Are You Subject to HIPAA Privacy Rules when Publishing Confidential Health Information on a Social Network?

It’s unlikely the social networking sites are health care providers, so HIPAA’s privacy rule doesn’t apply; but other privacy business practices are likely to affect you. First, tackle the HIPAA Privacy question by responding to the following questions.

» Are you a healthcare provider that conducts transactions electronically?
» Are you a healthcare clearinghouse? (Do you process healthcare claims?)
» Are you a health plan? (insurance payer)

If you answered no to these questions, you are not a covered entity under HIPAA’s Privacy Rule. That said, you probably are more concerned about users sharing health information online that if stolen, could be used in identity theft.

Consumers (patients) often use social networking sites to keep friends and family members updated on health conditions. Or, using secure patient portals, patients (consumers) may create their own confidential and secure personal health records (PHR). These records typically contain information such as medications including dosages, allergies, health insurance plan, if applicable, emergency contact, current medical conditions – typically all the things you have to answer again and again on paper every time you see a doctor. Our nation is rapidly heading into an environment where consumers (patients) can store their health information on smart phones, online patient portals, or in portable devices, such as USB drives so that you can quickly provide information to an Emergency Room physician or your own doctor.

Patients are not covered entities, but they are responsible for creating, maintaining and sharing their own health information, a very smart thing to do, but it should be done on a secure PHR service, not on social networking sites. To find PHR companies, search online using keywords, “Personal Health Record software.”
Finally, we applaud social networking sites that demonstrate concern for their users privacy. With the rapid uptick in use, we recommend you put a notice on your site warning users to be cautious about providing identifiable information, such as date of birth (especially year), address, telephone number, or social security number.

If you are considering offering a patient portal service, first consult the services of a health law attorney.

Carolyn Hartley, Healthcare Authority & EHR Consultant