The Rheumatologist

Avoid Data Breaches, HIPAA Violations When Posting Patients’ Protected Health Information Online

July 1, 2014 • By Steven M. Harris, Esq.

You Posted What?

Facebook, Twitter, Instagram, Snapchat, YouTube, blogs, websites, Google+, LinkedIn. What do all of these social media outlets have in common? Each of these avenues can get physicians in trouble under the Health Insurance Portability and Accountability Act (HIPAA), state privacy laws and state medical laws, to name a few of the applicable laws. It seems that, all too often, news outlets are reporting data breaches generated in the medical community, many of which arise out of physicians’ use of social media, and many of which could have been avoided.

Physicians should be aware of the intersection of social media use—for both personal and professional use—and HIPAA and state laws. Even an inadvertent, seemingly innocuous disclosure of a patient’s protected health information (PHI) through social media can be problematic.

PHI is defined under HIPAA, in part, as health information that (i) is created or received by a physician, (ii) relates to the health or condition of an individual, (iii) identifies the individual (or with respect to which there is a reasonable basis to believe the information can be used to identify the individual), and (iv) is transmitted by or maintained in electronic media, or transmitted or maintained in another form or medium. Under HIPAA, a physician may use and disclose PHI for treatment, payment or healthcare operations. Generally, using or disclosing PHI through social media does not qualify as treatment, payment or healthcare operations. If a physician were to use or disclose a patient’s PHI without permission, this would violate HIPAA (and likely state law).

To use or disclose a patient’s PHI without obtaining the patient’s consent, a physician must de-identify the information and ensure there is no reasonable basis to believe the information can be used to identify the patient. One option under HIPAA is to retain an expert to determine “the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is the subject of the information.” Alternatively (and more often the case), a physician seeking to use or disclose patient PHI can remove the following identifiers from the PHI:

  1. Name(s);
  2. Geographic information;
  3. Dates (e.g., birth date, admission date, discharge date, date of death);
  4. Telephone numbers;
  5. Fax numbers;
  6. E-mail addresses;
  7. Social Security numbers;
  8. Medical record numbers;
  9. Health plan beneficiary numbers;
  10. Account numbers;
  11. Certificate/license numbers;
  12. Vehicle identifiers and serial numbers, including license plate numbers;
  13. Device identifiers and serial numbers;
  14. URLs;
  15. IP address numbers;
  16. Biometric identifiers (e.g., finger and voice prints);
  17. Full-face photographic images and any comparable images; and
  18. Other unique identifying numbers, characteristics or codes.

Identifier No. 18 is the most difficult to comply with in light of the significant amount of personal information available on the Internet, particularly through Google and other search engines. Inputting even a small amount of information into a search engine will generate relevant “hits,” which makes it increasingly difficult to comply with the de-identification standards under HIPAA. Even if Identifier Nos. 1–17 are carefully removed, the breadth of Identifier No. 18 can turn a seemingly harmless post on social media into a patient privacy violation.

Filed Under: Information Technology, Legal, Professional Topics, Technology
Tagged With: HIPAA, Internet, lawsuits, Legal, PHI, privacy, rheumatologist, Technology
Issue: July 2014

The Rheumatologist newsmagazine reports on issues and trends in the management and treatment of rheumatic diseases. The Rheumatologist reaches 11,500 rheumatologists, internists, orthopedic surgeons, nurse practitioners, physician assistants, nurses, and other healthcare professionals who practice, research, or teach in the field of rheumatology.

Copyright © 2006–2023 American College of Rheumatology. All rights reserved.

ISSN 1931-3268 (print)
ISSN 1931-3209 (online)