How to Stay HIPAA Compliant in the World of Social Media

This post has been guest-authored by Atlantic.net as part of our guest post series. Learn more about Atlantic.net at the bottom of this post. While health companies need to take great pains to make sure they are in HIPAA compliance, which includes all the cyber and physical security mandates, one thing commonly overlooked is social media security. When improperly used (or even properly, in some cases), social media can be a pitfall of security and privacy leaks for health companies, whether it be due to negligence, poor staff training, or just plain bad actors. In this article, we’re going to discuss ways that health companies can stay HIPAA compliant in the world of social media. Though the information in this article isn’t only applicable to health companies striving to remain HIPAA compliant, as many of our security tips are applicable to companies of all sizes.

Common HIPAA violations pertaining to social media

According to research, some of the most common social media blunders which create HIPAA violations are as follows:

Posting photographs or any form of personal healthcare information without written consent from a patient.
Sharing of comments or pictures which may depict harmless activity, but in fact, contain sensitive information in the background. An example would be group staff photos with patient charts or medical records visible in the photos.
Posting of verbal gossip about a patient to unauthorized individuals, whether or not the patient’s name is disclosed.

Those are all outright violations, which can typically be made by careless staff. Of course, there are other blunders to consider, which may not be immediately threatening, but pose a risk nonetheless. Using personal social media accounts on company devices, for example, is one such risk. An employee who checks their personal social media or email while logged into a company device is at risk of acquiring malware which can then infect the company device. There are numerous virus types which, once residing on a company device, can begin to attack and breach the entire network of company devices. We saw this happen with infamous viruses such as Eternal Blue, and its spinoff variations, WannaCry and Petya/NotPetya. These viruses were able to infect one device on a network, then migrate to every other device connected to the network, leaving destruction in their wake. The reason this ties into social media is because cybercriminals have become prolific in modern times, and many are using social media as launching pads for new viruses. One common strategy being used is cloning social media profiles, then sending virus-infected attachments and videos to unsuspecting individuals, who may believe the attachments came from a personal friend’s real account. Once the user is infected, their account becomes compromised and begins sending out the virus attachments to everyone on that account’s “Friends” list. It’s an old method that hearkens back to the earliest forms of email viruses, just updated for modern-day social media. Employees should never be sending company documents across personal social media, even if it’s simply sending photos or documents between staff members, as things have a way of being leaked. If your staff needs to upload and share sensitive data, consider implementing something like HIPAA compliant cloud storage.

Other ways social media can cause HIPAA violations

While social media such as Twitter and Facebook offers methods of privacy control, such as limiting who can view status updates to custom lists of friends, it’s entirely possible for private posts to accidentally be made public. A single mis-click in the Security settings, for example, can retroactively make every account post suddenly public. Sensitive posts can also be forgotten about, deeply buried in the timeline, and somehow scraped by a third-party. Staff may accidentally disclose PHI (personal health information) of patients, whether through a form we mentioned earlier, such as group photos with visible documents in the background or through gossip and idle chatter on a group page. Another thing to be aware of is that giving healthcare advice over social media may potentially be hazardous for compliance issues, especially if patients use their real names on social media, and contact healthcare professionals while seeking healthcare-related questions.

Rules to follow for remaining HIPAA compliant on social media

Some of the following tips may seem like a no-brainer, but you want to address all potential situations. When things hit the fan, nobody likes to take the fall, and staff can easily say that security instructions pertaining to specific scenarios were not given. Thus, it’s important to try and be as absolutely comprehensive as possible and cover all the bases. Employees absolutely need to be trained in cybersecurity, which should discuss topics such as social media usage and include the following rules and guidelines. Do not post any patient information or details of any situation. Even if a patient’s name isn’t given, a story can be pieced together by internet detectives. For example, a nurse accidentally identified an accused murderer who was being treated for a gunshot wound, simply by posting about him without mentioning his name. Current media coverage of the crime made it easily identifiable who the nurse was referring to. Never assume information is private. Online privacy can largely be a facade. Even if you think you’re anonymous, many internet users have the habit of using the same online handles, passwords, and other identifiers across the entire web. Deleting social media posts doesn’t always guarantee they’re gone forever, as screenshots could’ve been made before a post was deleted. Always get written permission from patients. There can be certain situations where you’d like to share a patient’s testimonial or answer a seemingly harmless question. However, it is of vital importance to have the patient’s written consent before posting anything, and even if you do have the patient’s consent, you should still try to keep as much personal information out of the picture as possible. Create an office-wide policy pertaining to social media usage. The Institute of Health released some research saying that only 31% of healthcare organizations have specific social media guidelines given to employees. As we mentioned earlier, it is of vital importance to be as comprehensive as possible. If you have an employee handbook (which you absolutely should), update it with a section on basically everything we are discussing in this article. Only allow staff who are knowledgeable of HIPAA compliance to use official company accounts. You should appoint only a few people, who are well-versed in HIPAA guidelines, to actively use any official company social media pages. These staff should also be able to monitor for any potential violations, and if a violation has occurred, they should have appropriate steps to take, such as immediately deleting the posts and consulting with a legal advisor about protecting the patient’s rights. Atlantic.Net is a global Cloud Services Provider with a focus on security, compliance, and simplifying user experience. Trusted by over 15,000 businesses and channel partners, Atlantic.Net provides award-winning managed and compliant Cloud Services, including flexible private, public, and hybrid hosting solutions. Find out more about them here.