Social media and patient privacy lessons ripped from the headlines


Who's responsible to protect health information under HIPAA and HITECH?

One of the biggest lessons from recent cases is that patient information can be very broad.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act are patient privacy rules under which covered entities must secure protected health information (PHI).

What's PHI? "Basically anything used to identify a patient," Tatiana Melnik, an associate at Dickinson Wright in Ann Arbor, Mich., told FierceHealthcare. PHI can be patient names, photos of their faces or even tattoos, as well as medical conditions or location.

And who's responsible for protecting that information? "Covered entities," which can be hospitals, physicians, nurses, health plans or business partners that handle PHI.

"People don't seem to understand that posting that kind of information is, in fact, a breach because they think 'I'm one of millions. It's very difficult to find out where I am,' where in fact, that's not the case," Melnik noted. "It's much easier than people think to find out who someone is."

And there are some rogue employees. "Sometimes, the person knows it's wrong, and they're doing it anyway," Melnik noted.


Good intentions can spell trouble

Even well-intentioned providers may inadvertently violate HIPAA and HITECH. For instance, if a care coordinator who is friends with a patient on Facebook notices that her patient lost some weight and congratulates her by commenting, "I hope your diabetes has improved" without the patient mentioning her condition first, that could be a breach.

"That kind of thing, it's very easy to make because you think you're being friendly, and there's no malice intended … but it's still a breach," Melnik said. She added that a best practice is for providers to avoid "friending" patients, although she acknowledged that's harder to do in smaller communities.

One of the most common social media fumbles is patients posting about other patients. Although that is not a breach of HIPAA or HITECH (because patients aren't considered "covered entities"), the hospital still has a responsibility under state law to protect patients.

For instance, if a patient wants to compliment his nurse by posting a photo, the picture could have the name of another patient's medication in the background. Remind patients that photography must go through the public relations department. Also consider posting no-cellphone notices in the hospital.