HIPAA, PHI and Blogging

There has been an exponential growth of social media and medical blogging in recent years. This exponential growth makes it imperative for physicians to understand the complex intersection of the Health Insurance Portability and Accountability Act (HIPPA) and Internet blogging. The intersection of HIPPA and Internet bloggers puts physician at risk for liability.

Friction exits between HIPPA and Internet blogging because HIPPA seeks to protect patient information and blogging attempts to share information. This tension compels an understanding of the competing goals. This understanding mandates knowledge of what is Protected Health Information (PHI) and what is blogging.

PHI means individually identifiable health information that is conveyed by electronic media, preserved in electronic media or is transmitted or maintained in another medium. Health information is defined as any information, chronicled in form or medium, that is created or received by a health care provider, health plan, employer, health authority, life insurer, university, or health care clearing house and relates to present, past or future physical or mental health of an individual, or the past, present, or future payment for the provision of health care to an individual. Individually identifiable information is defined as information that is a subset of health information, including demographic information that is collected from an individual [1].

A blog is an online forum typically created by an individual who self publishes his or her commentary, opinions, description of events, videos and pictures using the Internet as medium of free exchange. Bloggers often seek to promote its services or products. Blogs often allow readers to join in on online conversation. Blogging allows an individual to have a voice and to create a dialogue that allows a following that may be impacted in their thinking about a subject, issue, or dispute. Here in lies the power of social media.

Physicians must understand how to traverse the intersection of HIPPA and blogging through social media. A covered entity may use PHI for treatment, payment or health care operations [2]. In the social media context blogging would not fall under the purview of treatment, payment, or health care operations. Therefore, a blog should not include any information about a patient that would qualify as PHI without a patient’s written authorization. The usage of PHI without patient consent a user must erase it personal nature by de-identifying the information of PHI.

HIPPA provides that “health information that does not identify an individual with respect to which there is no reasonable basis to believe that information can be used to identify an individual is not individually identifiable information” [3].

A covered entity may de-identify Protected Health Information (PHI) by engaging a qualified expert with appropriate knowledge and experience in generally accepted scientific principles and methods for rendering information not individually identifiable [4]. Another method available to a covered entity is the removal of specific identifiers from PHI before publication in blogs or other public content. These identifiers include names; geographic subdivisions; all date elements such as birth dates, admission dates, discharge dates, and dates of death; telephone and fax numbers; email addresses; social security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate or license numbers; vehicle and device identifiers and serial numbers; IP addresses; web URLs; biometric identifiers including fingerprints and voiceprints; facial images or comparable images; and any other unique identifying number, characteristic, or code [3].

The increasing use of social media and the widespread generation of user-created content shared online provide an extensive and interconnected source of identifying information. Even seemingly insignificant details, such as an airplane seat number, may be sufficient to rapidly reveal an individual’s identity [4].

Physicians and medical staff must remain sensitive and vigilant to the poetical risks of sharing innocuous information a medical blog that may be combined with the mega Internet databases that could enable a third party to discover a patient’s identity in violation of HIPPA.

According to Congress, the purpose of HIPAA is “to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes” [5]. One of these additional purposes is the protection of individuals’ privacy rights concerning their confidential medical information.

Ignorance is not a defense