• E-mail
• Print
• RSS

HIPAA Q&A: HIPAA violations on social networking sites

HIPAA Weekly Advisor, June 21, 2010

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

Q. I am beginning to hear about HIPAA violations occurring on popular Internet sites (e.g., Facebook and MySpace). Do you have any guidelines or recommendations regarding the sharing of patient information and/or PHI in the healthcare setting? Retaining control of employee use of social networks is becoming increasingly difficult because healthcare workers access them on personal time away from work.

A. This is a challenge for many healthcare organizations. Those that have addressed it generally prohibit their employees from including any information about patients on their social network pages, even if patients have given them permission to do so. Some organizations also prohibit healthcare workers from linking to a patient’s social network page.

Individuals are free to disclose any information they choose on their own social network pages, including their PHI. However, many healthcare organizations are sensitive about their employees linking to these pages because of the appearance of impropriety.

Editor’s note: Mary Brandt, president of Bellaire, TX-based Brandt & Associates, LLC, answered this question. This is not legal advice. Consult your attorney regarding legal matters. Brandt is president of Brandt & Associates, Inc., a healthcare consulting firm in Bellaire, TX. She is a nationally recognized expert on patient privacy, information security, and regulatory compliance, and her publications provided some of the basis for HIPAA’s privacy regulations. She is also the former director of policy and research for the American Health Information Management Association.

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

• E-mail to a Colleague
• Print
• RSS
• Archive