Monday, June 24, 2024

ICYMI: HIPAA and Social Media IRL


Social media’s interaction with healthcare privacy presents a constantly evolving challenge. ICYMI (“in case you missed it”), there’s an uptick in enforcement and scrutiny IRL (“in real life”) related to communications by social media and other public platforms by entities subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

Just as consumers can post or search reviews for anything from vacuum cleaners to egg rolls, they can also vet healthcare on social media sites. Given the personal nature of healthcare, patients often share their appreciation or displeasure with providers. From the regulated entity perspective, however, they’re at a disadvantage in responding to communications on social media sites due to HIPAA and state data privacy laws.

For example, a patient may undergo a procedure with a particular provider and decide to share his/her experience or rating. While reviews are often glowing and readily welcomed by providers, when they are critical or even disparaging, providers may wish to immediately respond to clear the air and set the record straight. TBH (“to be honest”), providers must proceed with caution to avoid a data breach or a public undermining of their own commitment to patient rights.

HIPAA prohibits covered entities and their business associates from disclosing PHI in many circumstances, and the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently confirmed that it interprets PHI broadly to include identifiable health information provided by a HIPAA-regulated entity’s website or mobile app, “even if the individual does not have an existing relationship with [the] entity and even if . . . [such information includes an] IP address or geographic location, [but] does not include specific treatment or billing information.”[1]

OCR has also emphasized that it is monitoring the online activities of regulated entities and will intervene where appropriate. Specifically, in December 2022, OCR announced a settlement with a practice over the alleged inappropriate disclosure of PHI in responses to online reviews.[2] OCR initiated an investigation after receiving a complaint that the practice inappropriately disclosed PHI, including patient names, treatment, and insurance information, while responding to patient reviews on a public platform.[3] OCR also determined that the practice failed to include the appropriate elements within its Notice of Privacy Practices and also did not implement sufficient policies and procedures governing use and disclosure of PHI.[4] In addition to numerous corrective actions, the practice agreed to provide breach notices to all affected individuals.[5]

In assessing whether to respond to a post, HIPAA-regulated entities should consider whether they are disclosing more than the minimum amount of PHI necessary, whether the information identifies a patient, as well as whether the information is particularly sensitive or was already disclosed by the patient in his/her post, among others. Unfortunately, OCR has not yet adopted a clear, bright line standard for what types of interactions are permissible, and as a result, any interaction carries risk.

As OCR is taking a serious look at HIPAA and its application to social media platforms, it is more important than ever that HIPAA-regulated entities assess their compliance obligations. Even where a regulated entity feels that a response is warranted, HIPAA may not allow that disclosure. In that event, a regulated entity should consult with their Privacy Officer or counsel to consider alternative means of communication that better align with HIPAA’s requirements. If you have any questions about HIPAA or its impact on you or your business’s online activities, please contact a member of the Sheppard Mullin Healthcare Team.


[1] Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates, HHS (Dec. 1, 2022).

[2] HHS Civil Rights Office Enters Settlement with Dental Practice Over Disclosures of Patients’ Protected Health Information, HHS (Dec. 14, 2022).

[3] New Vision Dental Resolution Agreement and Corrective Action Plan, HHS (Dec. 14, 2022).

[4] Id.

[5] Id.



