It’s Time to Add Social Media to Your HIPAA Compliance Checklist
Connectria
Author
Date
October 15, 2019
Whether they’re not-for-profits or more commercially focused operations, healthcare providers are in the business of healthcare. That means they care about developing relationships with their current customers and attracting new ones. They have to. These customers are what keeps them in business, allowing them to do what they do. Social selling, the use of social media platforms to develop deeper relationships with existing and new customers, is gaining in popularity because it works.
Yet, even the most aggressively social organizations recognize that there still needs to be a few dos and don’ts associated with social media usage. Most of these are common-sense guidelines and closely reflect the kinds of behaviors you’d expect people to exhibit in the office. Others, such as not airing workplace grievances in public, are especially important. Even seemingly mundane complaints have the potential to go viral on platforms like Twitter and Facebook.
The Dangers of Social Media in Healthcare
In a healthcare setting, social media policies take on added importance because it’s easy for employees to accidentally violate HIPAA by sharing PHI (Protected Health Information) on a public platform.
In fact, as I write this, the Department of Health and Human Services’ Office for Civil Rights has just fined a dental office $10,000 for disclosing PHI on Yelp. For those of you not familiar with it, Yelp is a platform where people can post reviews about local businesses. In responding to the review, the dental practice disclosed the patient’s last name along with details of her health condition, treatment plan, insurance, and cost information. (Hat tip to HIPAA Journal for the original story.)
You’d think that gut instinct and employee training would kick in to prevent this from happening, but apparently not. To make matters worse, it wasn’t the first time disclosure of this sort on social media had taken place. The fact that the dental practice’s fine was only $10K is something of a wonder, but evidently, their willingness to cooperate with investigators worked in their favor.
7 Tips for Using Social Media in Healthcare
If you’ve been reading our HIPAA-related posts, you know that we often use HIPAA violations in the media as “lessons learned.” This case is a perfect example.
In their ruling, the OCR determined the dental practice had not implemented policies and procedures relating to PHI, in particular the release of PHI on social media and other public platforms. Using that as a lesson, let’s look at a few guidelines for leveraging social media in a healthcare setting.
1 Don’t respond to reviews
This is good advice for any organization, not just healthcare. A counterargument to a bad review just looks bad, even if the customer is completely off-base with their comments. If the customer specifically asks for assistance in a review, take it offline. Either give them a number to call or contact them directly, if appropriate.
2 Control social media contributions
For most businesses, the more employees on social media, the better. That’s not always the case for healthcare providers because it increases the likelihood that PHI will be shared. If you want to use social media to promote your organization, create a company account. Make sure it is managed by someone internally, trained in social media usage, and HIPAA regulations. It helps if you choose someone who is not in a customer-facing role as they shouldn’t have access to PHI.
3 Create guidelines for personal accounts
You can’t ban individuals from having a personal account, nor should you. However, you should establish very clear guidelines on social media expectations. Especially, if they plan to associate themselves with your organization online.
4 Make HIPAA guidelines crystal clear
Your social media guidelines for personal accounts should include several examples of impermissible PHI disclosure. Give employees pre-crafted messages to direct people to the right offline resource, should they be asked a work-related question on their personal account.
Also, make sure employees know there is a personal liability risk associated with HIPAA violations as well. Though it doesn’t happen often, people have gone to jail over impermissible PHI disclosures. These are usually cases where the employee had malicious intent. Ensure your employees understand their personal liability.
5 Don’t use social media for customer service
You should never use social media to provide customer service such as to answer billing/insurance questions, set appointments, answer health questions, etc., unless it is a secured platform designed for that purpose.
For example, one of our customers, ePreop, has created an online tool specifically geared toward engaging patients and providers in pre- and post-operative care. This proprietary solution is hosted in a secured Azure environment, managed by Connectria. They could never provide this level of service on a public platform.
6 Create a written version of your policies and post it in a prominent place
To be effective, social media policies must be written and effectively shared with employees. Like all employee training, reinforcement is also needed. Regularly holding refresher sessions is a good way to keep HIPAA compliance top of mind for those employees who use social media.
7 Monitor mentions
Finally, as part of your overarching HIPAA compliance efforts, you should monitor mentions of your brand on social media. Many of the most popular platforms have basic monitoring tools built-in. However, you can also invest in more sophisticated monitoring tools for even tighter control. Knowing how and when your employees are engaging with customers online will help you adjust your social media practices to better meet HIPAA requirements.
The Good That Social Media Can Do
Yes, you can use social media to promote your healthcare practice. You can increase visibility and create goodwill in the community. In some cases, you can even use it to do some good. Social media is an effective way to reach people in this day and age, but like all powerful tools, it should be used with caution.
Contact Connectria for more information. We don’t advise clients on social selling policies, but a large part of our business is providing HIPAA-compliant hosting and managed cloud services to healthcare providers.
Keep Reading
Prepare for the future
Tell us about your current environment and we’ll show you the best path forward.
Fast track your project. Give us a call.