How to Avoid Data Breaches, HIPAA Violations When Posting Patients’ Protected Health Information Online

Facebook, Twitter, Instagram, Snapchat, YouTube, blogs, webpages, Google+, LinkedIn. What do all of these social media outlets have in common? Each can get physicians in trouble under the Health Insurance Portability and Accountability Act (HIPAA), state privacy laws, and state medical laws, to name a few. It seems that all too often, news outlets are reporting data breaches generated in the medical community, many of which arise out of physicians’ use of social media, and most of which could have been avoided.

Physicians should be aware of the intersection of social media—both for personal and professional use—and HIPAA and state laws. Even an inadvertent, seemingly innocuous disclosure of a patient’s protected health information (PHI) through social media can be problematic.

PHI is defined under HIPAA, in part, as health information that (i) is created or received by a physician, (ii) relates to the health or condition of an individual, (iii) identifies the individual (or with respect to which there is a reasonable basis to believe the information can be used to identify the individual), and (iv) is transmitted by or maintained in electronic media, or transmitted or maintained in another form or medium. Under HIPAA, a physician may use and disclose PHI for “treatment, payment, or healthcare operations.” Generally, using or disclosing PHI through social media does not qualify as treatment, payment, or healthcare operations. If a physician were to use or disclose a patient’s PHI without permission, this would be a violation of HIPAA—and likely state law as well.

In order to use or disclose a patient’s PHI without obtaining the patient’s consent, a physician must de-identify the information so that the information does not identify the patient and there is no reasonable basis to believe that the information can be used to identify the patient. One option under HIPAA is to retain an expert to determine “that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is the subject of the information.” Alternatively, and more commonly, a physician seeking to use or disclose patient PHI can remove the following identifiers from the PHI:

  1. Names;
  2. Geographic information;
  3. Dates (e.g. birth date, admission date, discharge date, date of death);
  4. Telephone numbers;
  5. Fax numbers;
  6. E-mail addresses;
  7. Social Security numbers;
  8. Medical record numbers;
  9. Health plan beneficiary numbers;
  10. Account numbers;
  11. Certificate/license numbers;
  12. Vehicle identifiers and serial numbers, including license plate numbers;
  13. Device identifiers and serial numbers;
  14. URLs;
  15. IP address numbers;
  16. Biometric identifiers (e.g. finger and voice prints);
  17. Full-face photographic images and any comparable images; and
  18. Other unique identifying numbers, characteristics, or codes.

Identifier #18 is the most difficult to comply with in light of the significant amount of personal information available on the Internet, particularly through search engines like Google. Inputting even a small amount of information into a search engine will generate relevant “hits” that make it increasingly difficult to comply with the de-identification standards under HIPAA. Even if the first 17 identifiers are carefully removed, the broadness of #18 can turn a seemingly harmless post on social media into a patient privacy violation.
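As an added illustration (not part of the original article), the script below screens a draft post for the Safe Harbor identifiers that have a recognisable textual shape and shows why a clean scan is not enough; the sample post, the names in it and the function names are all constructed for this example.

```python
import re

# Constructed draft post (not from the article) seeded with several Safe Harbor identifiers.
SAMPLE_POST = (
    "Saw John Smith today, admitted 03/14/2014 after a seizure. Reach him at "
    "john.smith@example.com or 513-555-0123; MRN 00483921, SSN 123-45-6789, "
    "chart at https://portal.example.org/pt/483921, viewed from 10.0.0.5."
)

# Detectors for the Safe Harbor identifiers that have a recognisable textual shape.
# Names (#1), geography (#2), biometrics (#16), photographs (#17) and the catch-all
# "other unique identifying numbers, characteristics, or codes" (#18) have no reliable
# pattern, so an empty result is a screen for a human reviewer, not a de-identification.
PATTERNS = [
    (3, "DATE", re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b|\b\d{4}-\d{2}-\d{2}\b")),
    (4, "PHONE", re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")),  # same shape as #5 fax
    (6, "EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    (7, "SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    (8, "MRN", re.compile(r"\bMRN\s*#?\s*\d{5,}\b", re.IGNORECASE)),
    (14, "URL", re.compile(r"\bhttps?://[^\s,;]+")),
    (15, "IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]


def scan_for_identifiers(text):
    """Return {Safe Harbor item number: [matched strings]} for every detector that fires."""
    hits = {}
    for item, _label, pattern in PATTERNS:
        found = pattern.findall(text)
        if found:
            hits[item] = found
    return hits


def redact(text):
    """Replace each detected identifier with a bracketed placeholder such as [EMAIL]."""
    for _item, label, pattern in PATTERNS:
        text = pattern.sub(f"[{label}]", text)
    return text


def review_before_posting(text):
    """List the Safe Harbor items found and return the machine-redacted draft.
    The patient's name survives redaction: #1, #2 and #16-#18 still need a human check."""
    hits = scan_for_identifiers(text)
    return {"safe_harbor_items_found": sorted(hits), "redacted_draft": redact(text)}


if __name__ == "__main__":
    result = review_before_posting(SAMPLE_POST)
    print("Safe Harbor items found:", result["safe_harbor_items_found"])
    print(result["redacted_draft"])
```

The redacted draft still contains "John Smith", which is the point: pattern matching removes the numbered identifiers with a fixed format, while names, locations and the open-ended #18 category require a reviewer who asks whether a search engine could link the remaining details to the patient.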


  1. says

    Breaches of Protected Health Information (PHI) will continue to happen until both Covered Entities and Business Associates get serious about putting in place the necessary controls for ensuring the safety and security of PHI. It means developing comprehensive HIPAA policies and procedures, undertaking annual security awareness training and risk assessments, and many other critical activities. Sure, budgets are tight and margins are thin in today’s competitive business landscape, but what business do you have if PHI is breached and seriously compromised? I think most companies truly want to do all they can in protecting PHI and becoming HIPAA compliant, but it just seems overwhelming at first because of the massive amount of policies, procedures, and processes that need to be in place. My advice: take a deep breath, find an experienced HIPAA consultant, get a hold of some quality HIPAA policy templates and begin the process. You’ll get there!

  2. Harriet L. says

    2015-01-07 I just received an email from a doctor I previously had treatment with. However, he sent the same email to about 300 other patients as a mass email, without using the blind-copy feature – so now MY email has been shared with about 300 strangers. And yes, I can see all of their email addresses too. I feel like this was a violation of my privacy and am pretty upset. How do I handle this?

  3. Marvin Barnes says

    Hi, I called the University of Cincinnati call center to have someone forward my information to my neurologist. Shortly after the call ended I began to receive very inappropriate text messages from a number, 513-545-0644, which I did not recognize. After the first text I answered back, “Do I know you?” I received two more text messages after that from this same unknown number saying they wish I would fall out and kill myself, as they know from viewing my medical records I have been diagnosed with seizures. After that statement I texted back, “I know who you are, from the UC call center, and I will contact your relations team to inform them of this abuse of privacy and confidential information.” After contacting the patient relations department I received a call later that day from the manager of the UC call center to apologize. So obviously I guessed right that it was an employee from the UC call center, and the text messages stopped after that. I would like to have someone look into this as this has caused emotional stress, as I am also diagnosed with depression.
