Most of the advice we read about HIPAA compliance and Facebook misses the central issue. The central issue is that health care providers who allow posts, reviews and recommendations by patients who have not provided a written HIPAA Authorization in advance are violating the Privacy Rule.
This hard reality is different from the advice covered entities usually receive from marketing consultants who encourage using social media to grow their medical practice. Positive consumer reviews, whether for clothing, dentists or surgical services drive new business. Patient reviews are powerful.
But medical identity theft is a crisis today, and HIPAA law is intended to guard against this theft. Covered entities are responsible for protecting patient information, and failure to do so can be costly – for the patient if their insurance coverage is stolen, and for the provider, if they’re investigated for noncompliance.
The obvious advice we’ve seen includes not allowing staff to post pictures or comments about patients, but the less obvious is that patients should not be allowed to disclose their own information unless they have expressly authorized this disclosure, in writing, in advance.
Facebook Page Owners Have a Contract with Facebook
A Facebook page is a website, and is governed by HIPAA rules for websites.
Understand the Terms of Service
As the owner of a Facebook page, you own all of the content and information you and others post, provide or share on your page, and you can control how it is shared through your privacy and application settings.
Legally, this makes the Facebook page like an independent website, even though its platform and features were created by Facebook, Inc. The Terms of Service (formerly called the Statement of Rights and Responsibilities) make clear when it comes to a page’s content, the owner is responsible for compliance with all laws and regulations, not Facebook.
The Terms of Service (including Commercial Terms for a business page), the Data Policy and the Community Standards, along with three other categories of policy types, all comprise the rights and responsibilities of the user and Facebook in its contract. Even though you didn’t negotiate it and may not have read it in full, you are bound by it once you sign up.
The Terms and Policies are modified periodically so it’s important to review them and stay up to date.
From the Commercial Terms (for a business) –
You represent and warrant that your access or use of Facebook Products for business or commercial purposes complies with all applicable laws, rules, and regulations.
And from the Community Standards –
Do not post:Content that shares or solicits any of the following private information, either on Facebook or through external links:
Personally identifiable information (PII) about yourself or others (and goes on to list an array of PII that should not be posted)
HIPAA requires covered entities to protect PHI and only one identifier, like a name or a photo, connected to the provision of healthcare, is PHI, even if no medical details are included. Review the HIPAA definition of Protected Health Information (PHI).
The Ninth Circuit Court of Appeals in 2018 agreed that Facebook’s Terms of Service are a legally binding contract in Winston Smith, et al v. Facebook, Inc., et al. The appeals court found that a lower court was correct when it dismissed a suit brought by Facebook users who claimed the company illegally scraped data about their visits to medical websites, because the users consented to the tracking by agreeing to Facebook’s privacy policy.
Patient Reviews and Testimonials
A common HIPAA myth is that if a patient voluntarily posts a review, recommendation or comment, they have consented to the public disclosure of their name and the healthcare provider has not violated HIPAA. This is not true.
There is no implied consent under HIPAA
Patients are protected by HIPAA law and are not liable for compliance. In contrast, health care providers are held to a high standard to safeguard protected health information (PHI) and are liable for compliance. A healthcare provider with a website – including a Facebook page – must protect patient privacy there.
On the other hand, an independent review site, like Yelp, is not under the provider’s control. If a patient who has not provided a written Authorization posts a review on Yelp, the provider is not responsible under HIPAA as long as the provider does not reply. If they reply, they have impermissibly disclosed protected health information by confirming the person is a patient.
HIPAA, Facebook and Your Own Website
Enforcement
A website or Facebook page is the first place regulators will look in an investigation. The websites are easy to find, and provides clues or red flags about an organization’s compliance.
In 2016 a physical therapy provider paid $25,000 to settle a HIPAA investigation because it had posted testimonials, including names and photographs, without a HIPAA Authorization. The Office for Civil Rights (OCR) Director at the time, Jocelyn Samuels, said:
“All covered entities, including physical therapy providers, must ensure that they have adequate policies and procedures to obtain an individual’s authorization for such purposes, including for posting on a website and/or social media pages, and a valid authorization form.”
Compliance
You may invite and use patient comments, recommendations and testimonials, provided you have a written HIPAA Authorization from the patient in advance.
Everything on your social media website page is your responsibility, whether you post it or someone else does. If a Facebook page is important for your organization, you should adjust your privacy settings. You can either disable comments (visitor posts) or permit your Facebook administrator to review them and obtain an Authorization before allowing them to be published on the page.
NOTE about “recommendations” on Facebook: unless patients have signed a valid HIPAA Authorization in advance, you need to turn off recommendations (formerly called reviews) because if you allow them you cannot review them in advance or remove them. Only Facebook can remove a recommendation if Facebook decides the recommendation violates its Community Standards.
If you want to include testimonials on your regular website, obtain the Authorization first.
HIPAA also requires that a covered entity must post its Notice of Privacy Practices in a prominent place on any website that provides information about “customer services or benefits”, and must make it available electronically through the website. This requirement applies to both the regular website and to the Facebook page.
Be careful to separate fact from myth in managing your internet presence and social media. If a marketer advertises that they offer a suite of “HIPAA compliant” advertising services, ask some hard questions or call The HIPAA E-Tool® for back up.