In our ongoing series on the Health Insurance Portability and Accountability Act (HIPAA), we have examined provisions of this sweeping act and what types of medical practices and ancillary businesses are affected. If your business relates in any way to HIPAA and patient information security, you need to know how to ensure your business is HIPAA-compliant.
The world of social media presents a sort of Pandora’s box to physicians, dentists and any of the many other ancillary businesses involved in the use of Protected Health Information (PHI). It’s very important to remain aware of what you can and cannot say about your patients or customers, in order to avoid violation of HIPAA policies.
HIPAA privacy rules apply to covered entities such as healthcare providers and to the business associates who support them (data transmission providers, data processing firms, document shredding companies, medical equipment companies, audit consultants, medical transcription services, etc.). Here are general tips for these businesses and individuals to follow concerning patient confidentiality.
Keep things general. When interacting with others on social media platforms, always speak as generally as possible, especially regarding patient conditions, treatments, demographics or populations. While it is permissible to talk about medical treatments or research in general terms, you should never mention a patient's name, or any other detail that could identify the patient, without their written authorization.
Offer no medical advice. Should a patient contact you via Twitter, Facebook or another platform, the best policy is to thank them for getting in touch and refrain from offering medical advice. Anyone seeking specific advice should be advised to schedule an office appointment.
Be aware of the “tone” of your posts. Whether you’re a physician or an office manager for a medical supplier, you should always be aware of how you come across in your tweets, posts and updates. Complaining about patients is, of course, in bad taste and should be avoided at all times. As for humorous messages, it’s probably a good idea to run your “joke” by a colleague before posting online. Not everyone may be amused by what you have to say.
Maintain separate professional and personal accounts. Anytime there is a blurring of the line between your profession and your personal life, trouble may ensue. Experts advise setting up separate accounts on Facebook and elsewhere, and keeping discussions in their appropriate place.
Another Facebook warning: if a patient asks to friend you, redirect them to your office page. Engaging in an online relationship with a patient (or customer) can lead to ethical issues and difficulties down the road.
And never disclose any PHI on Facebook or any other platform: that is a clear violation of the HIPAA Privacy Rule.
Don't post patient photographs or testimonials without permission. Some medical practices benefit from sharing photographs of patients (before and after treatment), and the same goes for some related businesses. Always get written authorization before posting a photograph or sharing a patient/customer testimonial on social media, and remember that a photograph showing a patient's face is itself PHI even when no name is attached.
Educate employees. Again, whether we are talking about nurses, receptionists, transcriptionists or accounts management in a pharmaceutical business, everyone should understand the importance of PHI and what they can and cannot do (and say) online. As the employer, you are responsible for any HIPAA violations your staff commit, so it is best to establish written social media policies and procedures, train your staff on them, and be sure they understand and follow them.
Social media is a great way to share general information, build professional relationships and attract patients (and customers) – as long as you follow a few common-sense policies and respect the sanctity of patient information.