail servers, a secure message portal or end-to-end encryption of the message itself.
Myth: The recipient must have encrypted email
The majority of patients use a free, non-encrypted email host. Under the HIPAA Omnibus Rule and the individual’s right of access, a patient may ask that copies of their ePHI be sent to them by unencrypted email, and a covered entity may honor that request. Many secure email systems can also deliver protected messages to recipients who have no secure email of their own, which is usually the better option. When the patient insists on plain email, you must warn them that an unencrypted message can be read or intercepted by third parties; if they still want it sent that way, they accept that risk and you may send it. Record both the warning and the patient’s request in their file. That documentation protects you from later accusations of negligence.