fbpx
Blog October 15, 2019

It’s Time to Add Social Media to Your HIPAA Compliance Checklist

Whether they’re not-for-profits or more commercially focused operations, healthcare providers are in the business of healthcare. That means they care about developing relationships with their current customers and attracting new ones. They have to. These customers are what keeps them in business, allowing them to do what they do.

Social selling (i.e., using social media platforms to develop deeper relationships with customers and attract new ones) is gaining in popularity because it works. According to research conducted by the Aberdeen Group, roughly half (49%) of sales teams hit their collective team quota. However, when sales teams effectively incorporated social selling into their strategies, quota attainment rates hit 64%.

Yet, even the most aggressively social organizations recognize that there still needs to be a few dos and don’ts associated with social media usage. Most of these are common-sense guidelines and closely reflect the kinds of behaviors you’d expect people to exhibit in the office. Others, such as not airing workplace grievances in public, are especially important. Even seemingly mundane complaints have the potential to go viral on platforms like Twitter and Facebook.

The Dangers of Social Media in Healthcare

In a healthcare setting, social media policies take on an added importance because it’s easy for employees to accidentally violate HIPAA by sharing PHI (Protected Health Information) on a public platform.

In fact, as I write this, the Department of Health and Human Services’ Office for Civil Rights has just fined a dental office $10,000 for disclosing PHI on Yelp. For those of you not familiar with it, Yelp is a platform where people can post reviews about local businesses. In responding to the review, the dental practice disclosed the patient’s last name along with details of her health condition, treatment plan, insurance, and cost information. (Hat tip to HIPAA Journal for the original story.)

You’d think that gut instinct and employee training would kick in to prevent this from happening, but apparently not. To make matters worse, it wasn’t the first time a disclosure of this sort on social media had taken place. The fact that the dental practice’s fine was only $10K is something of a wonder, but evidently, their willingness to cooperate with investigators worked in their favor.

7 Tips for Using Social Media in Healthcare

If you’ve been reading our HIPAA-related posts, you know that we often use HIPAA violations in the media as “lessons learned.” This case is a perfect example.

In their ruling, the OCR determined the dental practice had not implemented policies and procedures relating to PHI, in particular the release of PHI on social media and other public platforms. Using that as a lesson, let’s look at a few guidelines for leveraging social media in a healthcare setting.

#1 Don’t respond to reviews. This is good advice for any organization, not just healthcare. A counterargument to a bad review just looks bad, even if the customer is completely off-base with their comments.  If the customer specifically asks for assistance in a review, take it offline. Either give them a number to call or contact them directly, if appropriate.

#2 Control social media contributions. For most businesses, the more employees on social media, the better. That’s not always the case for healthcare providers because it increases the likelihood that PHI will be shared.

If you want to use social media to promote your organization, create a company account that is managed by someone in the organization trained in social media usage – and HIPAA regulations. It helps if you choose someone who is not in a customer-facing role as they shouldn’t have access to PHI.

#3 Create guidelines for personal accounts. You can’t ban individuals from having a personal account, nor should you. However, you should establish very clear guidelines on social media expectations, especially if they plan to associate themselves with your organization online (e.g., include their employer/role in their profile).

Whether or not you can fire someone for violating these guidelines isn’t the point. (The verdict is a bit murky on this.) Most people want to do well at work, so knowing what is expected of them helps.

#4 Make HIPAA guidelines crystal clear. Your social media guidelines for personal accounts should include several examples of impermissible PHI disclosure. Give employees pre-crafted messages they can use to direct people to the right offline resource, should they be asked a work-related question on their personal account.

Also, make sure employees know there is a personal liability risk associated with HIPAA violations as well. Though it doesn’t happen often, people have gone to jail over impermissible PHI disclosures. These are usually cases where the employee had malicious intent, and no doubt, your employees are all honest, but make sure they understand their personal liability anyway. Just in case.

#5 Don’t use social media for customer service. You should never use social media to provide customer service such as to answer billing/insurance questions, set appointments, answer health questions, etc., unless it is a secured platform designed for that purpose.

For example, one of our customers, ePreop, has created an online tool specifically geared toward engaging patients and providers in pre- and post-operative care. This proprietary solution is hosted in a secured Azure environment, managed by Connectria. They could never provide this level of service on a public platform, not even if that platform claims to provide a secured area/method for private communications.

#6 Create a written version of your policies and post it in a prominent place. To be effective, social media policies must be written and effectively shared with employees. Like all employee training, reinforcement is also needed. Posting these in a prominent place and regularly holding refresher sessions are two good ways to keep HIPAA compliance top of mind for those employees who use social media.

#7 Monitor mentions. Finally, as part of your overarching HIPAA compliance efforts, you should monitor mentions of your brand on social media. Many of the most popular platforms have basic monitoring tools built-in, but you can also invest in more sophisticated brand monitoring tools for even tighter control. Knowing how/when your employees are engaging with customers online will help you adjust your social media practices to better meet HIPAA requirements.

The Good That Social Media Can Do

Yes, you can use social media to promote your healthcare practice. You can increase visibility and create goodwill in the community. In some cases, you can even use it to do some good, e.g., letting people know about an air-born illness that’s going around and how they can protect themselves. Social media is an effective way to reach people in this day and age, but like all powerful tools, it should be used with caution.

We don’t advise clients on social selling policies as a matter of course, but the example of the dental practice’s HIPAA violation caught our eye, in part, because we’re big social media users ourselves. But more than that, a large part of our business is providing HIPAA-compliant hosting and managed cloud services to healthcare providers. If you’re interested in learning more about the services we provide, you can reach out to us on the web…or on social media, of course!

Related Resources

 
The Best Ways to Find HIPAA-compliant Cloud Storage
The healthcare cloud computing market is forecast to reach $15.50 billion by 2024. That’s not surprising given the number of healthcare companies signing on for the…
 
Can HIPAA Data Be Stored in the Cloud?
Healthcare organizations are increasingly being tasked with securely handling the vast amount of electronic protected health information (ePHI) they obtain through multiple forms of technology.…
 
Are Smartphones HIPAA Compliant?
According to Pew Research, 81% of Americans now own a smartphone, and many employers are implementing BYOD (Bring Your Own Device) policies, which allow workers…