Professional Insurance Programs

Social Media and Patient Confidentiality: A Balancing Act

One of the most significant concerns related to the use of social media in healthcare is the requirement to maintain strict confidentiality of patients’ protected health information (PHI). This obligation is addressed in federal law and governed by the U.S. Department of Health and Human Services (HHS) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Individual states also may have laws related to privacy and security of PHI, which might be more stringent than federal laws.

Because the boundaries between appropriate vs. inappropriate and personal vs. professional use of social media can easily blur, managing privacy risks can be challenging. For example, numerous instances have occurred in which healthcare workers have posted pictures of, or details about, their patients on their professional or personal social media pages without patients’ consent. Regardless of whether these actions were intentional or inadvertent, they violated confidentiality and the patients’ privacy rights.

For healthcare providers who want to use social media personally and/or professionally, the following risk strategies may help address privacy and confidentiality concerns:

  • Do not post or publish any content on social media sites that contains patient details or identifying information (including photographs and testimonials) without the patient’s permission and written consent. The consent should explicitly state how the information will be used.
  • Consider prohibiting the photographic use of cellphones and other mobile technologies as part of your healthcare practice’s staff policies.
  • Have someone who is familiar with HIPAA and state privacy regulations review social media content to ensure information does not violate patient confidentiality.
  • Train staff on HIPAA and state privacy laws, and educate them about the consequences of violating these regulations.
  • Ask staff members to sign confidentiality agreements, and maintain a signed copy of the agreement in each employee’s personnel file.
  • Be aware that responding to a patient post or review on a social media site might violate HIPAA or state privacy laws. Carefully consider how to manage these situations, and speak with legal counsel if necessary.
  • Understand the technical limitations and terms and conditions of any social media sites that you plan to use. For example, information sent via messaging functions likely is not encrypted, and the site might maintain the right to access any personal information.

Addressing confidentiality and privacy concerns in your practice’s social media policies and implementing strategic safeguards can help protect patients and reduce liability exposure.

Source: The Medical Protective Company