Liles Parker PLLC
(202) 298-8750 (800) 475-1906
Washington, DC | Houston, TX
San Antonio, TX | Baton Rouge, LA

We Defend Healthcare Providers Nationwide in Audits & Investigations

Providers Must Ensure that Social Media Practices are HIPAA Compliant.

(June 20, 2012): It is essential that providers and suppliers take steps to ensure that an organization’s social media practices are HIPAA compliant. The failure to do so can represent a significant risk to medical privacy. As technology, particularly involving social media, has evolved, the law has tried to keep pace, but is in many ways incongruous with the current state of how we interact on the Internet. In addition, social media and healthcare have a unique relationship. Social media practices have created a large grey area in several regards, including HIPAA compliance, who owns information transmitted to or from a social media site, federal communications law concerns, and possibilities for fraud, abuse, or the unlicensed practice of medicine. While social media can be a powerful tool to help healthcare providers work more closely with their patients, it presents a number of compliance concerns which must be addressed.

I.  Has Your Organization Ensured that Social Media Practices are HIPAA Compliant?

The single biggest threat in social media and healthcare is in maintaining HIPAA compliance. HIPAA’s Administrative Simplification Subtitle, which contains the Privacy Rule and Security Rule, prohibits certain usage or disclosure of protected health information (PHI) without the explicit authorization of the patient involved. PHI is any information in any 1 of 18 categories about health status, treatment, or payment that can be linked to a specific individual. Eight of the 18 “identifiers” are listed below:

  • Name;
  • Geographic identifiers (smaller than state);
  • Dates related to an individual;
  • Social security, phone, fax, health insurance or medical record numbers;
  • Email addresses;
  • Biometric identifiers (fingerprints, voice recordings, etc.);
  • Full face photos;
  • Any other unique identifying number or characteristic.

Clearly, disclosing any of these identifiers without the patient’s specific authorization could be a HIPAA violation. Even if a patient approaches a healthcare provider through social media (e.g., tweets a message or posts a message on a provider’s Facebook wall), this is insufficient authorization for the provider to respond to the patient by the same method. Instead, a provider may ask the patient to call them so that any matters the patient has may be discussed in private. Even better, if the situation is not an emergency, it should be addressed at the patient’s next visit, so that the provider has the opportunity to personally examine any complaints and further discuss those problems with the patient. In any event, both providers and their staff should be cognizant of the potential HIPAA concerns when social media and healthcare come together.

II.  Unlicensed Practice of Medicine and Social Media:

If a provider has ultimately decided to offer medical advice over the internet (although we strongly recommend they don’t), they should remember that the privilege to practice medicine is a state-based grant of authority. A provider licensed in Texas may not be licensed in Oklahoma or Louisiana. So, following that example, what happens if a patient in Oklahoma contacts a physician in North Texas (who is not licensed in Oklahoma) regarding a medical question through a social media site, and the physician responds in kind with certain advice and treatment recommendations? Well, if nothing goes wrong, probably nothing. But it is only when adverse outcomes happen that additional problems arise as a result of social media and healthcare. First, a provider might be liable for malpractice if their over-the-internet recommendation missed something that could have been easily recognized in person. Second, the provider might be liable for practicing medicine without a license. While criminal sanctions for such an act usually require a degree of intent, civil penalties, as well as extremely difficult presumptions in civil suits, will not necessarily consider whether the practice was a mere error or intentionally done. For instance, practicing medicine without a license may be considered a prima facie case for medical malpractice for any individual injured by the provider. In our Oklahoma example, the Oklahoma patient, as a result of just about any injury caused by the Texas physician’s advice, will have been presumptively harmed, and have an easier time winning a malpractice suit against the physician. On the other hand, if the Oklahoma patient had crossed state lines and been treated by the Texas physician in his office, it would be more difficult for the patient to establish a claim for damages. But e-treating through social media can and does cause these types of problems. As a result, providers should think carefully about social media and healthcare treatment and operations.

III.  Other Social Media and Healthcare Considerations:

Social media practices may eventually change the way that healthcare is delivered in the United States, but providers must remember that the laws have not caught up to e-health practiced through social media. There is significant risk exposure from any type of treatment conducted over Facebook, Twitter, and other sites, as well as the possibility of violations of federal law, such as HIPAA. Providers who wish to engage in social media usage with their patients should have the legal risks involved researched, and make sure that they have compliance policies and procedures in place which mitigate their risk of violating the law. This becomes all the more important when a provider has one or more employees. It is essential to have a compliance plan which specifies all of the actions an employee may take in the context of social media and healthcare, especially when conducting business on behalf of the practice. Providers should ensure that they and their staff keep their personal and professional lives on social media entirely separate.

Robert W. Liles is a Managing Member in the Washington, D.C. office of Liles Parker. In addition to his significant experience with healthcare fraud and abuse, Mr. Liles also counsels clients on HIPAA, OSHA, and compliance issues, and works with clients to develop and implement effective compliance plans. For a free consultation to discuss your compliance needs, please call Mr. Liles at: 1 (800) 475-1906.
