Question: I like to chat on social media sites (e.g., Twitter and Facebook) with colleagues about difficult cases. I always remove the patient's name from any discussions. Anything else I should be aware of?
by Keith Henaman in Social & Electronic Media on Wednesday, August 12, 2015
Answer: The most important thing to remember is that even an inadvertent, seemingly innocuous disclosure of a patient’s protected health information (PHI) through social media can get you in trouble with HIPAA, state privacy laws and state chiropractic boards.
PHI is defined under HIPAA, in part, as information that:
- Is created or received by a doctor.
- Relates to the health or condition of an individual.
- Identifies the individual (or there is reason to believe the information can be used to identify the individual).
- Is transmitted by or maintained in electronic media, or transmitted or maintained in another form or medium.
Under HIPAA, a doctor may use and disclose PHI for “treatment, payment or healthcare operations,” but doing so through social media does not qualify. If a doctor were to use or disclose a patient’s PHI without permission, this would be a violation of HIPAA, and likely state law as well.
To be able to use this information without the patient’s consent, a doctor must modify what is released so the patient is not identifiable. It is pretty straightforward that a doctor must remove the patient’s name, geographic information, dates (e.g. birth date and dates of care), telephone and fax numbers, email addresses, Social Security number, clinical record number, and images of the patient’s face.
Where it gets tricky, especially considering the amount of personal information available on the Internet, is that a doctor must also remove “other unique identifying numbers, characteristics or codes.” Even a small amount of information put into a search engine will generate relevant “hits” that make it difficult to comply with HIPAA standards.
Doctors face multiple penalties for not complying. Not only can the federal government impose civil and criminal sanctions under HIPAA, individual states can enforce penalties that vary from state to state. The patient also may sue for privacy violations. Although HIPAA does not afford patients the right to bring a private cause of action against a doctor, state law often allows it.
Also, state boards often have the right to impose penalties for privacy violations. These can include suspension or termination of a doctor’s license. Even doctors who “like,” “share,” “re-tweet,” or comment on inappropriate social media posts can be reprimanded.