Podcast #92 – HIPAA Compliance and Patient Privacy on Social Media


It is so tempting to share stories of the things we see, especially in emergency medicine.  Maybe we just want to tell the world about something strange, or maybe our motives are more innocent and we want feedback or an answer to a question.  However, patient confidentiality is a major issue, and in the United States specifically we run into the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Anyone practicing medicine in the United States is familiar with HIPAA.  We are made aware of it early in our careers and told to fear the consequences, and for good reason.  We want to protect patient privacy, and the act and the HHS regulations that implement it (most relevantly the Privacy Rule) provide those protections through a series of rules.  Unfortunately, it is relatively easy to violate HIPAA if we do not follow some basic principles, which is what we will talk about now.
People violate HIPAA when they disclose Protected Health Information (PHI) without authorization.  PHI is individually identifiable health information, including demographic data, medical histories, test results, insurance information, and anything else that identifies the patient (or could reasonably be used to) and relates to their health condition, the care they received, or payment for that care, whether past, present, or future.  The Privacy Rule's Safe Harbor de-identification standard lists 18 identifiers that can be used to identify, contact, or locate a person; information only counts as de-identified once all of them have been removed and there is no actual knowledge that what remains could still identify the individual:

  1. Names (Full or last name and initial)
  2. All geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code), except for the initial three digits of a ZIP code if, according to the current publicly available data from the U.S. Bureau of the Census, the geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; the initial three digits for all such units containing 20,000 or fewer people are changed to 000
  3. All elements of dates (other than year) directly related to an individual, including birth, admission, discharge, and death dates, plus all ages over 89 and any date elements indicating such an age (these may be aggregated into a single category of age 90 or older)
  4. Phone Numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health insurance beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers (including serial numbers and license plate numbers)
  13. Device identifiers and serial numbers
  14. Web Uniform Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger, retinal and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data

When you think about it, that is a lot of potential information.  However, many of these are not things we would share on social media anyway.  Usually the issue comes up with names, locations, or images.  Most of the time, social media images are uploaded without written consent from the patient.  How, then, do you go about sharing information without violating HIPAA or other related patient privacy rules?
The easiest way would be to simply say “don’t do it” and call it a day.  However, at times it does come up, and usually it is in the realm of education.  Short of obtaining written consent, other measures include assuming that nothing posted online is truly private (especially on social media) and avoiding any details about the patient or the situation that are not essential to the point being made.  Remember too that state law and your institution's policy can be stricter than HIPAA.
One way to think of this is to avoid dates, times, and locations of an event.  Do not post about something that happened “last night” or even any other recent event; a relative reference pins down the date just as well as writing it out, because the post itself is timestamped.  Under HIPAA's Safe Harbor standard, the year is the only element of a date that may remain, and that applies to admission and discharge dates as much as to birth dates.  In many cases a year is not even necessary, so just leave it out entirely.  We also do not need names for the cases.
Ages and genders can also get someone in trouble.  It is a common practice to change the age and gender of patients.  In the elderly this is especially important: Safe Harbor treats any age over 89 as an identifier in its own right, which can only be kept by aggregating it into “90 or older,” and the reasoning is the common-sense one, since few people in a given area live to that age.  Also avoid listing specific health conditions that are not necessary to the teaching point, and change the details that are not essential to the situation.
With enough changes in detail, you can avoid sharing PHI that would violate HIPAA.  Sometimes it is easier to create your own patient based on several previous cases, or one you simply imagine.  This is what we commonly do, as we try our very best to avoid ever sharing a specific case.  Where images are involved, do not share anything that can identify the patient.  Even diagnostic imaging carries identifying details: the patient's name, medical record number, and study date are often burned into the image itself or carried in the file's metadata, and unusual anatomy or hardware can be recognizable on its own, so it is a must to know your facility's policy.  Treat an image like someone's name and avoid using images at all, or at least use only ones that have gone through proper channels.  By doing so, you stay clear of violating HIPAA.
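The Safe Harbor rules described above (the 18 identifier classes, the three-digit ZIP exception, year-only dates, and the age cut-off) are concrete enough to lint a draft post against before it goes out.  The following Python is an added example, not part of the podcast notes or of any tool the show uses: it flags and redacts the identifier classes that most often slip into a case write-up.  The regular expressions, the class labels, and the sample post (a fictional patient) are constructed for illustration; the restricted ZIP prefixes are the 17 that HHS's Safe Harbor guidance derived from 2000 Census data and must be re-checked against current data.  It is a heuristic check for free text: names, descriptions of an unusual presentation, and photographs still need a human reviewer.

```python
from __future__ import annotations

import re

# Three-digit ZIP prefixes that HHS's Safe Harbor guidance lists as covering
# 20,000 or fewer people (2000 Census data); these must be changed to 000.
# The rule refers to "current" Census data, so re-check this set before relying on it.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

# Month names as whole words (abbreviated or full), optionally followed by a period.
MONTH = (r"(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|June?|July?"
         r"|Aug(?:ust)?|Sep(?:t(?:ember)?)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\.?")

# Constructed heuristics for identifier classes that show up in case write-ups.
# Names, narrative detail and images are out of scope: they need a person (or an
# NER model), not a regex.  Expect some noise ("may 20 mg", "1/2 NS") on real text.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?<!\w)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.I),
    "mrn": re.compile(r"\bMRN\W*\d+\b", re.I),
    # Only a labelled ZIP is recognised; group 1 is the prefix, group 2 the remaining digits.
    "zip": re.compile(r"\bzip(?:\s*code)?\W*(\d{3})(\d{2})?\b", re.I),
    # Any element of a date finer than the year: 10/14, 10/14/2019, Oct 21, Oct 2019.
    "date": re.compile(
        rf"\b(?:\d{{1,2}}/\d{{1,2}}(?:/\d{{2,4}})?|{MONTH} \d{{1,4}}(?:, \d{{4}})?)\b", re.I),
    # Relative references pin the date just as precisely once the post is timestamped.
    "relative_date": re.compile(
        r"\b(?:last night|yesterday|this morning|tonight|today|last (?:week|weekend))\b", re.I),
    # Group 1 is the age; only ages over 89 are Safe Harbor identifiers.
    "age": re.compile(r"\b(\d{1,3})\s*-?\s*(?:years?\s*-?\s*old|y/o|yo)\b", re.I),
}


def safe_harbor_zip3(zip_code: str) -> str:
    """Reduce a ZIP code to what Safe Harbor permits: its first three digits,
    or 000 when that prefix is on the restricted list."""
    prefix = zip_code.strip()[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def _is_violation(name: str, m: re.Match[str]) -> bool:
    """Apply the two rules whose outcome depends on the matched value."""
    if name == "age":
        return int(m.group(1)) > 89        # may only be kept as "90 or older"
    if name == "zip":
        # A full five-digit ZIP is always too fine; a prefix is allowed unless restricted.
        return m.group(2) is not None or m.group(1) in RESTRICTED_ZIP3
    return True


def find_identifiers(text: str) -> list[tuple[str, str]]:
    """Return (identifier_class, matched_text) for every Safe Harbor hit in text."""
    return [
        (name, m.group(0))
        for name, pat in PATTERNS.items()
        for m in pat.finditer(text)
        if _is_violation(name, m)
    ]


def redact(text: str) -> str:
    """Replace every hit with a bracketed class label, leaving permitted values alone."""
    for name, pat in PATTERNS.items():
        text = pat.sub(
            lambda m, n=name: f"[{n.upper()}]" if _is_violation(n, m) else m.group(0),
            text,
        )
    return text


# Constructed draft of the kind of post the notes warn about (fictional patient).
SAMPLE_POST = (
    "Last night a 94-year-old man from zip 03601 came in after a fall on 10/14/2019. "
    "MRN 4471923, callback 555-867-5309, dx on chart. Follow-up noted for Oct 21."
)

if __name__ == "__main__":
    for cls, hit in find_identifiers(SAMPLE_POST):
        print(f"{cls:14s} {hit}")
    print(redact(SAMPLE_POST))
    print(safe_harbor_zip3("03601"), safe_harbor_zip3("90210"))
```

Run on the sample, the checker flags the relative date, the age over 89, the labelled ZIP (both because it is five digits and because 036 is a restricted prefix), both dates, the MRN and the phone number, and the redacted sentence keeps only the clinical content.  A 72-year-old seen "in 2019" with "zip 902" passes, because none of those values is finer than Safe Harbor allows.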

You can also let us know what you think by giving us feedback here in the comments section or contacting us on Twitter or Facebook.  Remember to look us up on Libsyn and on iTunes.  If you have any questions you can also comment below, email at thetotalem@gmail.com, or send a message from the page.  We hope to talk to everyone again soon.  Until then, continue to provide total care everywhere.

File Size: 11598 kb
File Type: mp3
