The Health Insurance Portability and Accountability Act (HIPAA) covers a lot of territory in terms of transferring and continuing health insurance policies when people experience job changes voluntarily or involuntarily. What it also accomplishes is establishing standards for electronic health care information and the confidentiality of protected health information. As social technologies are increasingly used in 2017 by sonography students and professionals, there is a higher risk of unintentional violation of HIPAA rules.
What is the HIPAA Privacy Rule?
The HIPAA law has adapted to technology. As technology enabled the creation and use of Electronic Health Records (EHRs), there was concern that lack of standards and security issues would jeopardize patient rights to privacy concerning their personal health information. Thus the HIPAA Privacy Rule was established as far back as 2002 and has been modified over the years, but its main purpose has never changed:
- Establish safeguards to protect personal health information
- Establish rules concerning what constitutes privacy
- Set conditions for the disclosure of information contained in electronic health records
- Establish required authorization for disclosure
- Define the rights concerning the examination and release of health information
The intent of the law is clear and makes sense. However, 12 years ago it was difficult to predict how many people would be using social media to discuss topics like what happened at work that day. For sonography students and practicing Diagnostic Medical Sonographers what happens at work is intricately involved with patient care and patient-related events.
What is a HIPAA Violation?
The HIPAA law is written as clearly as possible, but avoiding violations is proving to be more complicated than anticipated. For example, a sonographer’s co-worker may decide to look at a person’s medical records without authorization. In another example, a sonographer may share patient information with family or friends without proper authorization.
There may be no intent to violate the HIPAA law, but it can easily happen when healthcare professionals do not understand what constitutes a violation. A simple statement made by a sonographer concerning the results of a scan can easily violate the HIPAA rules and jeopardize patient safety. Now consider how easy it is to go online and discuss a day in clinical training or a day at work.
There is growing concern that students and professionals alike are violating HIPAA rules on social media and are not aware they are doing so. HIPAA breaches are not merely intentional violations of the law. A HIPAA breach includes:
- Intentional acquisition, access or use of health information that is protected by patient rights
- Inadvertent disclosure of protected health information by a person who is authorized to access the information
- Disclosure of information by an unauthorized person who gained access in some manner to information maintained by a business like a health insurance company
- Maintaining protected health information in a technology based system that is unsecured
How are Students Violating HIPAA on Social Media?
In many ways, social media is a landmine of potential HIPAA Privacy Rule violations. People write what seem like innocuous statements about patients, believing they are protecting patient privacy, and then discover others can read between the lines and identify the patient.
For example, a sonographer may write on a social media page, “Had an emergency patient in the imaging department at midnight last night who went into labor and experienced trauma. During delayed labor an anomaly scan confirmed previous images were correct in that the Center City patient was delivering a baby with deformities.” Family and friends who live in Center City who are familiar with the situation will do some mental sleuthing and determine the patient is someone they know. The HIPAA rule was just violated.
Social media accounts like Facebook, LinkedIn and Twitter, and any others, present inadvertent opportunities for violating HIPAA rules. Those who frequently post are more likely to violate the standards. Discussing the day’s events or unusual situations or sharing images are acts that potentially violating patient privacy right. Though no names are disclosed, there is often enough information included to make it possible for the person to be identified by others.
Following are some guidelines:
- Only talk about medical situations and conditions in general and do not describe daily activities involving patients
- Write professional posts and be careful about replies to followers or people who submit questions
- Do not talk about specific patients and do not write details even when the name of the patient is held back, i.e. do not mention ethnicity, age, gender, personal characteristics and so on
- Do not talk about the specifics of events like location, medical facility, names of fellow students or professionals, etc.
- Do not use social media to complain about clinical conditions or work environments
It is surprising how easily people can put two-plus-two together and figure out the identity of a patient being discussed online. It is easy to violate the HIPAA Privacy Rule, so common sense should rule.
Tempering Excitement with Caution
Sonography students want to share their experiences in the healthcare industry because they are excited about working with patients and getting close to starting a new career. Smart employers are developing policies that address HIPAA and social media. However, it is important that sonography students and professionals understand the rules because once they are violated, a patient may have already lost anonymity.