by Pamela D. Tyner

Social media have become de rigueur globally. Today, millions maintain connections with their friends, relatives and business acquaintances via Facebook, Twitter, LinkedIn, blogs and YouTube. Recent studies indicate that social media popularity even predicts polling popularity and the stock market. Translated to the healthcare arena, healthcare facilities and organizations are now trained to promote their business by communicating effectively via social media. In addition, patients, physicians and employees of healthcare facilities and organizations frequently communicate and discuss patient status via cell phones, Facebook, YouTube and other social media. However, many people do not realize that use of these media may compromise health information privacy unless certain protections are implemented to safeguard that information.

Invasion of Health Information Privacy

Under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and state privacy laws, certain protections of protected health information (commonly known as “PHI”) are mandated. The increased usage of social media to reference patient whereabouts, ailments and treatment plans continues to leave healthcare employers scrambling to implement new forms of encryption, other IT protection and disciplinary actions.

Examples of Social Media and IT Breaching Confidentiality of PHI

From the trenches, here are some recent examples of social media and IT affecting the privacy of PHI:

  • A day in the life of a patient is posted on YouTube without the consent of other patients and employees of a hospital system. The Hospital asked the individual to immediately remove the content from YouTube. In addition, the Hospital conducted a thorough investigation and notified the affected patients about the breach of their PHI.
  • A patient updates his/her status via Facebook and later discovers that the status update informs his/her Facebook friends that s/he is in the hospital. The patient complains to the Hospital's compliance department about a breach of his/her PHI. Afterwards, the Hospital investigates the incident and discovers that the patient, by updating the status, inadvertently notified Facebook of the individual’s whereabouts. The facility is in the process of revising its Patient Handbook to explain that updating an individual’s “location update” status while a patient can potentially identify the individual’s hospital stay.
  • Doctors, nurses and medical students reveal patient information on Facebook. Facilities are implementing social media training for medical staff, employees and allied health professionals about the potential breach of confidentiality and/or disciplinary actions that might result from their Facebook updates about patients.
  • A health care institution realizes that its computer encryption system has a loophole through the usage of USB ports.  The institution must scramble to protect its system information while waiting for the software company to fix the loophole.
  • Articles and blogs inform consumers how to mine PHI about others.

Government Action

The National Relations Board has become very active in addressing social media's impact on the workplace. In the future, it is anticipated that additional government agencies and the court system will jump on the bandwagon and scrutinize social media as it relates to the healthcare environment and patient confidentiality.

Office of Civil Rights Solicits Comments on Mobile Devices and Confidentiality

In early March 2012, the Office of Civil Rights and the ONC Office of the Chief Privacy Officer (OCPO) invited members of the public to provide input on how mobile devices are used, along with comments on current and emerging privacy and security best practices for protecting and securing health information while using mobile devices. Public commentary will help inform the OCR and OCPO in the future development of an effective and practical way to bring awareness and understanding to those in the clinical sector regarding protecting and securing health information while using mobile devices. Popular health information technology remains a hot topic for the OCR; a roundtable discussion on mobile devices and safeguarding health information is planned for mid-March.

Lessons Learned and How Healthcare Employers Should React

Healthcare facilities and organizations must act quickly to assess each usage of social media to gauge whether patient confidentiality may be vulnerable to compromise. Due to the rapid evolution of social media technology, healthcare facilities and organizations’ social media and employee disciplinary policies must be scrutinized frequently for uniformity within their corporate compliance program. In addition, these entities must analyze and implement clear guidelines outlining how their physicians and allied health professionals may be constructively redirected and/or advised on the proper usage of social media to facilitate efficient communication concerning patients without compromising PHI confidentiality.


