Posted On: September 12, 2024

HIPAA Social Media Rules: A Guide

Social media is such an integral part of our daily lives. For individuals, it’s how they share their daily ups and downs, both personal and professional. For organizations, it’s how they promote themselves, interact with existing and prospective clients, and share news with the public.

It can be easy to view social media interactions as innocent, but for healthcare providers, it can be a dangerous blind spot in your duty to patient privacy.

As a healthcare worker or organization, how do you stay compliant with HIPAA laws while still being active on social media? Continue reading to find out.

IMPORTANCE OF PATIENT PRIVACY ON SOCIAL MEDIA

There are a lot of reasons to have strict policies regarding patient privacy on social media.

People’s health is a deeply private subject for most individuals. If someone in your organization shares this information online – officially or unofficially, accidentally or not – then it can cause a big backlash. Not only could the individual be angry or embarrassed, but the sentiment would spread to others who wouldn’t want their information shared.

This can hurt your reputation, make your organization look unprofessional, and damage the trust of the public in an industry where trust is absolutely vital to your function.

Then there’s the fact that it’s illegal.

Violating HIPAA’s Privacy Rule by sharing Protected Health Information (PHI) comes with serious legal and professional consequences, whether you’re an organization or an individual. Depending on the nature of the violation, you could face fines, termination, license revocation, and even jail time.

WHAT IS HIPAA?

The Health Insurance Portability and Accountability Act was passed in 1996 to create various reforms for the healthcare industry.

The most prominent is to guard the privacy and security of sensitive health information from being linked to an individual by unauthorized parties.

HIPAA was written before social media became so prominent in our lives, but it was designed with electronic communication in mind.

RELEVANT PROVISIONS OF THE HIPAA PRIVACY RULE

HIPAA’s Privacy Rule protects the confidentiality of patients’ information, both details about their care and any data that could reveal their identity, including:

  • Names, nicknames, or social media handles
  • Any information that hints at a location, up to and including addresses
  • Specific dates, from appointments and treatment duration to birthdays
  • All personal contact information, including phone, fax, email, or URLs/links
  • Identifying numbers like social security, account number, medical record, or health plan number
  • Photographs, scans, fingerprints, voice recordings, and other identifying multimedia
  • Vehicle descriptions or license plates
  • Anything else that could give hints regarding the patient's identity

You can see why there’s an inherent conflict between HIPAA privacy and social media. While other businesses can tag clients, post pictures, communicate through chat, and share success stories with relatively little issue, all those activities are fraught with risk in the healthcare industry, even when you have written permission.

This is partly because, as we’ve all learned, “the internet is forever.” Once you post something on social media, it can be screen-captured, copied, and reposted. If your patient changes their mind and revokes their permission, the damage will already be done.

EXAMPLES OF COMMON HIPAA VIOLATIONS ON SOCIAL MEDIA

Since you can’t legally provide any hints or identifying information about a patient, it’s shockingly easy to cross the line. That means you could violate HIPAA just by:

  • Posting videos or photos of a patient, even outside the context of treatment
  • Providing updates about a medical event that made the news
  • Discussing a patient (even casually) with colleagues via text or private message
  • Posting or sending gossip to a friend about who just walked into the office
  • Responding to a post where a patient or their representative discloses medical information

SOCIAL MEDIA BEST PRACTICES FOR HEALTHCARE

Since HIPAA has no specific social media rules, it’s best to err on the side of caution.

The easiest way to comply with HIPAA social media guidelines is to avoid any possible HIPAA violation. That means:

  • No patient pictures, including any celebrities
  • No success stories, patient anecdotes, or case information that uses real data
  • No acknowledging, “liking,” reposting, or commenting on patient posts that disclose health or treatment information, even if they tag you first
  • Replying to reviews on Yelp, Google, or social media by thanking the reviewer for their feedback (You can ask them to contact your office to resolve problems, but you shouldn’t argue or address specifics)
  • Referring all private messages to official and private means of communication
  • Setting similar social media policies for employees’ private accounts and enforcing them strictly
  • Sending regular reminders to staff of “what not to do”

Otherwise, the only route to healthcare social media compliance requires you to obtain a valid patient authorization specific to social media. It needs to describe how and why PHI will be disclosed or used, disclose that they’re allowed to revoke permission, and it must be signed by the patient.

For social media, you’ll want to be overly descriptive, specific, and thorough in terms of what they should expect to reduce the chance of buyer’s remorse after a social media post has already gone up. In other words, you’ll want to give them exact wording and imagery to agree to. Once authorization is obtained, you can’t depart from those conditions without getting additional authorization.

BRUSH UP ON HIPAA COMPLIANCE WITH ONLINE TRAINING

HIPAA compliance is not only complicated but also woven into every part of a healthcare provider’s business, from marketing and customer service to daily operations.

It’s a lot to keep track of, and there’s a reason HIPAA requires annual refresher training for anyone who has access to PHI.

As a regulatory training provider with over 20 years of experience, our HIPAA compliance training is thorough and effective. It’s also online, self-paced, and mobile-friendly for your convenience.

Enroll today to protect your business from HIPAA violations!

Privacy Policy  |   Terms and Conditions   

©2025 360training
