Social media can be a minefield for any business to navigate. When it comes to the combination of patient privacy and social media, healthcare organizations and other HIPAA-covered entities need to tread carefully.
As a HIPAA-covered entity, you should use social media (Facebook, Twitter, and Pinterest to name three examples) for the same reason other companies do:
- Share information about products and services to educate existing clients
- Attract new customers
- Branding and advertising
- Creating connections by sharing tips and insights about health news
At the same time, your employees may also be active on social media, sharing tweets or Facebook status updates about their workday like the tens of millions of other social media users.
They just need to follow HIPAA rules about sharing patient information.
Be careful when sharing Protected Health Information (PHI)
Even though HIPAA was written and enacted before social media became popular and a source of education and entertainment, the rules extend to these sites as well. Fortunately, with education and training, staying within the boundaries of HIPAA to protect clients’ PHI while taking advantage of the benefits social media offers, is achievable.
The HIPAA Privacy Rule says you cannot share PHI except for Treatment, Payment or Operations (TPO) without the written consent of the patient. Many doctors will share photos of various procedures to educate clients. They may post messages about patients. Unless you have explicit permission, do not share any information about a patient.
How Healthcare Providers Can (and Should) Use Social Media
There are many ways in which social media can benefit both providers and patients. There’s no reason for healthcare providers to refrain from using social media to educate, inform, and keep in touch with patients or to attract new business. The following are a few examples of things you can share on social media as a covered entity:
- Events that a patient might be interested in
- Research updates, findings, and even analysis of what it means in your area of expertise
- Staff introductions and profiles, videos, and/or bios
- Promotions regarding your services
- Health tips and advice
- Advertisements for your services (pay-per-click ads on Google, Facebook ads, etc.) that don’t violate patient confidentiality and privacy
All of these things can be shared to provide better patient service without conflicting with HIPAA guidelines.
Social Media Rules for Employees on Both Professional and Personal Platforms
For employees of a covered entity, social media rules related to patient interactions need to extend to their personal use of social media as well. In a nutshell, any information about a patient is protected, from nicknames to numbers (phone, social security, age, etc.) to treatment information to biographical details (marital status, siblings, etc.).
You cannot share any text about specific patients. However, images and video that could result in a patient being identified should also be avoided. For instance, if you take a photo of your dental office to use on your website you need to be sure there are no patients in the photo. Or, if there are, ensure that you have their written permission to use the photo.
Employee interactions with patients on social media can be problematic. Employees of covered entities must be careful in their work-related posting. Here are three actions all employees should take on social media:
- Employees who have identified themselves as an employee of a covered entity need to state that any views expressed are their own and do not represent their employer
- If a patient posts a picture with a “tag” that makes a picture appear in your timeline, remove that tag
- Respond to comments, for example on a business’ Facebook page, but do not mention or allude to any treatment given
These four actions are things your employees should never do:
- Talk about your work day as it relates to your job or activities interacting with patients
- Post photos or videos of patients, even if the patient cannot be identified in the photo
- Gossip about a patient, even if a name isn’t given
- Post to a patient’s social media account
Texting Protected Health Information
Texting apps aren’t often considered as part of social media. In short, a texting app “could” be HIPAA-compliant if it has a number of features such as encryption and a record of the conversation.
In general, while using secure phone texting solutions to confirm upcoming appointments and to send reminders is fine; using text or text apps like Facebook Messenger or SnapChat, is discouraged as they lack features that would render them HIPAA compliant. We’ll dive into more detail on texting PHI in a December blog post. Subscribe here so you don’t miss it!
Here are three tips for staying HIPAA-compliant on social media.
Develop a Social Media Policy
Every covered entity should have a policy to guide employees on the do’s and don’ts of social media relevant to patients and PHI, including those mentioned earlier in this post.
Your social media policy and guidelines should include a definition of social media, which should aim to include future social media platforms yet to be released.
Whatis.com defines social media as follows:
Social media is the collective of online communications channels dedicated to community-based input, interaction, content-sharing and collaboration. Websites and applications dedicated to forums, microblogging, social networking, social bookmarking, social curation, and wikis are among the different types of social media.
A best practice is to revisit this policy yearly and revise as needed.
After developing a social media policy, you must train employees to follow it. Ongoing employee training is crucial to reinforce the importance of following HIPAA privacy guidelines. All employees should receive social media training before they begin their job or as quickly as possible afterwards to minimize the chance of a HIPAA privacy violation.
Social media violations on social media happen. Recently, a dental practice revealed PHI when responding to a patient’s Yelp review. The penalty was $10,000. You can read about the PHI disclosure here.
Use Social Media Wisely
Healthcare providers and other covered entities can use social media for the same reasons as other businesses -- educating and attracting existing and new clients for their services.
As long as they follow the HIPAA privacy rule in their social media communications, covered entities can have a robust social media presence that does not violate HIPAA guidelines.