Health information is a becoming a bigger target for hackers, so I'm worried about keeping my organization HIPAA...
compliant. One of my concerns is social media use by the employees violating HIPAA, so I'm developing social media policy best practices for HIPAA compliance. How concerned should I be about this, and what should I include in the social media policy for healthcare?
Healthcare providers who are regulated as covered entities under HIPAA should absolutely be concerned about employee conduct on social media. It is entirely possible that an employee comment about a patient on social media could intentionally or inadvertently disclose protected health information in violation of the HIPAA privacy regulations.
HIPAA-regulated entities should have one clear and absolute rule in their social media policy best practice: employees and business associates with access to protected health information should never post anything about a patient on social media without that patient's permission. It's possible that even the fact that a patient is associated with a healthcare provider could constitute an unwanted and unlawful violation of patient privacy. An absolute rule prohibiting posting about patients helps eliminate ambiguity and protect the organization's interests.
In addition to that strict mandate, healthcare social media policy best practices should also think through other circumstances that might trigger an accidental HIPAA violation. For example, an employee posting a picture of a new clinic on social media should be sure that the photo does not include the images of any patients. All official social media posts should be screened by an individual who is very familiar with HIPAA regulations. It's a good idea to have a second set of eyes on any post to avoid mistakes.
Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)
Learn more about social media policies
Discover the top social media compliance issues in Fortune 100 firms
Find out the best practices for CISOs on social media
Dig Deeper on Social media security risks
Related Q&A from Mike Chapple
It's not possible to eradicate the risk of DoS attacks, but there are steps infosec pros can take to reduce their impact. Mike Chapple shares ... Continue Reading
The HHS OCR ruled that healthcare ransomware attacks are HIPAA violations, so these covered entities need to react according to the HHS's guidance. ... Continue Reading
HIPAA regulations incorporate NIST guidelines and standards, so do healthcare organizations need to be compliant with both? Expert Mike Chapple ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.