HIPAA Social Media Guide For Doctors & Dentists
This applies to any healthcare practice that deals with patient data. Patients and clients (in the case of medical spas and aesthetics practices) are considered the same, whether they are a prospective patient, an active patient, or a past patient. You must protect patient information.
Guide to HIPAA Social Media Rule
There are many benefits for a medical practice when it uses social media. A medical practice can use social media channels to promote its services, educate its community about health issues, and give tips on how its patients can have a healthier life. However, social media is not a “gray area” regarding HIPAA privacy rules. A medical practice must protect the personal health information of its patients when posting on social media channels or risk heavy fines.
How does HIPAA impact social media?
HIPAA, also known as the Health Insurance Portability and Accountability Act, was signed into law on August 21st, 1996. This was 8 years before Facebook launched, 10 years before the first tweet on Twitter, and 14 years before the first Instagram post. Despite the law being passed before the concept of social media was even considered, the rules in that law apply to social media posts. What medical practices can and can not do are spelled out and have been clarified over the years. Those who violate HIPAA willingly or with malice face fines and possible loss of license or prison time. For these reasons, compliance with HIPAA when using social media is crucial. To remain on the right side of HIPAA, a medical practice must not publish any PHI (personal health information) on any social media channels unless permission is explicitly granted to them by the patient.
What is PHI or personal health information?
For a medical practice to follow HIPAA rules and maintain compliance by not publishing any PHI, they need to know what it is to avoid it. PHI is any information about a patient that could be used to identify them. Some of the most common PHI data points include:
- Social media profiles
- References to locations
- Appointment dates
- Treatment durations
- Personal email address
- Work email address
- Home phone number
- Cell phone number
- Work phone number
- Personal website
- Work website
- Social Security numbers
- Driver’s license number
- Health insurance plan number
- Vehicle description
- Vehicle license plate
- Voice recordings
- Retinal scans
This list should be considered only a partial list, as there are many other ways to identify a patient. However, a medical practice should keep PHI in mind when posting content online. They should not risk any chance of any information being posted that could identify a patient.
A medical practice can share PHI in social media posts only after a patient has given explicit written permission. With that said, the patient must understand how the information will be used and why their personal health information is being used. This written agreement must be signed and kept on file at a medical practice for future reference. A verbal confirmation is not good enough, and a HIPAA violation could occur unless there is physical proof (like a written agreement).
What are some things that are not allowed in social media posts for a medical practice?
There are various ways a medical practice can violate HIPAA privacy rules if they are not careful. Below are some things to keep in mind when posting on social media channels.
Social Media Channel Posts
The social media channel for a medical practice can not share details of a patient’s treatment, photos of them, or any of the other PHI indicators or data points mentioned above. In addition, a medical practice needs to make sure that none of its staff post any personal health information on their own social media channels. It does not matter if they have a private profile and only chat with a few people. This information can not be on their profiles either. A medical practice should avoid posting details from reviews or posts patients have made on their own. Even if a medical practice does not mention the name or demographic of a patient, a detailed description of the results, treatment, and diagnosis of their visit could expose their identity. When sharing details, it is best to speak in general terms and not use specifics. Finally, a medical practice and its staff can not repost or reshare things from another patient’s social media profile unless they have explicit written permission.
Comments on social media posts
A common mistake medical practices make is breaching HIPAA privacy rules by replying or posting comments that disclose personal health information or acknowledge information published elsewhere. These comments can be posted in response to posts made by a medical practice, or in response to a patient’s own posts or their replies to comments on other posts. Even if the patient posted detailed medical information about themselves, a medical practice should not comment on it in any way that discloses information or acknowledges information that was already posted. This applies to the “business” commenting on posts as well as to other staff members, including providers and doctors.
Replying to Patient Posts
Any medical practice wants to see engagement on their social media channels, and they want to see their patients leave reviews. Good social media practices say that a medical practice should also engage with anyone who engages with them. Acknowledging a post from a patient, be it writing a response themselves or giving it a thumbs up, can go a long way to encourage future engagement. However, a medical practice must be careful that these replies do not violate HIPAA by revealing too much information. Many medical practices may need to realize that this can include referencing a patient’s clinic visit, using the reviewer’s name, or even defending the choices a medical practice made in a negative review. While it may seem necessary and natural to defend what a medical practice considers false information or an incorrect view, it still must protect personal health information. When in doubt, say less. A medical practice can always state that the federal HIPAA law does not allow them to respond to a comment and invite the patient to call for more information or clarification. This will show other potential patients that comments are read and feedback is taken seriously.
Messaging Patients Through Social Media
Many social media channels allow users to message others and businesses privately. For example:
- Facebook – Facebook Messenger
- Instagram – Instagram Messenger
- Twitter – Direct Messaging
- Google My Business – Private Messaging Feature
Social media channels allow businesses, including medical practices, to turn these features on or off. If a medical practice chooses to let patients message them, there are guidelines they need to follow. As with public posting, a medical practice is not allowed to disclose any personal health information in these private chats. While these chats are “private,” they do not have the security measures to make them HIPAA compliant. These messaging systems can not verify that the person on the other end is who they say they are, and data can not be secured on that end, making it impossible for it to be HIPAA compliant. Once that information is sent, there is a risk it can be exposed, putting the medical practice in legal jeopardy when it comes to HIPAA. If specific health information needs to be discussed with a patient, a safer course of action is to have a private, offline, one-on-one conversation with that patient. Alternatively, there are HIPAA-compliant Text Message Systems available from PatientGain.com.
What is a medical practice allowed to do on social media that will enable them to remain in compliance with HIPAA?
There are so many rules regarding HIPAA and social media that it may seem like it is not worth spending time on this marketing channel. However, social media is still a powerful online marketing tool that medical practices should use, and there are several ways these social media channels can be used while staying within compliance. Below are some helpful hints for medical practices to stay on the right side of HIPAA.
Posting on social media channels and remaining within HIPAA compliance
There are several ways to post on social media channels and share information without violating HIPAA by disclosing personal health information. One of the most popular posts that medical practices make is informational posts or advice posts that apply to many different patients. This information can be posted across social media channels and blogs without risking HIPAA issues. These posts could be research or other articles about health conditions or tips and advice from doctors that could apply to any patient.
The most important aspect of these posts is not referencing actual cases or patients that have visited a medical practice. As long as a medical practice does not explicitly mention an experience with one of their patients, it can be generally accepted that they comply with HIPAA. Remember, this goes beyond just naming a patient or sharing their pictures. For example, a medical practice could say, “Here are some tips to prevent muscle strains and sprains while working out,” but would not be able to say, “Here are some tips to prevent muscle strains and sprains we shared with a patient on Saturday who came in after a baseball game with a sore knee.” As you can see, the 2nd statement is sharing too much and violates HIPAA privacy rules.
Another popular type of post is promoting a special event a medical practice is participating in. These can include:
- Marking milestones (such as an anniversary or 10,000th patient)
- Participating in a local event, like a Community Day or Spring Festival
- Receiving a business award
- Receiving special recognition from the local government
- Receiving special recognition from other colleagues
- Local news article featuring a provider at the medical practice
Finally, the last type of post that promotes good engagement without any HIPAA problems is posts that introduce providers and staff to a community. These types of posts help put faces with the names of the people treating patients. This helps increase familiarity with patients and staff, which can generate future appointments and other patient needs for a medical practice. Some things to share when introducing staff and sharing bios:
- How long they have worked at the medical practice
- How long they have done their duties in their position, such as how long they have been a doctor or a medical assistant
- Where they received their education
- Their favorite hobbies, movies, and music
- Recent professional accomplishments, such as certifications
- Recent accomplishments, such as running in a marathon or volunteering to build houses
Responding to reviews of medical practices
Reviews are crucial to the success of a medical practice. Online reviews from other patients can make or break the success of a practice. They are immensely valuable, and many medical practices wisely spend time trying to get as many positive reviews as possible. With that said, it is equally vital for a medical practice to refrain from responding to reviews that share personal health information or PHI. A medical practice needs to be careful when responding to positive or negative reviews. The safest way to reply to reviews that allows a medical practice to remain in compliance includes:
- Thanking the patient for their review
- Suggesting that a patient contact a medical practice if they have concerns, questions, or need clarification
- Offering to meet with a patient who has had a bad experience to rectify their issues
These responses to reviews will show current and possible future patients that a medical practice takes feedback seriously. It will show them that an owner will go the extra mile to ensure that a patient is satisfied with their care.
Who must follow HIPAA Privacy Rules?
HIPAA rules apply not only to the social media accounts of medical practices but also to the accounts of staff and providers. Any staff member with access to personal health information must comply with the rules HIPAA lays out to protect patient privacy. This means that the doctors and staff of a medical practice can not share PHI on their personal social media accounts. They can share official HIPAA-compliant posts from a medical practice’s social media accounts, but they can not make any posts that may reveal the identity of any patients.
A medical practice should establish and enforce a social media policy for their employees. These policies should instruct their staff to exclude any work-related posts on their personal social media accounts. The policy should also denote restrictions on public conversations, controversial opinions, and friendships with patients. There should be consequences for employees if their actions violate HIPAA privacy rules. A medical practice should refresh current and new employees on these policies and monitor them for compliance.
The experts at PatientGain.com are available to help you create a high-performance healthcare website and assist your providers and staff in using social media without violating HIPAA guidelines. Contact us today and let us show you what we have done for other practices across the country!