HIPAA Compliance with Social Media for Vocational Rehabilitation Agencies

Photo of plastic hipo model with "I am HIPAA" painted on side

Health and service organizations must be observant of Health Insurance Portability and Accountability Act (HIPAA) regulations. HIPAA was adopted in 1996 and is designed to protect personal information. HIPAA standards are taken seriously; companies have entire departments and expensive document systems designed to meet HIPAA guidelines. HIPAA compliance courses are taught in nursing and medical administration programs. However, the advent and use of social media has led to conflicts between organizations and HIPAA guidelines. Your vocational rehabilitation agency must follow all necessary regulations and social media guidelines to avoid violation penalties.

What is the Law?

HIPAA ensures a client’s information, such as medical history and conditions, or payments for medical procedures, is protected and secure.  Vocational rehabilitation facilities have to keep detailed records in a secure place according to HIPAA compliance rules. They must follow strict guidelines when transferring information from one party to another. Vocational rehabilitation companies should encrypt client information so it is not vulnerable to hackers or ransom ware.

HIPAA allows a small group of entities (insurance companies and some government agencies) to receive secure transmissions of protected health care information. The law also establishes rules for anonymous health care information and details how someone can waive their HIPAA rights. HIPAA laws apply differently to minors; parents can access their children’s health records for various reasons.

Violations

HIPAA violations are serious; agencies can be penalized for infractions. Penalties are assessed per record and data breaches and other lapses in privacy can cause the release of thousands of records.  HIPAA fines are capped at $1.5 million per year, but a vocational rehabilitation agency may face additional legal liabilities for infractions. Employees responsible for HIPAA violations may suffer civil and criminal penalties as well.

Controlling Social Media Sharing

Considering the seriousness of HIPAA violations, employees should be encouraged to eliminate job-related posts on social media. It is common to complain about or discuss interesting things that happen at work.  But, when done on social media, there is ample opportunity to break HIPAA rules. Employers must clearly communicate the importance of avoiding all unnecessary or frivolous discussions of consumers and their personal information. Even if an employee does not share a client’s name or condition, a social media post may contain enough information to identify an individual, which would be a HIPAA violation.

No Guarantee of Privacy

Another important rule is to remember is private information can easily become public information. Facebook, Instagram, and similar sites allow for private posts.  However, these safeguards are relatively weak. Social media websites are designed to allow people to share information easily.  Most people do not consider their security settings every time they post something and “friends” can always take and share screen shots of your posts.

As a result, assume any post is a public post. A person should never post anything on social media, either privately or publicly, that they would not tell their boss to their face. This simple suggestion can lead to employees thinking twice before posting text or a picture that may lead to a severe HIPAA violation.

Fair Waivers

There are a few occasions when social media use and access to private information can be relaxed. As mentioned previously, people with sensitive medical information can opt out of their HIPAA protections. An individual may offer a vocational rehabilitation agency testimonial on the agency’s Facebook page. They may want to share a video of their progress on Instagram or offer a health update in a Facebook group.

In this case, HIPAA provides several clear guidelines. The relaxation of privacy expectations must be communicated and the individual must show they understand the nature of the disclosure. In addition, the material can only be used in a narrow way that the person agrees to. For instance, someone may allow his or her testimonial to be shared in one situation and not in other instances. Violations of these terms, or failure to communicate the risks associated with private medical information disclosure, could result in severe fines and penalties for the organization involved.

A Coherent Policy

An encompassing social media policy that spells out what individuals can and cannot share needs to be created and shared with employees. The policy needs to follow HIPAA laws and regulations. A person with experience in social media and HIPAA regulations should be in charge of devising and maintaining the policy.

In addition, the policy needs to address expectations while accommodating the ways people use different social networks. Guidelines for LinkedIn usage will be different from Facebook or Instagram guidelines. For example, concerns about gossip and illegally taken photographs would not necessarily be a concern LinkedIn users, since LinkedIn is mainly used to network and find employment opportunities.

Conclusion

Vocational Rehabilitation agencies face the same challenges regarding HIPAA and social media that other organizations do. One rogue employee on Facebook or a well-meaning employee taking photographs of consumers without securing a signed release can ruin even the best policies. Agencies need to take the lead and formulate strong, flexible social media policies that will show employees what they can and cannot do on their favorite networks.

Want to know more about how to create a social media policy for your VR agency? Check out 6 Essential Elements of Social Media Policy, an infographic created with information gathered by RTC:Rural researchers after they studied the social media policies of 22 VR agencies.

 

Photo credit: sylvar on Visualhunt.com /  CC BY-NC

 

Footer