Can We Post This? What You Need to Know About HIPAA and Social Media
Social media has become a powerful communication tool that many industries use to build brand awareness, engage customers, and facilitate marketing and sales, as well as fundraising activities. When healthcare organizations leverage social media to advance their business goals, they must be careful to avoid HIPAA compliance violations pertaining to the privacy and security of protected health information. The following sections explore what healthcare organizations can and cannot do on social media by offering strategies for using the medium appropriately and compliantly.
What Are Healthcare Organizations Allowed to Do on Social Media?
Although healthcare organizations may be very limited by HIPAA in how they can use social media, there are a few permissible activities such as sharing videos with the patient’s full permission, using de-identified, grouped data to communicate about trends, and telling hypothetical stories without using patient names or details.
Even within these activities, however, organizations must be cautious and take steps to prevent an inadvertent data breach. For example, before sharing videos, baby pictures, or other patient visuals, an organization must obtain and document the patient’s or guardian’s permission in writing. When acquiring permission, the organization should outline the media platform(s) on which the picture or video will appear, and in what context.
If an organization wants to tell a story about a patient care episode to make a point or communicate an overarching message, it must make sure that the story is generalized enough that it cannot realistically be tied back to an individual. If there is any chance that people, including the patient, would recognize that the story is about that particular patient, then the organization will need to obtain written permission before posting about the incident.
What Are Healthcare Organizations NOT Allowed to Do on Social Media?
A key action that healthcare organizations should closely monitor is responding to social media reviews. More and more patients are using the internet to research providers, and there are many opportunities for patients to comment on the experiences they’ve had with an organization. Patients are well within their rights to do this, however, if a healthcare organization chooses to respond, it cannot in any way indicate that the patient visited the facility or was treated by the provider. Even thanking a patient for visiting the office would most likely be considered a HIPAA violation. Regarding patient reviews, organizations can either refrain from responding altogether or offer a professional and cordial response, keeping it general and policy based. Some sample responses could include:
- “Thank you for your review. Per our policy, we try our best to see patients as efficiently as possible without sacrificing our commitment to provide quality health care.”
- “Thank you for your kind words. Our practice strives to perform at the highest standards of our policy to provide quality medical services.”
- “It is our policy to protect patient information and discuss important matters offline. Please call us at [888-888-8888] so that we can help right away.”
If an organization responds inappropriately, the patient has the right to file a complaint with the Office of Civil Rights, indicating that the organization wrongfully disclosed protected health information and violated HIPAA standards. This can result in an investigation and severe penalties.
One type of customer review that organizations may start to see more regularly pertains to information blocking—a concept stemming from the 21st Century Cures Act that requires organizations to offer patients easy and unfettered access to their health information. As people become more familiar with the new rule, they may feel that delays—even those that are considered reasonable—constitute information blocking, and they may choose to comment about it on social media sites. It’s important to remain consistent in responding to these complaints. The organization should treat those reviews in the same way it treats all others, keeping responses generic and professional.
Although the occasional unflattering review is not unusual, if an organization starts to see multiple, negative reviews that seem to reflect a pattern of an individual or individuals using social media as a weapon, organization leaders should alert legal counsel and receive guidance on how to appropriately protect the organization and its providers from slander. There are vendors available that may be able to help restore a practice’s reputation in such cases.
Can Staff Post about a Patient Interaction, Even if Names Are Not Mentioned?
Staff should never independently post anything about a patient on social media, even if they don’t specifically mention the patient’s name. If it’s discovered that a staff member has posted about a patient on a public or private social media page, it will be considered a HIPAA violation, and the healthcare organization can be cited for failing to adequately train and manage its staff. For most organizations, this type of action is considered a staff terminable offense.
How Can Organizations Prevent Social Media HIPAA Violations?
First and foremost, organizations should be extremely careful about what they post on social media and have a defined policy that explicitly outlines what is and is not allowed. Depending on the organization, this may be a stand-alone document or one that is part of a broader email, texting, and Internet use policy. Such a document should be crafted in conjunction with an expert who is familiar with the nuances of HIPAA and how the regulations relate to social media. Although organizations may have such a resource on staff, most will need to work with an outside compliance expert like Stericycle. We can provide sample policies that offer clear direction on how to sustain reliable compliance.
In conjunction with the policy, organizations should regularly educate and train staff on social media use and HIPAA. Like other types of training, staff should receive information at new hire orientation and annually during refreshers. It is also a good idea to periodically provide education at other times during the year, such as at staff meetings or in company newsletters. Training should make it clear what staff can and cannot do, and their role in preserving patient privacy and security. It may be worth emphasizing the importance of not responding to negative comments on social media or having scripted responses that are within the limits of HIPAA. Negative comments or feedback can be a point of frustration for staff, especially if the comments are unfounded. That said, it is critical that staff either refrain from responding to patient comments altogether or respond in an appropriate manner that prevents improper disclosure of protected information.
Learn more about how Stericycle can help your organization ensure consistent and reliable HIPAA compliance.