Social media is quickly becoming one of healthcare’s best marketing tools.
Over 75,000 healthcare professionals use Twitter for everything from sharing news about their practices to discussing treatments and answering patient questions.
Other social sites, like Facebook, are also growing in popularity, as live video is transforming how doctors and other practitioners interact with their patients directly.
But medical advice shared online walks the borders of sensitive issues, like privacy and HIPAA — how much social sharing is too much?
Here’s what every healthcare provider on social media should know about its uses and best practices.
1. Know What Constitutes a HIPAA Violation on Social Media
The same HIPAA rules that apply to the office apply to social media, but social media can sometimes feel more inviting for those who love a little gossip.
There’s a level of anonymity about posting on sites like Twitter that makes it easier to share sensitive information.
People who are shy in real life often have an easier time sharing their thoughts in a Facebook update, for example, or “liking” or commenting on posts they would ignore if they were real-life conversations.
Because of this, it’s important that any staff who post to social media or answer questions from the office remain vigilant about what they post.
A few common examples of potential HIPAA violations on social media include:
- Gossip about patients, even if the name is excluded
- Sharing of photos with patients included in them without the patient’s permission or written consent
- Sharing photos or videos with visible patient information, such as writing on a whiteboard or files sitting on a desk
Penalties for these types of posts (under the HIPAA Privacy Rule) include fines that range from $100 to $1,500,000, or criminal penalties that result in fines up to $250,000 and up to 10 years in prison. Additionally, clinics and practitioners can face lawsuits and termination over inappropriate postings.
So the first step to making sure you’re HIPAA compliant is to remember that HIPAA still applies to photos, posts and comments on social media, too.
You can learn more about social media-related HIPAA policies on the HHS website.
2. Train ALL Staff Members on Proper Uses of Social Media
Just because a staff member posts from a private social account, or posts to social media outside of work hours, doesn’t mean they’re not liable for the content posted.
All staff members and practitioners should know that the clock never stops for them when it comes to violating HIPAA.
If possible, create guidelines for social media use that you can hang around the office as well as print out for staff to take home with them as a reminder.
Constant reminders of social etiquette will go a long way to preventing unnecessary or harmful social media blunders.
3. Limit Information Shared When Answering Patient Questions
Because patients may use their personal social media accounts to ask questions, it’s important to protect their privacy by limiting the amount of information you share in front of other users.
For example, if someone asks a question about a personal condition (e.g. “I have a rash, help!”) answer in broad terms.
Here’s an excellent example from a registered nurse answering the question, “What should I do if doctors do not know what is causing my rash?” on Quora:
She provides clear instructions for what the questioner should do next (find symptoms, contact a specialist, do some research) without asking further invasive or personal questions.
A wrong approach would have been to ask, “Can you describe your symptoms?”
Asking potential patients to give symptoms publicly may put you in hot water with HIPAA if you’re not very careful.
But answering the question to the best of your understanding, without sharing or asking for additional private information, is often a safe approach.
4. Use Private Communication Methods If Questions are Too Specific
In the above example, the questioner wasn’t asking for advice from a specific provider, however.
What happens if someone contacts your clinic, or you personally as a practitioner?
The best thing to do in this situation is to invite the user to privately message (PM) or direct message (DM) you on the social site, so they can ask questions away from prying eyes.
You can then give them more detailed answers to their questions, or, better yet, give them a way to contact your clinic and invite them to see you if the situation calls for it.
One word of caution: Be sure that your private messages are private.
No one at the practice who is unauthorized to use the account should have access to private messages between the social media account holder and the patient or potential patient.
You should also double check that conversations are being held privately and not in a comment section.
Facebook, for example, has several ways to reply to users depending on the situation.
You can respond to comments on public or private posts, send a PM/DM to Facebook Messenger, respond to questions on forums (Private Pages or Public Pages) or post answers directly to a personal page.
Only one of those things is truly confidential, so it’s important to keep that in mind (hint: Facebook Messenger, though a secure email connection is better).
5. Do Host Q&A Sessions on Social Media
While much of what is said here should have you thinking, “Safety first!” you shouldn’t be scared of answering questions on social media.
You just have to know which information to protect (again, read through HHS guidelines here).
There are several social media platforms that are perfect for hosting Q&A sessions.
Twitter has “Twitter Chats,” which Hootsuite describes in their Twitter Chat Guide as “like hosting an open house for neighbors to discuss a local issue.”
Using a hashtag like #AskaDoctor or #AskANurse (plus your clinic name) can help you connect with current or potential patients with questions. Just remember to answer questions broadly or ask users to PM/DM you.
Reddit Ask Me Anything (AMA) sessions, as well as Quora, are also popular among many social media users.
Reddit and Quora can both be used to give general healthcare advice without needing to reveal or ask patients for personal information (like the example from #3), which makes them perfect for providers who want to participate but are nervous about HIPAA violations.
In terms of content, feel free to get creative. Just remember to keep things secure.
Social media can be a great space for healthcare professionals to answer questions and address patient concerns.
The key to avoiding HIPAA violations is to watch what you post and to ensure staff understand that HIPAA rules apply after hours, too.
But don’t be afraid to have fun with it.
Use Twitter or Facebook Live to host Q&A. Respond to questions on Quora. Or host an AMA on Reddit.
Don’t be shy of using social media to spread awareness of important issues and respond to real questions. Just make sure that patients know to PM/DM you important details.
And don’t be afraid of giving them your professional email instead.