Long gone are the days when social media consisted solely of Myspace and Facebook, accessible only by logging in through a desktop computer at home or personal laptop. With every single social media platform readily available on personal cellular devices, HIPAA violations through social media outlets are becoming a frequent problem for healthcare providers and individual employees alike. In fact, social media platforms like Snapchat® and Instagram® that offer users the opportunity to post “stories” or send their friends temporary “snaps” seem to be a large vehicle for HIPAA violations, specifically amongst the millennial generation.
In a recent poll by CNBC of the younger-end of the millennial generation, CNBC found that a majority of teens ranked Snapchat and Instagram among their top three favorite apps. One teen claimed that they enjoyed the “instant gratification” of having a quick conversation, and another teen even stated that “Snapchat is a good convenient way to talk to friends (sharing pictures) but you can say things you would regret later because they disappear (I don’t do that though).”
This dangerous and erroneous mentality, while prevalent in teens, exists to some extent among the younger generation of nurses, residents, and other employees working for healthcare providers. With just a few taps and swipes, an employee can post a seemingly innocuous disclosure of PHI. Interns and residents of the younger generation may innocently upload a short-term post (be it a picture for two-seconds or an eight-second long video) of a busy hospital room or even an innocent “selfie” without realizing that there is visible and identifiable PHI in the corner. Two major categories of HIPAA violations have become apparent to me in relation to Snapchat and Instagram Stories and HIPAA: (1) The innocent poster, as described above, who does not realize there is PHI in their post; or (2) The poster who knows that their picture or video could constitute a HIPAA violation, but posts it anyway because they think it’s “temporary”.
The first category of violators are employees who do not realize that they’re violating HIPAA but can still be punished for such behavior. Think of a resident deciding to post a picture on their “Snapchat story” of a cluttered desk during a hectic day at work, not realizing that there are sensitive documents in clear view. Again, whether the resident meant to or not, he or she still violated HIPAA.
The second category of violators think that they’re safe from HIPAA violations, but don’t realize that their posts may not be as temporary as they think. Let us imagine a nursing assistant, working at an assisted-living facility, “snapping” a video of an Alzheimer’s patient because the patient “was playing tug of war with her and she thought it was funny.” The story only lasts 24 hours on the nursing assistant’s Snapchat “story”, but it is still a clear breach of HIPAA. In this case (a true story), the nursing assistant was fired from the facility and a criminal complaint was filed against her.
Violations in this category do not even need to be as severe as the one in the scenario with the nursing assistant. An employee at a hospital taking a “snap” with one of their favorite patients and sending it to just one friend on Snapchat directly (instead of posting it on their “story”) is a violation because that friend could easily take a screenshot of the “snap”. In fact, any “snap” is recordable by a receiving party; all the receiving party would have to do is press and hold the home button in conjunction with the side button on their iPhone. Voila, now a third-party has PHI saved on their phone, and worse yet, that third-party can distribute the PHI to the world on any number of social media outlets.
Snapchat posts and Instagram stories are not temporary. In fact, in 2014, Snapchat experienced a security breach that released 100,000 Snapchat photos. The hack – cleverly called “The Snappening” – involved hackers who released a vast database of intercepted Snapchat photos and videos that they had been amassing for years. In that instance, the hackers acquired the files from a third-party site called “Snapsave.com”, which allowed users to send and receive “snaps” from a desktop computer and stored them on their servers. Snapchat argued back then that it was not in fact their own server which was hacked, but currently the app does allow users to save “snaps” on their phone and on the application before sending them to their friends or stories. This change was made in 2016. Where are those pictures being saved? Could hackers get their hands on them?
The appeal of “instant gratifications” and “temporary conversations” is what makes social media platforms such as Snapchat and Instagram dangerous to healthcare providers. To avoid HIPAA violations of this nature, it is important to inform and educate employees, especially of the millennial generation, of the dangers of posting pictures that they think are temporary. I have an anonymous friend at the age of 26 who is a resident at a hospital that completely disabled her ability to access G-mail through her phone. While this method is a severe solution to a growing issue, and not absolutely necessary, healthcare providers should definitely consider other creative ways to keep their younger employees off their social media apps.