Facebook – The Health Care Privacy Time Bomb

A reporter asked me not that long ago how frequently health care providers post patient health information (PHI) that would permit a reasonable person to identify the patient (even without a name included). I hear rumors of such now and again, and I’ve had my share of clients panic over something posted by an employee. As of yet, though, there has been no big PHI breach headline related to Facebook or other social media (miraculously enough). My response to the reporter was that Facebook is a very large health care privacy disaster waiting to happen.

Last quarter, Facebook passed 1.19 billion monthly active users. With those kinds of numbers, it’s highly likely that there’s a fair amount of identifiable patient health information floating around on Facebook that simply hasn’t been identified as a breach of unsecured patient information – yet. The only thing delaying the identification of those breaches is the highly difficult, if not impossible, task of auditing Facebook posts.

My advice: Remember that once information is out there in cyberspace, it’s not coming back. You need a formal social media program, associated policies, and above all, employee training about appropriate social media use. It’s not just about those posts that go up during working hours. It’s even more often about posts that go up after business hours.

Many users are still under the mistaken impression that limiting a post’s visibility to a few good friends means it can’t violate anyone’s health care privacy. That’s simply not true. Even the most well-meaning friend could cross-post information that employees share about themselves, their family, a co-worker, or a recently seen patient’s PHI.

This all comes down to an oft-repeated recommendation: Have a very sound, well-communicated social media program and policy. The social media policy and its training should:

  • Reference the required sanctions for violating the social media policy.
  • Include employee training on what they post both during working hours AND after they clock out for the day.
  • Strongly caution employees that when they post information about themselves or others on their personal Facebook page, everyone may be looking.

This article first appeared on the Apgar & Associates blog in 2012. It has been updated to reflect current Facebook statistics and trending PHI risk issues.

Chris Apgar, CISSP, CEO, is a frequent educator and panelist for OMA, HCCA and other industry-leading organizations. Chris is also available as an expert witness and columnist. For all of your privacy and security compliance consulting needs, call the HIPAA experts at Apgar & Associates: 877-376-1981.