The question becomes: how can healthcare professionals use social media channels like Facebook without violating HIPAA privacy and security requirements?
What Can You Post on Social Media?
When it comes to HIPAA and social media, the most important thing to remember is that social media content should NEVER include information that can be used to identify individual patients or their medical records. This kind of data is considered protected health information (PHI) under HIPAA.
PHI is any demographic information that can be used to identify one of your patients. This includes names, full face photos, dates of birth, addresses, Social Security numbers, medical data, and financial information, among others. PHI is strictly protected under HIPAA regulation, outlined in both the HIPAA Privacy Rule and the HIPAA Security Rule.
HIPAA regulation forbids the use of PHI in marketing or social media campaigns, so this should be avoided at all costs to protect your patients’ privacy.
But that doesn’t preclude your practice from having a social media presence. Creating social media accounts for your practice is actually a very effective way to attract new clients and advertise your services.
Below, we list some of the things you can post on social media:
- Health tips that patients might find useful
- Upcoming events patients might like to attend
- New research or findings related to your field
- Honors or awards your organization has been granted
- Profiles or bios of your staff
- Advertisements of your services as long as they DO NOT CONTAIN THE PROTECTED HEALTH INFORMATION of any of your patients (including names, photos, or any other personally identifiable information)
- Discounts or special offers on services you provide
HIPAA Policies and Procedures
Over the past few years, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued extensive guidance on HIPAA compliance and social media. Numerous policies and standards have been broadly distributed that outline exactly how healthcare professionals can ensure that their practice is HIPAA compliant.
One of the most effective ways to protect your practice against HIPAA violations is to have policies and procedures in place to address each of the HIPAA regulatory standards. These policies and procedures should be unique to the needs of your practice–which is why HIPAA policy binders often aren’t enough.
Policies and procedures should be documented and updated year after year to account for changes to the scope, size, or operations of your business. It’s essential that staff members are trained on these policies and procedures as well HIPAA standards in order to protect your practice from liability in the event of a breach.
Social media and marketing policies are key factors to document in your own practice. By standardizing the way that marketing and social media efforts are maintained, you ensure that no sensitive health information will be improperly disclosed on the web. HIPAA social media guidelines are vital for ensuring that PHI remains protected, avoiding potential fines.
Find out more about how a total HIPAA solution can give you the policies, procedures, employee training, and everything else required under the law to make your practice compliant!