Social media can be a minefield for any business to navigate. When it comes to the combination of patient privacy and social media, healthcare organizations and other HIPAA-covered entities need to tread carefully.
As a HIPAA-covered entity, you should use social media (Facebook, Twitter, and Pinterest to name three examples) for the same reason other companies do:
At the same time, your employees may also be active on social media, sharing tweets or Facebook status updates about their workday like the tens of millions of other social media users.
They just need to follow HIPAA rules about sharing patient information.
Even though HIPAA was written and enacted before social media became popular as a source of education and entertainment, its rules extend to these sites as well. Fortunately, with education and training, staying within the boundaries of HIPAA to protect clients’ PHI while taking advantage of the benefits social media offers is achievable.
The HIPAA Privacy Rule says you cannot share PHI except for Treatment, Payment or Operations (TPO) without the written consent of the patient. Many doctors will share photos of various procedures to educate clients. They may post messages about patients. Unless you have explicit permission, do not share any information about a patient.
There are many ways in which social media can benefit both providers and patients. There’s no reason for healthcare providers to refrain from using social media to educate, inform, and keep in touch with patients or to attract new business. The following are a few examples of things you can share on social media as a covered entity:
All of these things can be shared to provide better patient service without conflicting with HIPAA guidelines.
For employees of a covered entity, social media rules related to patient interactions need to extend to their personal use of social media as well. In a nutshell, any information about a patient is protected, from nicknames to numbers (phone, social security, age, etc.) to treatment information to biographical details (marital status, siblings, etc.).
You cannot share any text about specific patients. Likewise, images and video that could result in a patient being identified should be avoided. For instance, if you take a photo of your dental office to use on your website, you need to be sure there are no patients in the photo. Or, if there are, ensure that you have their written permission to use the photo.
Employee interactions with patients on social media can be problematic. Employees of covered entities must be careful in their work-related posting. Here are three actions all employees should take on social media:
These four actions are things your employees should never do:
Texting apps aren’t often thought of as social media. In short, a texting app could be HIPAA-compliant if it provides features such as encryption and a record of the conversation.
In general, using secure phone texting solutions to confirm upcoming appointments and to send reminders is fine; using SMS or messaging apps like Facebook Messenger or Snapchat is discouraged, as they lack the features that would render them HIPAA compliant. We’ll dive into more detail on texting PHI in a December blog post.
Here are three tips for staying HIPAA-compliant on social media.
Every covered entity should have a policy to guide employees on the do’s and don’ts of social media relevant to patients and PHI, including those mentioned earlier in this post.
Your social media policy and guidelines should include a definition of social media, which should aim to include future social media platforms yet to be released.
Whatis.com defines social media as follows:
Social media is the collective of online communications channels dedicated to community-based input, interaction, content-sharing and collaboration. Websites and applications dedicated to forums, microblogging, social networking, social bookmarking, social curation, and wikis are among the different types of social media.
A best practice is to revisit this policy yearly and revise as needed.
After developing a social media policy, you must train employees to follow it. Ongoing employee training is crucial to reinforce the importance of following HIPAA privacy guidelines. All employees should receive social media training before they begin their job or as quickly as possible afterwards to minimize the chance of a HIPAA privacy violation.
HIPAA violations on social media happen. Recently, a dental practice revealed PHI when responding to a patient’s Yelp review. The penalty was $10,000. You can read about the PHI disclosure here.
Healthcare providers and other covered entities can use social media for the same reasons as other businesses -- educating and attracting existing and new clients for their services.
As long as they follow the HIPAA privacy rule in their social media communications, covered entities can have a robust social media presence that does not violate HIPAA guidelines.