Friday, February 6, 2009

Not Getting Around HIPAA

More than once in the past few days, I have been asked how we "get around" HIPAA requirements on Facebook.

ex. dchstx @JennTex are you familiar with any HIPAA issues and social media, specifically use of images of friends/fans as profile pics?

The answer is we don’t.

The Health Insurance Portability and Accountability Act requires that we do not identify patients or their PHI without their express permission.

So we do not:

  • Post images of people identified as patients on our Facebook page without a signed consent form. As you may notice, we do not have very many pictures out there.
  • Allow wall posts from people who identify themselves as patients and then begin sharing their PHI with the audience.
  • Allow patients to post images or videos to our pages.

But the question has also been asked about the issue of fan photos on the page. I think it is wrong to assume that all of our fans are patients. Our fans consist of media, caregivers, employees, potential employees, and, yes, patients. Unless you choose to click through every one of those fan profiles, you most likely could not easily identify which are patients. Facebook also allows people to hide their profile information from the public if they choose, so you have to be a friend of that person to see any personal information about them.

PHI would only be compromised if they...
  • Are a fan
  • Are a patient, and identify themselves as such
  • Are sharing PHI on their personal page
  • Have not locked their page from the public

Facebook does offer these security features, but you must choose to use them.

I often try to draw comparisons to real-life communications efforts when trying to understand and apply guidelines to our social media use. I equate this to a patient standing on our steps yelling their diagnosis and treatment plan out to the passing public. Short of kicking them off of our steps, how could we protect them further? In that case we would have done our due diligence.

Recently I saw a video on YouTube that a caregiver shot in our hospital; it was clearly our hospital. He was going to visit a family member, and we saw his parking spot, his elevator ride, the room number he was visiting... Then he tagged the video with our name. That was really too much information. But my point is, if they want to share their information they will do it, whether we exist on Facebook or not.
