  • Matthew Fischer

Is it Possible to Commit a HIPAA Violation When Using Social Media?


Businesses should be aware of the intersection of social media and the Health Insurance Portability and Accountability Act (“HIPAA”). Problems can arise with even innocent responses containing a patient’s protected health information (“PHI”) on social media.


To better highlight this issue, let’s review a recent enforcement action by the Department of Health and Human Services Office for Civil Rights (OCR), the government body tasked with enforcing HIPAA’s regulations. In October 2019, a dental practice was fined by OCR for impermissibly disclosing PHI in response to Yelp reviews. Specifically, the dental practice posted patients’ names, health conditions, and treatment plans without authorization. As a result, OCR imposed a fine and required the practice to implement policies to ensure unauthorized disclosures do not occur in the future.


Covered entities (i.e., an entity or person that submits HIPAA transactions electronically) and their business associates (i.e., an entity or person, other than an employee, that transmits PHI for a covered entity) need to be aware of the restrictions set out in HIPAA. To recap, HIPAA addresses the use and disclosure of confidential information pertaining to patients. Unless an exception is met, businesses are required to obtain authorization from a patient before the business can use or disclose a patient’s PHI. Thus, it is of the utmost importance for a business to be familiar with the rules and take all necessary steps toward compliance.


Here are a few guidelines to help:


- Develop a comprehensive social media policy and communicate to employees the potential penalties for HIPAA violations;


- Provide training to all staff regarding acceptable social media usage as part of your regular HIPAA training including examples of what is appropriate and what is not; and


- Conduct refresher training and update your policies annually.
