5 Ways to Stay HIPAA Compliant When Using Social Media

More consumers than ever are turning to social media to provide them with education and information about their health.

According to one study, more than 40% of those surveyed said that information found via social media affects the way they deal with their health, and 90% of respondents in a different survey noted that they would trust medical information if it were shared via social media.

Aside from getting their healthcare information online, 30% of adults also post about their own health-related concerns using social media sites, and 47% of doctors use social media for both professional and personal dissemination of healthcare-related information.

This means that healthcare providers are also feeling the pressure to use social media as a resource to connect with patients and address healthcare topics.

But a doctor, healthcare office or even hospital using social media is not the same as a traditional user. There are several compliance issues that healthcare professionals must address before posting things online, one of the biggest being HIPAA.

Doctors and other healthcare providers need to understand what’s appropriate to say online and how to use social media without violating patient privacy.

What to Know About HIPAA and Social Media

It’s important to be aware of both HIPAA and state laws when it comes to disclosing patient protected health information online. Even posting something as simple as a photo or patient name can incur fines and other penalties.

According to Healthcare Compliance Pros, a few of the most common HIPAA violations in regards to social media include:

• Posting verbal “gossip” about a patient to unauthorized individuals, even if the name is not disclosed
• Sharing of photographs, or any form of personal healthcare information without written consent from a patient
• Sharing of seemingly innocent comments or pictures, such as a workplace lunch which happens to have visible patient files underneath

It’s also possible for private posts to unintentionally be made public, forget to be deleted, or get saved by a third-party without the poster’s knowledge, leading to HIPAA violations that the healthcare provider is otherwise unaware of.

Staff may also accidentally disclose private healthcare information on their personal accounts, which in some cases may leave the healthcare office liable.

Giving healthcare advice over social media can also be a minefield for compliance issues, especially if patients use their real names on social media to contact physicians or ask healthcare-related questions.

How to Prevent Social Media HIPAA Violations

Unfortunately, it can be relatively easy to infringe on a patient’s personal information using social media. But as they say, an ounce of prevention is worth a pound of cure. Here are a few things healthcare providers should know about preventing HIPAA violations before they happen.

1. Don’t post patient information or situational details. This may seem like a no-brainer, but it does happen. In one instance, a nurse unintentionally identified a man being treated for a gunshot wound after she posted about him on Facebook (she was later fired). Even if you don’t include a patient name, assume that anyone patient’s information can still be traced if you post about the circumstances.

2. Don’t assume information is private. If something is online, chances are that it will stay online in one form or another. Deleting a tweet or removing a Facebook post doesn’t guarantee that you’re in the clear, so it’s essential that healthcare providers catch HIPAA violations before they ever make it online.

3. Do create an office-wide social media policy. According to the Institute for Health, 31% of healthcare organizations have specific social media guidelines in writing. Having a written policy ensures that everyone in the office is on the same page and that staff is aware of any limitations before a violation occurs.

4. Do put someone in charge that understands HIPAA. The fewer people that post to social media on behalf of your office, the better. It’s generally a good idea to only have one or two people in charge of social media for your clinic. Choose staff that understand HIPAA’s rules and can monitor accounts for any potential violations.

5. Do get written permission from patients first. There may be certain circumstances where you wish to share a patient testimonial or answer a question. It’s important to have the patient’s written consent before posting, and even after receiving consent to keep as much personal information private as possible.

If a HIPAA violation has occurred, providers should delete any related social media posts and consult with a legal advisor about next steps to protecting the patient’s rights.

Tips for Healthcare-Related Social Media Posts

Being cautious of what you post on social media shouldn’t stop you from posting completely, however. There are many great ways healthcare providers can use social media to connect with patients and provide education to those searching online. Here are a few tips to ensure that your posts remain HIPAA-compliant in the process.

Give staff members examples. In your social media policy, provide employees with examples of HIPAA violations so they can see what’s okay to post and what’s not. They should understand that certain circumstances can trigger HIPAA violations even if patient names aren’t directly released.

Have a strategy and plan ahead. Planning your social media posts ahead of time and having someone review them before they go online can help minimize any potential risks of violations. Don’t allow staff members to respond directly to patients online unless they fully understand the policies you have in place.

Watch your social media accounts. Making sure to regularly check your social media account activity can help you catch potential violations when they happen so posts can be removed quickly. Wherever possible, save and capture any social media posts that fall in a gray area in case they need to be addressed later.

Maintain appropriate boundaries with patients. Be careful about addressing complaints or giving medical advice directly on social media. Point patients back to your website or invite them to contact a doctor if they have healthcare-related questions that may violate HIPAA if answered online.

Keep business and personal accounts separate. Many doctors and physicians use one account for both personal and professional posts, but this increases the odds of encountering a violation. As much as possible, attempt to keep personal and professional accounts separate. Just remember that you could still be held liable for violations on your personal account, too.

Talk about conditions, treatments and research. Even if you’re wary of posting testimonials or advice, you can still provide education related to healthcare. Writing about various medical conditions, treatment options, research, or other topics can help educate patients while improving your online visibility without running into any major compliance issues.

Find out 5 more ways you can share HIPAA compliant content on you social media platforms. Download our free resource to learn more.

Final Thoughts

Remember that what happens online often stays online, so it’s better to prevent HIPAA violations from happening rather than deal with the aftermath of one. Taking steps to address these issues (by creating office policies and monitoring accounts, etc.) can keep your clinic compliant.

If you have said policies in place, feel free to use social media as a tool for educating patients about important medical issues. While HIPAA compliance is a big deal, it shouldn’t stop you from using social media all together.

Consider putting one or two people in charge of your office’s social media accounts that understand HIPAA and know what’s okay to post and what’s not. Make sure to plan ahead and consult with compliance experts as often as needed to keep patient information secure.