Social media has become an essential part of promoting a business, but as a healthcare provider or company you must consider how HIPAA and social media intersect. Whether you are responding to an online patient review or increasing patient engagement through social media posts, mistakes in managing social media can be detrimental to your practice. How can your practice use social media without violating HIPAA requirements? HIPAA compliant social media use comes down to a few things: know what information you are allowed to share and with whom you can share it, and make sure your employees know the same.
HIPAA and Social Media: What Can Be Shared and With Whom?
When it comes to HIPAA and social media, the most important thing to remember is that social media content should never include patient information. Patient information, or protected health information (PHI), must be kept private and confidential. Healthcare providers can share PHI for the provision of healthcare, that is, with staff members who need access to perform their jobs, with other physicians treating the patient, and with the patient’s health plan. The only exception to this rule is when the patient signs an authorization form permitting disclosure to other parties.
Your practice may want to share patient testimonials on your website or social media pages. HIPAA allows this only when patients provide prior written consent. Without consent, sharing PHI in a public forum is a HIPAA violation. Although you cannot share PHI on social media, it can still be a valuable tool for promoting your practice. Some ways you can use social media include:
- Providing health tips that patients might find useful
- Promoting upcoming events patients might like to attend
- Sharing honors or awards your practice has been granted
- Posting profiles or bios of your staff
- Advertising your services, as long as the ads contain no PHI (including names, photos, or any other personally identifiable information)
- Offering discounts or special offers on the services you provide
Is Facebook HIPAA Compliant?
As arguably the most popular social media platform, Facebook is the subject of one of the first questions asked about HIPAA and social media: is Facebook HIPAA compliant? That depends on how it is used. If your practice uses Facebook to promote your services to a general audience, HIPAA isn’t a factor. However, once PHI is introduced to the platform, the use of Facebook violates HIPAA. Why would you want to input PHI into Facebook?
Facebook is often used for advertising to “lookalike” audiences. These are audiences that match the demographics of your current client base. Lookalike audiences are built by uploading your clients’ demographic information to Facebook. HIPAA strictly forbids this practice because Facebook will not sign a business associate agreement (BAA), leaving the uploaded PHI vulnerable to unauthorized use or disclosure.
Additionally, your practice should not send friend requests to patients, as doing so undermines their confidentiality. The use of the Facebook Messenger and Calling features is also not HIPAA compliant. The answer to the question “is Facebook HIPAA compliant” is no under most circumstances. The only ways to use Facebook and maintain your compliance are through ads targeting a generic audience or through sharing patient testimonials (and only after obtaining the patient’s explicit permission).
HIPAA and Social Media Training for Employees
HIPAA compliant social media use ultimately comes down to employee training. When employees are unaware of HIPAA’s restrictions on social media, they can expose your practice to HIPAA violations and costly fines. Small practices have been fined for social media violations such as responding improperly to patient reviews and posting patient images without consent. Avoiding these types of incidents is straightforward: train employees on best practices. See TBHI’s training course HIPAA Compliant Social Media for Professionals: Top 5 Things You Can Do Tomorrow Morning to Protect Your Practice.
Suppose your practice uses Facebook to attract new patients, respond to online reviews, or post patient testimonials. In that case, the employees managing your social media accounts must understand HIPAA compliant social media practices. Even employees who aren’t charged with managing your social media should understand what is and is not allowed. This is especially true now that smartphones and social media have become the norm at work.
See TBHI’s upcoming webinar for more information: HIPAA Compliant Social Media for Professionals: Top 5 Things You Can Do Tomorrow Morning to Protect Your Practice.
This Article is Contributed by the HIPAA Compliancy Group
Need assistance with HIPAA compliance? The Compliancy Group can help!