In the traditional sense, Twitter is not HIPAA compliant. Why? Twitter does not sign business associate agreements (BAAs) with users.
Twitter’s Terms of Service state: “You are responsible for your use of the Services and for any Content you provide, including compliance with applicable laws, rules, and regulations. You should only provide Content that you are comfortable sharing with others.”
Signed BAAs are a crucial part of HIPAA as they ensure that the business associate (in this case, Twitter) protects the privacy and security of patient information following HIPAA standards.
That doesn’t mean you can’t use Twitter to promote your healthcare practice. It means you cannot share protected health information (PHI) or upload patient lists on Twitter.
Twitter for Healthcare Professionals
HIPAA and Twitter don’t mix. So, how can you use Twitter to promote your practice without violating HIPAA? Use Twitter to build awareness and your brand.
You can post things such as:
- Health tips that patients might find useful
- Upcoming events patients might like to attend
- New research or findings related to your field
- Honors or awards your organization has been granted
- Profiles or bios of your staff
- Discounts or special offers on services you provide
- Advertisements of your services as long as they DO NOT contain the PHI of any of your patients (including names, photos, or any other personally identifiable information)
What you shouldn’t post on Twitter:
- Don’t create ads or posts using patient information or PHI (including names, photos, or treatment information) without obtaining explicit permission from the patients involved.
- Don’t allow staff members to take photos within the practice if there is the potential that PHI (such as documents, fax sheets, print-outs, or computer screens) will be visible.
If you are going to use Twitter to promote your practice, it is vital that staff members who manage your social accounts know what information they can and cannot share. To ensure this, create HIPAA marketing policies and procedures for employee social media use that capture the necessary regulatory standards and set limits on what employees can and cannot post.
Patient Testimonials and Authorization
If you’d like to share patient testimonials or success stories on Twitter, you can, but only with patient authorization. You need signed patient consent before you share any of their information on social media. The patient authorization form must explicitly state what their information will be used for. If you’d like to use their information for a different purpose, you must have them sign another authorization form that states that purpose.