Avoiding HIPAA Violations on Social Media

Medical professionals can face disciplinary proceedings before their respective licensing boards and agencies for various reasons. In today’s world, almost everyone uses some version of a social media platform, and medical professionals are no exception. However, when using social media, medical professionals must refrain from running afoul of the laws that govern their profession, including the federal Health Insurance Portability and Accountability Act (HIPAA). 

An experienced license defense lawyer can represent your interests in any disciplinary proceedings regarding alleged HIPAA violations or other forms of misconduct. We can review your case, explain your potential options, and work to achieve a reasonable solution with your licensing board to reach a mutually acceptable resolution. 

Understanding HIPAA

HIPAA is a federal law that protects patients’ personal health information (PHI). This Act contains enforcement mechanisms that penalize doctors and other medical professionals who violate it by disclosing PHI. A HIPAA violation is subject to penalties, even if accidental or unintentional. 

The precipitous rise in social media usage, with over 800 million people using at least one social media platform, has resulted in increased HIPAA violations. However, HIPAA contains no specific rules related to social media, as the law was passed years before social media platforms existed. Whether doctors or other medical professionals use social media platforms personally, or medical practices use them to reach out to and disseminate information to existing and prospective patients, they must be mindful of HIPAA and its implications when using social media. 

Covered entities and business associates may not use or disclose PHI without an individual’s authorization, including publishing PHI in the public domain via a social media platform. Medical professionals must also remember that PHI does not solely relate to medical information. 

HIPAA Authorizations

To the extent medical professionals wish to use PHI on their social media platforms, such as by providing a patient review or story, they first must obtain a HIPAA-compliant release following the patient authorization rules found in §164.508 of the HIPAA Privacy Rule. Valid patient authorizations must contain the following elements:

  • A meaningful description of the information to be used or disclosed;
  • A meaningful description of the purpose of the use or disclosure;
  • An explanation that the information may be further disclosed;
  • The individual’s right to revoke the authorization; and
  • An expiration date for the authorization.

Penalties for HIPAA Violations by Medical Professionals

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), and state attorneys general can issue penalties against medical professionals for HIPAA violations. These penalties are civil fines and corrective action plans to avoid future HIPAA violations. The amounts of the penalties are based on the number of “general factors” and the seriousness of the HIPAA violation. 

The OCR relies on four categories that make up the penalty structure for HIPAA violations, as follows:

  • Tier 1: A violation that the covered entity was unaware of, and could not have realistically avoided had a reasonable amount of care been taken to abide by HIPAA Rules – Minimum fine of $100 per violation, up to $50,000
  • Tier 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of HIPAA Rules) – Minimum fine of $1,000 per violation, up to $50,000
  • Tier 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation – Minimum fine of $10,000 per violation, up to $50,000
  • Tier 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation within 30 days – Minimum fine of $50,000 per violation

These penalties are adjusted for inflation each year. As of the last update issued by OCR, the minimum penalty per violation was $127, and the maximum was $1,919,173.

Disciplinary Consequences for HIPAA Violations by Texas Medical Professionals

The Texas Medical Practice Act prohibits “unprofessional and dishonorable conduct that is likely to deceive, defraud, or injure the public.” Under 22 Tex. Admin. Code § 190.8(2)(N), unprofessional and dishonorable conduct includes violating patient confidentiality. Doctors who make posts on social media that allow others to identify their patients, even if they do not specifically use their patients’ names, could violate this rule. Furthermore, using any PHI in social media posts is a HIPAA violation. 

The Texas Medical Board (TMB) investigates and disciplines doctors if a complainant alleges that they have violated the Texas Medical Practice Act or TMB Rules, including any HIPAA violations. If the TMB investigates and determines that a violation has occurred, it can take disciplinary action against the doctor, imposing sanctions and administrative penalties. In most cases, the parties can agree on the appropriate sanctions. However, if they cannot agree, formal disciplinary proceedings may ensue, and an administrative law judge may hold a hearing to issue recommendations to the TMB.

If the TMB determines that a professional has violated the Act, it can impose one or more sanctions and administrative penalties. In most cases, these sanctions derive from the parties’ agreement in the form of an Agreed Board Order. However, when the parties cannot reach an agreement, the sanctions are imposed by order of the TMB following formal disciplinary proceedings. 


Sanctions in TMB Disciplinary Proceedings for HIPAA Violations

22 Tex. Admin. Code § 190.14(9) provides a standard range of sanctions for different violations. For a breach of confidentiality by a doctor, which constitutes unprofessional conduct likely to injure the public under 22 Tex. Admin. Code § 190.8(2)(N), the potential sanctions range from:

  • A remedial plan that provides for the completion of eight hours of risk management CME, including HIPAA, and a $500 administration fee; up to
  • An Agreed Order or public reprimand, completion of CME in risk management and HIPAA, a $3,000 fine per occurrence, and the JP exam.

Get Assistance Defending Your Professional License Today 

Be sure to get legal assistance if you face disciplinary action against your medical professional license. Contact a Texas license defense attorney immediately if you receive or anticipate receiving notice of disciplinary proceedings.

Call or text (512) 476-5757 or complete a Case Evaluation form