Social media networking sites like Facebook and Twitter have become an integral part of our daily lives. According to a study conducted by AdWeek, more than two in three Americans use social media. While there's nothing wrong with sharing personal stories and opinions, doctors, nurses and other workers whom are employed by “covered entities” must use caution in regards to the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
As you may already know, HIPAA was signed into law for the purpose of protecting the privacy of healthcare patients. Consisting of several Rules, it establishes guidelines that covered entities must follow in order to remain compliant with this law. Healthcare practices that violate HIPAA place themselves at risk for fines and/or other penalties handed down by the Office for Civil Rights (OCR).
Posting a photo of your healthcare practice on Facebook may seem harmless enough. After all, hundreds of other doctors and physicians do it on a regular basis, so it must be okay right? Well, it depends on the photo and what it contains. Generally speaking, covered entities and their respective third-party business associates are prohibited from disclosing a patient's personal information without the patient's consent. Such personal information may include, but is not limited to, the patient's name, address, phone number, Social Security number, medical ID number, and medical history.
So, is a photo considered to be “personal information” in the eyes of HIPAA? It depends on whether or not the photo depicts a patient. If it does, then yes, it is considered to be personal information; thus, the healthcare practice must have the patient's consent before posting it on social media. It's not uncommon for nurses to post photos of patients on social media, asking other users for donations or other forms of assistance. While their intentions are honest and admirable, actions such as this could be viewed as a HIPAA violation.
If a doctor or nurses wants to post a photo of a patient on social media, they must first obtain a HIPAA compliant authorization form from the patient. This form grants the covered entity permission to use the patient's personal information, which in this case would involve social media photos.
When in doubt, it's best to err on the side of caution by avoiding all patient-related photos on social media. Remember, it's difficult to erase content once it has been posted online. Even if you delete the photo, other users may have copied and saved it to their hard drive.