Chief Compliance and Ethics Officer Health Care

Posts to your Social Media site

  • 1.  Posts to your Social Media site

    Posted 9 days ago
    Posts to your Social Media site

    As a covered entity we all know there are dangers to having a social media site like Facebook or Instagram. One of the problems, specifically with Facebook, is that you own your Facebook page and are legally responsible for all of its content, even posts by others.

    So if that is true, then when someone posts their own PHI on your Facebook page, are you obligated to either get an Authorization for Release of PHI from that person or edit out the PHI prior to allowing the comment to be published?

    Facebook, and I would imagine the other social media sites, have security settings that allow the page owner to control comments by others. For example you can set it so that all visitor comments have to be moderated prior to publishing. Or you can just turn off visitor commenting. You can even set it so that your page can't be tagged or mentioned directly by others.

    It doesn't feel right that just because a visitor mentions PHI, that suddenly you have implicit permission from them to confirm or carry on the discussion, sharing it with everyone on the planet. And since the page is under your control, maybe you shouldn't even allow the comment with PHI to be published at all, at least not without an explicit signed HIPAA authorization.

    Any thoughts or comments (non PHI of course)?

    ------------------------------
    Carl Russell
    Compliance Analyst
    Delta Dental of Idaho
    Boise,ID

    Anything I say is my sole opinion and not of my company.
    ------------------------------
    2019 HCCA Compliance Institute


  • 2.  RE: Posts to your Social Media site

    Posted 9 days ago

    Carl,

     

    I read 45 CFR 164.510 the same way. A detailed authorization specific to the PHI disclosure would be needed in each unique instance. On the one hand, the patient is self-disclosing so the Privacy Rule no longer applies. However, the FaceBook contract stating "You own the content you create and share on Facebook..." and "These guidelines apply if you create or administer a Facebook Page, group, or event, or if you use Facebook to communicate or administer a promotion," introduces this privacy risk on the part of the covered entity even as it's the patient doing the posting (but you own the shared content on your page.) I'm not a lawyer, this is just my opinion.

     

    That aside, I'm struggling to see the value in having a FB page where patients can post anyway.

     




    2019 HCCA Compliance Institute