Handling protected health information (PHI) over social media can be tricky. While the rules can be confusing, you may want to err on the side of caution to avoid HIPAA violations.
Question: What if someone contacts a provider through social media and asks questions? Can they reply in the same way and still be HIPAA compliant?
Answer: One interpretation of HIPAA is that if someone uses social media to ask you a question, this is implied consent to reply in that way, says Jim Sheldon-Dean of Lewis Creek Systems in Charlotte, Vt. But that isn’t necessarily a sound way to address this situation.
According to Sheldon-Dean, if someone contacts you via social media, your first reply should be: “Are you sure you want to communicate this way? Do you realize it’s not secure? Your information could be exposed. Do you want to continue communicating anyway?”
Sometimes, organizations are inclined to simply reply in the same manner in which a person is inquiring. “But I think when it comes to social media particularly, I think you want to make sure that you ask some questions and make sure [patients] understand what they’re doing and not just dive into it head-first,” Sheldon-Dean says.