HIPAA Alert: Four Social Media Myths

Know the difference between myths and reality. These four mistaken beliefs about social media can lead to HIPAA violations.

MISTAKEN BELIEF #1:

It’s okay if I don’t use a name.
"It’s okay if I talk about a patient on Facebook or Twitter as long as I don’t use the patient’s name."
REALITY:  Under HIPAA, patient information is only safe to use when it is stripped of 18 identifiers. Any innocent comment about a patient may help others identify the subject of the post, particularly in small communities.

MISTAKEN BELIEF #2: It’s private.
"My communication is private. No one will see it except the intended recipient."
REALITY: One of the key features of social media is the ability to share information among friends and associates, and among their friends and their associates. When you post something — anything — on any social media site, you need to remember that it could end up anywhere. Even private posts are not private.

MISTAKEN BELIEF #3: She started it.
"My patient posted her protected health information on her own site, so I’m free to comment, like, share or re-tweet."
REALITY:  Be cautious. It’s okay for a patient to disclose his or her own personal health information, but if you share or retweet it on your personal accounts, you are giving it new life and may land in hot water. Play it safe, and don’t do it.

MISTAKEN BELIEF #4: I can delete my post.
"If I make a mistake and then delete my post/comment, no one else will see it."
REALITY:  Enormous server farms are constantly scouring the web, preserving every scrap of data. Even if you post something and delete it just a few minutes later, it’s still alive in the digital world and could come back to haunt you for a very, very long time.

Questions?

To learn more about the use of social media and HIPAA, contact HIPAA Privacy Officer Tracy Durbin at (402) 354-4901.