HIPAA Regulations on Social Media

The full text of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) doesn’t include the words “social media” for the simple reason that social media wasn’t really a thing yet at the time. 10 years before Facebook, social media was in its infancy, on blogs, online bulletin boards, and forums.

Nonetheless, HIPAA contains rules and regulations which now apply to social media.

We’ve written before about HIPAA and social media, but we can distill the regulations — as opposed to best practices and suggestions — right here.

The privacy rule

The Privacy Rule says that people’s “protected health information” must be guarded by “covered entities.” If you are covered by HIPAA, therefore, you can’t share patient information without written consent, except for purposes that have been approved and listed by HIPAA.

That totally doesn’t include exciting deets on a celebrity patient showing up in your Twitter stream.

Protected health information includes data about an individual’s health, their medical care, and their payments for their medical care. It includes this information in every situation in which an individual could be identified. Certainly, using a patient’s name, address, birth date, or Social Security Number counts as identifying that patient, but it could also include other identifiers. In fact, it includes any information “that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.”

When you read “reasonable basis,” remember that these words have been used in lawsuits. “Reasonable” can be pretty flexible in a courtroom.

Authorized use

There are many situations in which use of personally identifiable health information may be authorized. None of them are relevant to social media.

De-identified health information

It is completely appropriate to write about diseases, experiments, local public health concerns, health and wellness advice, medical news, and staff accomplishments.

Notice that these topics don’t require any protected health information.

These are the regulations within HIPAA that apply to social media.
