As a doctor of chiropractic, you should be acutely aware of the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
This federal law is designed to protect potentially sensitive data related to patient health, i.e., protected health information (PHI). It established a number of nationwide standards to accomplish just that.
While some applications of this guidance are straightforward and easy to abide by, other areas are mildly confusing, such as HIPAA and social media. Maintaining the necessary access to patient information while also implementing protections for their privacy is an important balance to strike, and failure to remain in compliance can warrant consequences.
While DCs are familiar with most aspects of HIPAA, social media has created a wrinkle of uncertainty. Social media did not exist when HIPAA was enacted; therefore, it is not explicitly mentioned in the official language of the law, although they do have an updated journal that provides evolving guidelines. This article discusses some important HIPAA and social media guidelines DCs should be aware of.
HIPAA rules for social media
When it comes to your patients’ privacy, it is better to be overprotective than lax. This is a general mindset that makes for a safe guiding principle for your chiropractic practice. When in doubt, take the conservative route and opt to keep your patients’ PHI under wraps.
However, if you are searching for a more in-depth explanation of the relationship between HIPAA and social media, you have come to the right place.
Patient authorization and social media
Within the Privacy Rules, there are fundamental stipulations placed on gaining patient authorization to share PHI. These principles include five specific prerequisites to authorization:
- A meaningful description of the information that will be disclosed or used.
- A description of the purpose of the disclosure or use.
- A clear explanation that the information in question may be disclosed further.
- The right of the individual to revoke the authorization they have granted.
- A predetermined expiration date for the authorization.
In addition to these Privacy Rules on authorization, it is essential to make it abundantly clear that you plan to share someone’s PHI on social media and that it could be disseminated further, including through republishing and screenshots.
The complications of HIPAA and social media
Obtaining authorization from a patient before using or disclosing their PHI is vital, but even if you go through the process and have them sign the required documentation, you could still run into trouble due to the nature of social media.
The last two stipulations of the Privacy Rules regarding authorization create a loophole that is impossible to circumvent. Once you post something on social media, you relinquish control of it. You have no ability to limit who sees it and how they save, copy or utilize it. You also cannot take it back once it has been released.
In other words, social media makes it impossible to comply with the final two rules mentioned above. You cannot honor the individual’s right to revoke authorization, nor can you truly allow the authorization to expire. This technicality could spell trouble.
How to approach HIPAA and social media
Because of the ambiguity regarding HIPAA and social media and the inability to follow Privacy Rule stipulations to perfection, posting patient information on social media is a HIPAA violation waiting to happen, even if you get authorization first.
As such, it is best to avoid posting any PHI or potentially identifying information on social media. As a DC, you should take the time to explain this policy to your office and your team. Notifying them of the risks and guiding principles your chiropractic office will adhere to will hopefully prevent any instances of HIPAA violation, including accidental cases.
For more chiropractic insights and the latest news on HIPAA and social media, be sure to subscribe to Chiropractic Economics magazine.