Thanks to high-tech devices such as smartphones and tablets, thanks to the Internet, and thanks to social media, we live in an age of constant connection. People can share anything at the press of a button, and, just the same, they can access endless material shared by others.
With all this widespread sharing, it is important for physicians to monitor their own use of social media, upholding the security of their patients’ protected health information (PHI), and, thereby, saving themselves and their practices from breeches in patient privacy. As much as physicians are aware that they must store and send sensitive PHI securely, sometimes it is inadvertently shared with others.
18 Ways to Identify a Patient
1. Any geographical subdivision smaller than a state (eg, street address, city, county, precinct, zip code) and their equivalent geocodes
2. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
3. Phone numbers
4. Fax numbers
5. Email addresses
6. Social security numbers
7. Medical record numbers
8. Health plan beneficiary numbers
9. Account numbers
10. Certificate or license numbers
11. Vehicle identifiers and serial numbers, including license plate numbers
12. Device identifiers and serial numbers
13. Web universal resource locators (URLs)
14. Internet protocol (IP) address numbers
15. Biometric identifiers, including fingerprints and voice prints
17. Full face photographic images and comparable images
18. Any other unique identifying number, characteristic, or code (not including the unique code assigned by the investigator to code the data)
Adapted from: HIPAA PHI: List of 18 identifiers and definition of PHI. Berkeley Human Research Program Protection. http://cphs.berkeley.edu/hipaa/hipaa18.html. Accessed January 31, 2017.
FIVE EASY TIPS
The truth is, with so many social media platforms available, and with more emerging all the time, it can be daunting to figure out what is acceptable to post and what is not. The five easy tips I offer here are what you need to know about protecting your patients and your practice.
Tip No. 1: Do decode patient identifiers. Most health care professionals know to avoid impermissible use or disclosure that compromises the security or privacy of a patient’s PHI. But what, exactly, constitutes PHI? In the United States, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) defined PHI as any information that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service.1 This includes 18 distinct identifiers (see 18 Ways to Identify a Patient).2 The bottom line is that, if the patient can be identified in something you are considering posting, do not post it.
One common example of a HIPAA violation is when a staff member shares his or her excitement about treating a professional athlete or well-known TV personality on social media. According to a blog by the compliance consultant organization Healthcare Compliance Pros, “posting verbal ‘gossip’ about a patient to unauthorized individuals, even if the name is not disclosed” is enough to get medical practices into trouble with HIPAA laws.2
Tip No. 2: Do keep your personal social media accounts and those of your employees separate from the practice’s accounts. Creating a personal social media account using a pseudonym that only friends and family know can help to keep a health care professional’s patients from searching for him or her and sending friend requests. Furthermore, it is important to avoid connecting with patients on personal or practice accounts and to advise your employees to do the same.
Tip No. 3: Do speak up when patients are asking for medical advice online. Crowdsourcing your medical care on social media is never a good idea, but, unfortunately, people do it all the time.3 Instead of making comments that are specific to one patient, speak to patients on social media collectively and offer general advice only. One tactic is to share a patient education video. If an unknown patient reaches out and asks a personal health question on social media, however, the most appropriate course of action is to take the conversation offline. In these situations, use a standard response that asks the patient to call the office and make an appointment, or, if in an emergency, to call his or her local emergency number or go to the emergency room of a hospital.
Tip No. 4: Don’t make the mistake of thinking that posts are private or that they disappear once they have been deleted. Search engines and screenshots can make even deleted posts permanent. As a general rule, do not post anything you would not be comfortable sharing in public.
Tip No. 5: Don’t overlook staff training. Educate the staff in your practice on social media security, and have a solid social media policy in place. In the policy, social media should be defined and specific sites mentioned, and the type of information employees are and are not allowed to post on both the practice’s pages and on their personal pages should be covered.
1. HIPAA PHI: List of 18 identifiers and definition of PHI. Berkeley Human Research Program Protection. http://cphs.berkeley.edu/hipaa/hipaa18.html. Accessed January 31, 2017.
2. Posting with caution: The Do’s and Don’ts of social media and HIPAA compliance. Healthcare Compliance Pros. April 7, 2015. https://www.healthcarecompliancepros.com/blog/posting-with-caution-the-dos-and-donts-of-social-media-and-hipaa-compliance-2/. Accessed January 31, 2017.
3. McCullar E. A warning against crowdsourcing your medical care on social media. KevinMD.com. April 18, 2016. http://www.kevinmd.com/blog/2016/04/a-warning-against-crowdsourcing-your-medical-care-on-social-media.html. Accessed January 31, 2017.