Back in 1996 when HIPAA was created, social media consisted of chat rooms. No one at the time could have imagined social media’s future impact. Although the HITECH Act of 2009 updated some of HIPAA’s sections to better handle technology, it still didn’t address social media.
The lack of clear guidelines may leave you feeling vulnerable. If you do interact with patients on social media, you may wonder if your interactions are HIPAA compliant or not. In fact, it can be surprisingly easy to cross the line without realizing it.
But the relationship between HIPAA and social media isn’t a mystery. Here’s what you need to know about complying with HIPAA on social media.
HIPAA and social media in a nutshell
“30% of adults are likely to share information about their health on social media sites with other patients, 47% with doctors, 43% with hospitals, 38% with a health insurance company and 32% with a drug company.”
Under HIPAA, medical practices need to safeguard protected health information (PHI). A large part of this includes limiting access to information — it should only be available on a need-to-know basis. You must protect PHI from anyone who doesn’t have a right to access it, including well-meaning family members.
On social media, you need to avoid posting any of the following:
- Images and videos of patients, even with the faces blurred out.
- Gossip about patients, even if it doesn’t use their names or images.
- Any information that could identify a patient — for example, if you filmed a surgery without showing the person’s face but the patient had an identifiable feature that made it possible for them to be recognized.
- Photos or videos of patients inside your practice. Even if they’re in the lobby but no PHI is visible, their presence suggests that they are patients, which is also a violation.
- The patient’s information, even when the patient initiated the discussion or you have written permission.
It should be clear to anyone managing social media accounts to “never share PHI.” But there is an exception you need to know about.
HIPAA has a marketing exception that can benefit your practice. It’s a good way to improve public perception and grow your practice. It can also help you get a higher ROI when using social media to market your practice.
HIPAA’s marketing exception
“60% of consumers say they trust doctors’ social media posts.”
According to the Health and Human Services (HHS) website, “A covered entity must obtain the individual’s written authorization for any use or disclosure of protected health information that is not for treatment, payment or healthcare operations or otherwise permitted or required by the Privacy Rule.” HHS specifies that this includes authorization for the purpose of marketing. Moreover, HHS defines marketing as “any communication about a product or service that encourages recipients to purchase or use the product or service.”
How does this work in practice? Let’s imagine that you’re a cosmetic dentist. The best way to promote your services is by showing before-and-after images. But you might hesitate because of HIPAA.
Don’t worry. You can share these images on social media. You can even include whole, smiling faces. But first you need to have the patient sign a release form.
The same applies to medical practices, hospitals, nonprofits, and any other organization that’s required to stay HIPAA compliant. You can use images, stories, and testimonials. However, the patient must sign a HIPAA medical information release form. Doing so will protect both the patient’s privacy and your practice.
How to create a HIPAA-compliant form for social media
It’s important to realize that not just any release form will do. To be compliant, the form itself must be HIPAA-compliant.
The form should include
- The information that will be shared: location, medical condition, treatment, outcome, age, etc.
- Exactly how the information or images are to be used. Will they appear in an advertising campaign? Will you make them part of a blog post?
- How long the information or images will be used. Give it an expiration date. You can renew later if the patient agrees.
- A statement that the patient can revoke the authorization for any reason at any time.
- A statement that the patient can obtain a copy of the form upon request.
- Easy-to-understand wording and explanations.
Be as clear and detailed as possible. Being vague to keep your options open isn’t a smart business practice. You could be breaking the law if the patient feels you used their information in a way they didn’t intend.
In addition to the details, any forms should be transferred and stored in a HIPAA-compliant way. You can make sure this happens by creating and enforcing a social media policy.
How to create a HIPAA-compliant social media policy
Every business that has access to PHI needs a clear social media policy. There should never be any confusion regarding what can be shared and when it can be shared.
- Create an electronic filing system. You should be able to sort forms by expiration date and quickly retrieve them so that the scope of the authorization can be reviewed before any information is shared.
- Develop policies and procedures. Your policies should explain how forms are obtained and stored. They should clearly state what is off-limits without a HIPAA authorization form. Your procedures should also include verifying that you have HIPAA and social media authorization every time PHI is to be shared.
- Set up an audit system. Your policy should include how you ensure that others are following protocol regarding HIPAA and social media. Having an audit trail for your forms and any content published on social media will help you see whether or not the policy was followed.
Doing HIPAA compliance and social media right
Social media can have many downsides in healthcare. Misusing patient information and sharing it in public or private discussion groups can lead to fines, a bad reputation, and potentially a lawsuit. To avoid this, you need to have well-trained employees and the right procedures in place.
There are positive ways to use social media in healthcare, such as growing your practice through marketing initiatives, before-and-after photos, and testimonials. You just need to make sure you get HIPAA-compliant authorization forms filled out by the patient before you share anything on social media.