HIPAA & Social Media, Mobile Devices, Email and Faxes
In this lesson, we'll be covering HIPAA law as it applies to social media, mobile devices, email, and faxes. And at the end of the lesson, we'll provide you with a brief Word about guidelines for properly disposing of protected health information, or PHI.
HIPAA Law & Social Media
HIPAA law covers all PHI in electronic formats (also known as ePHI). This includes the following social media platforms:
- Snapchat
- Any and all others
Pro Tip #1: While we as a society find it absolutely necessary to share everything on social media these days – including contrary opinions and meals we're about to consume – never under any circumstance should you disclose patient information, like names and treatments, on any social media platform.
Remember, though we're sure you know better, common sense is not all that common, which is why these things need to be said. And why we have to also note that if you do any of the above, you could be personally liable financially and criminally for disclosing any protected health information on social media platforms.
HIPAA Law & Mobile Devices
Mobile devices include but are not limited to:
- Smartphones
- Tablets
- Laptops
Pro Tip #2: While disclosing PHI on social media is always a no-no, mobile devices can be used to share protected health information IF appropriate safeguards are in place. What does IF mean?
In short, we're referring to encryption. If you are sharing PHI on mobile devices, you have to use an encrypted texting or chatting platform. You cannot simply just pick up your phone and text PHI to a doctor, nurse, health plan, insurance company, etc.
Why can't you do this? Because standard texting platforms:
- Have only limited encryption
- Are not HIPAA compliant
- Use a cloud that stores all text messages
HIPAA Law & Email Platforms
Standard email platforms are also not compliant according to HIPAA, and these include:
- Gmail
- Hotmail
- AOL (which may or may not be extinct)
- Yahoo!
- Any local IT provider's email platform
All emails sent through the above free platforms are subject to automated processing. Your email and sensitive patient data will be scanned for targeted advertising when using those platforms.
Pro Tip #3: It's important to note that while Google has chosen to not sign a business associate agreement (BAA) when using their Gmail platform, their paid service – G Suite – has signed BAAs. Other paid email platforms may also be acceptable, like Microsoft Office 365. The key is the provider's willingness to sign a business associate agreement.
HIPAA Law & Faxes
Faxes are an approved and HIPAA compliant means of sending PHI. However, you still need to be mindful when doing so. This means always using a cover sheet before sending a fax that contains protected health information.
What if you send a fax containing PHI in error?
If this happens, you need to contact the receiver and notify them to destroy the fax. Likewise, if you receive a fax containing PHI in error, you must notify the sender and also destroy the information.
A Word About guidelines for Properly Disposing of PHI
Disposing of PHI is of the utmost importance, particularly in our modern digital world where deleted tweets aren't really ever gone. The following PHI disposal guidelines should ensure that you and your organization remain HIPAA compliant.
- Shred all hard copies containing PHI when the copies are no longer needed
- Place hardcopies to be recycled in locked recycle bins if available
- Delete all soft copy files containing PHI from your computer and from the server when the information is no longer needed within the record retention requirements
- Destroy all disks, CDs, etc., that contained PHI before disposing of them
- Do not reuse disks or CDs that contained PHI without sanitizing them first
- Contact your IT department before transporting or transferring equipment for proper procedures to move equipment and to sanitize hard drives and other media
- Return the PHI to the sender, if this requirement is stipulated in any contractual agreements
Related Q&A
Is Facetime HIPAA compliant?
It depends whom you ask. This is unfortunately a complicated answer, and one for which you will find differing opinions if you search the web. Apple is not willing to sign Business Associate Agreements with Covered Entities. However, if Apple's Facetime service can be considered a conduit under the Conduit Exception Rule, then a BAA is not strictly required as long as the service is used in a HIPAA compliant manner. Whether or not Facetime is considered a conduit is what is hotly debated. The US Department of Veteran Affairs has authorized Facetime for use internally for telemedicine and thereby gives its stamp of approval. Nonetheless, there are other peer-to-peer video services who are willing to sign BAAs, so our recommendation would be to use one of those services instead.
Is Zoom HIPAA compliant?
Yes, Zoom is HIPAA compliant. In order to use Zoom in a HIPAA compliant manner, the covered entity must enter into a business associate agreement with Zoom prior to using the platform. You can learn more and request a BAA on the Zoom for Healthcare website.
Please be aware that it is possible to violate HIPAA Rules while using Zoom. Users must be properly trained on their responsibilities regarding patient privacy and permitted sharing of PHI only with authorized individuals. It is the covered entity's responsibility to ensure Zoom is used in a HIPAA compliant manner and that staff are all adequately trained.