Social Media and HIPAA
The use of social media by workforce members is subject to the restrictions outlined in this policy. These restrictions are in place to protect the privacy of patient information and to comply with applicable legal and regulatory requirements, including the HIPAA Privacy Rule.
Reason(s) for the Policy
To provide guidelines to be followed by all Columbia University Healthcare Component (CUHC) workforce members related to their personal and professional use of social media.
Primary Guidance To Which This Policy Responds
The Health Insurance Portability and Accountability Act (HIPAA)
Who is Governed by This Policy
All CUHC workforce members.
Who Should Know This Policy
All CUHC workforce members including faculty, staff and students.
The confidentiality of patient information is governed by federal and state laws.
If any provision of this policy is in conflict with applicable law or regulation, the applicable law or regulation that affords the patient with the greatest privacy will govern.
- Posting patient information, commentary, or photographs on professional or personal social media sites requires written authorization from the patient using the CUIMC HIPAA Media Authorization form. The Office of Communications can be contacted at [email protected] to obtain the authorization form. A copy of the form is provided to the patient and the original authorization is placed in the medical record.
- Photo, tape or video recording in CUIMC patient treatment areas is permitted only after obtaining permission from the Practice Manager, Program Director in addition to CUIMC Communications.
- Patients in treatment areas/practice locations are prohibited from photo, tape or video recording without prior permission from the provider, program or practice manager.
- Patient authorization may also be necessary if photos, tape, or video recording contain other patients’ images or information.
- Faculty, staff and students are prohibited from taking personal photos, video or audio recordings in patient care areas to avoid inadvertently capturing patients or patient information.
- Photos, images or a narrative thought to be de-identified by a workforce member may be recognizable by the individual or others, and would not meet the definition of de-identified per the HIPAA Privacy Rule and thus permission should be obtained from the Privacy Office prior to posting photos, images or narratives (e.g., case reports) involving patients or patient information even if they are thought to be de-identified.
- Faculty and staff may photograph, video or audio record patients for treatment purposes with authorization from the patient and must use an electronic device that meets CUIMC Information Security requirements.
- All workforce members should report any questionable patient information found on social media, as well as any suspected unauthorized photographing, filming, or recording, to the Privacy Office.
Interacting with Patients on Social Media
Faculty, staff, and students should not connect with patients or patient family members using social media. It is recommended that workforce members use the same judgment regarding any other type of social interaction with patients.
Communications and Public Affairs
Departments, programs and centers that maintain a social media presence must adhere to CUIMC social media guidelines. For additional information contact CUIMC’s Office of Communications and Public Affairs at [email protected].
- Review and comply with the policy
- Report any unauthorized use of social media or violations of this policy to the Privacy Office
Social Media - Internet-based applications which support and promote the exchange of user developed content. Social media can take many different forms including:
- Blogs and micro-blogs such as Twitter
- Social networks, such as Facebook and Instagram
- Professional networks, such as LinkedIn
- Video sharing, such as YouTube and blogs (video weblogs)
- Audio sharing, such as podcasts
- Photo sharing, such as Flickr and Photobucket
- Social bookmarking, such as Digg and Reddit
- Public comment sections on webpages (such as those for online news sites)
- User created web pages such as Wikis and Wikipedia
- Any other internet-based social media application similar in purpose or function to those applications described above
Columbia University Healthcare Component (CUHC) – Columbia University is a Hybrid Entity that has designated as its Healthcare Component (the Columbia University Healthcare Component) Columbia University Medical Center and the other colleges, schools, departments and offices of the University to the extent that they (i) provide treatment or health care services and engage in Covered Transactions electronically or (ii) receive Protected Health Information to provide a service to, or perform a function for or on behalf of, the Columbia University Healthcare Component.