To maintain HIPAA compliance when patients send protected health information (PHI) via social media, respond without disclosing PHI and direct them to secure communication channels such as HIPAA-compliant email. Include disclaimers on your profiles to discourage sharing personal health information. Train staff to handle these messages appropriately, document any PHI incidents, consider deleting sensitive posts, and regularly review your social media policies for HIPAA alignment.
In the first half of 2018 alone, more than 56% of the 4.5 billion compromised data records were attributed to social media incidents. The HIPAA Privacy and Security Rules require specific safeguards to protect PHI, including encryption, restricted access, and controlled sharing. Social media platforms, however, lack the encryption and privacy controls needed to secure PHI, and messages or comments can easily become accessible to unauthorized viewers. Additionally, HIPAA mandates the “minimum necessary” standard, which means only the information strictly necessary for treatment or care coordination should be shared. When patients attempt to share PHI on social media, the privacy risks are significant, and any response must avoid further sharing of sensitive information.
Patients may reach out via social media messages, comments, or even tagging a provider in a post. They might discuss their symptoms, request appointment information, or ask for treatment advice, inadvertently placing sensitive information on a public or minimally secure platform. Often, patients are unaware of the risks of sharing private information through social media. They may use it for convenience or because they’re unfamiliar with secure communication options.
When PHI is shared on social media, healthcare organizations should follow a clear protocol to minimize risk and maintain HIPAA compliance. First, document any instances where patients post PHI, record the incident in a privacy log, and consult with your HIPAA compliance officer to assess if further reporting is necessary. Next, take immediate steps to limit PHI exposure by hiding or deleting sensitive comments or posts where possible, ensuring that any response remains compliant with HIPAA rules and does not further disclose PHI. Finally, treat these incidents as valuable learning opportunities by conducting an internal review to refine your social media policies and, if needed, strengthen staff training to prevent future occurrences.
A study published in Health Law states, “...allowing social networking without proper training and restriction can lead to breaches of privacy in an era in which penalties for such violations are increasingly stringent.” Therefore, healthcare organizations must train employees to understand the basics of HIPAA and know how to recognize and handle patient communications that could lead to privacy risks. Provide staff with response scripts and guidelines for redirecting patients to secure communication channels.
Yes, but keep responses general and avoid discussing any specific patient details or cases. Instead, direct the patient to secure communication channels for personalized advice.
Not every incident requires reporting, but you should document all occurrences and consult your HIPAA compliance officer to determine if the situation warrants further reporting.
General health tips and educational content can be shared as long as they don’t contain identifiable patient information or PHI.