ICYMI: HIPAA and Social Media IRL
Social media’s interplay with healthcare privacy presents a constantly evolving challenge. ICYMI (“in case you missed it”), there is an uptick in enforcement and scrutiny IRL (“in real life”) related to communications through social media and other public platforms by entities subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
Just as consumers can post or search reviews for anything from vacuum cleaners to egg rolls, they can also vet healthcare on social media sites. Given the personal nature of healthcare, patients often share their appreciation or displeasure with providers. Regulated entities, however, are at a disadvantage in responding to communications on social media sites due to HIPAA and state data privacy laws.
For example, a patient may undergo a procedure with a particular provider and decide to share his/her experience or rating. While reviews are often glowing and readily welcomed by providers, when they are critical or even disparaging, providers may wish to directly respond to clear the air and set the record straight. TBH (“to be honest”), providers must proceed with caution to avoid a data breach or a public undermining of their own commitment to patient rights.
HIPAA prohibits covered entities and their business associates from disclosing protected health information (“PHI”) in many circumstances, and the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently confirmed that it interprets PHI broadly to include identifiable health information provided through a HIPAA-regulated entity’s website or mobile app, “even if the individual does not have an existing relationship with [the] entity and even if . . . [such information includes an] IP address or geographic location, [but] does not include specific treatment or billing information.”
OCR has also emphasized that it is monitoring the online activities of regulated entities and will intervene where appropriate. Specifically, in December 2022, OCR announced a settlement with a practice over the alleged inappropriate disclosure of PHI in responses to online reviews. OCR initiated an investigation after receiving a complaint that the practice inappropriately disclosed PHI, including patient names, treatment, and insurance information, while responding to patient reviews on a public platform. OCR also determined that the practice failed to incorporate the appropriate components within its Notice of Privacy Practices and failed to implement sufficient policies and procedures governing use and disclosure of PHI. In addition to a number of corrective actions, the practice agreed to provide breach notices to all affected individuals.
In assessing whether to respond to a post, HIPAA-regulated entities should consider, among other factors, whether they are disclosing more than the minimum amount of PHI necessary, whether the information identifies a patient, and whether the information is particularly sensitive or was already disclosed by the patient in his/her post. Unfortunately, OCR has not yet adopted a clear, bright-line standard for what types of interactions are permissible, and as a result, any interaction carries risk.
As OCR is taking a serious look at HIPAA and its application to social media platforms, it is more important than ever that HIPAA-regulated entities assess their compliance obligations. Even where a regulated entity feels that a response is warranted, HIPAA may not allow that disclosure – in that event, a regulated entity should consult with its Privacy Officer or counsel to consider alternative means of communication that better align with HIPAA’s requirements. If you have any questions about HIPAA or its impact on you or your business’s online activities, please contact a member of the Sheppard Mullin Healthcare Team.
Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates, HHS (Dec. 1, 2022), HHS.gov.
HHS Civil Rights Office Enters Settlement with Dental Practice Over Disclosures of Patients’ Protected Health Information, HHS (Dec. 14, 2022), HHS.gov.
New Vision Dental Resolution Agreement and Corrective Action Plan, HHS (Dec. 14, 2022), HHS.gov.