Hospitals: Five Mistaken Beliefs that Lead to Social Media HIPAA Violations

Photo Credit: Declan

Whether they host social media sites or not, most US hospitals have realized how important it is to develop social media policies for their employees.

But a quick Google search shows that the majority of HIPAA violations related to social media – at least those reported in the media – don’t take place on official healthcare social media sites at all. Instead, they’re posted on personal Facebook pages and Twitter accounts.

What were they thinking?

Here are five mistaken beliefs that can lead to HIPAA violations.

Mistaken Belief #1: It’s private

My communication is private. No one will see it except for the intended recipient.

Reality: One of the key features of social media is the ability to share information among friends and associates, and among their friends and their associates. When you post something – anything – on any social media site you need to remember that it could end up anywhere. Even private posts are not private.

Mistaken Belief: I can delete my post

If I make a mistake and then delete my post/comment no one else will see it.

Reality: Enormous server farms are constantly scouring the web, preserving every scrap of data. Even if you post something and delete it just a few minutes later, it’s still alive in the digital world and could come back to haunt you for a very, very long time.

Mistaken Belief #3: It’s okay if I don’t use a name

It’s okay if I talk about a patient on my Facebook or Twitter account as long as I don’t use the patient’s name.

Reality: Under HIPAA, patient information is really safe to use only when it is stripped of 18 identifiers. Particularly in small communities, any innocent comment about a patient may help others identify the subject of the post.

Mistaken Belief #4: She started it

My patient posted her protected health information on her own site, so I’m free to comment, like, share or retweet.

Reality: Be cautious. It’s okay for a patient to disclose his or her own personal health information, but if you share or retweet it on your personal accounts, you are giving it new life and may land in hot water. Play it safe, and don’t do it.

Mistaken Belief #5: It’s so easy to be careless

It is just so darn easy to be careless – to type something and press send without thinking.

Reality: The fifth mistaken belief is actually an accurate belief, but it fits so nicely in this list I had to include it.

When HIPAA violations occur on personal social media accounts, it is almost always because the person was just not thinking. It is so easy to just type a few quick words and press send, especially when you’re tired or distracted. If every healthcare worker had STOP! and THINK! buttons on his or her Facebook page, it could save a lot of grief.

How we help

Hive Strategies helps health systems create HIPAA-compliant online communities for better health, lower costs and greater loyalty.

1 reply

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *