HIPAA and social media use can lead to some of the most common misunderstandings that health care professionals face. Employees who aren’t properly trained on HIPAA and social media can expose your organization to potential HIPAA violations and costly fines.
Whether your practice is using Facebook to attract new clients, or your employees are posting about their workday on Twitter, improper use of social media can lead to major problems for health care professionals.
The question becomes: how can health care professionals use social media without violating HIPAA privacy and security requirements?
What Can You Post on Social Media?
When it comes to HIPAA and social media, the most important thing to remember is that social media content should NEVER include information that can be used to identify individual patients or their medical records. This kind of data is considered Protected Health Information (PHI) under HIPAA.
PHI is any demographic information that can be used to identify one of your patients. This includes names, full face photos, dates of birth, addresses, social security numbers, medical data, and financial information, among others. PHI is strictly protected under HIPAA regulation, outlined in both the HIPAA Privacy Rule and the HIPAA Security Rule.
HIPAA regulation forbids the use of PHI in marketing or social media campaigns, so this should be avoided at all costs to protect your patients’ privacy.
But that doesn’t preclude your practice from having a social media presence. Creating social media accounts for your practice is actually a very effective way to attract new clients and advertise your services.
Below, we list some of the things you can post on social media:
- Health tips that patients might find useful
- Upcoming events patients might like to attend
- New research or findings related to your field
- Honors or awards your organization has been granted
- Profiles or bios of your staff
- Advertisements of your services as long as they DO NOT CONTAIN THE PROTECTED HEALTH INFORMATION of any of your patients (including names, photos, or any other personally identifiable information)
- Discounts or special offers on services you provide
HIPAA Policies and Procedures
Over the past few years, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued extensive guidance on HIPAA compliance and social media. Numerous policies and standards have been broadly distributed that outline exactly how health care professionals can ensure that their practice is HIPAA compliant.
One of the most effective ways to protect your practice against HIPAA violations is to have policies and procedures in place to address each of the HIPAA regulatory standards. These policies and procedures should be unique to the needs of your practice–which is why HIPAA policy binders often aren’t enough.
Policies and procedures should be documented and updated year after year in order to account for changes to the scope, size, or operations of your business. It’s essential that staff members are trained on these policies and procedures as well in order to protect your practice from liability in the event of a breach.
Social media and marketing policies are key factors to document in your own practice. By standardizing the way that marketing and social media efforts are maintained, you ensure that no sensitive health information will be improperly disclosed on the web.
Find out more about how a total HIPAA solution can give you the policies, procedures, employee training, and everything else required under the law to make your practice compliant!