How to stay HIPAA compliant when using social media
Now that posting on Facebook, Twitter, Instagram, and various websites is almost a requirement for medical practices, complying with the Health Insurance Portability and Accountability Act (HIPAA) has become infinitely more complicated than it was when patient communications were restricted to face-to-face conversations, telephone calls, faxes, and emails.
The 1996 HIPAA included federal privacy protections for patient health information (HHS HIPAA). Adopted in 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act strengthened the HIPAA privacy rules as they pertain to electronic transmission of health information, including on social media (HHS HITECH).
Essentially, these laws state that patients have control over their own health and medical information, and they prohibit health providers from releasing or sharing a patient’s medical information without patient authorization.1
The same privacy rules that apply to standard communication methods in your practice (eg, face-to-face, telephone, fax, email) also apply to your practice’s social media activities. But in an era in which social media presence is so crucial to the success of your practice, you cannot afford to let fear of HIPAA prevent you from embracing social media and getting the word out about who you are, what you do, and how well you do it.1
As a health care provider, there are steps you can take to maintain your share of voice on social media while ensuring that you remain compliant with HIPAA privacy protections:1
- Review your code of conduct with your staff and make sure they understand that it extends to social media platforms.
- Post your patient privacy policies prominently on all of your social media platforms.
- Review your social media accounts on a daily basis so you can respond quickly to any potential problems and build strong and trusting relationships with patients and the community at large.
But be forewarned: However closely you may monitor your practice’s official social media accounts, it is nearly impossible to police what your staff and employees say and do on their own social media accounts. It is no longer realistic to try to banish social media from your office, because clinicians and staff will bring their own mobile devices to work. The ubiquity of laptops, tablets, and smart phones places an ever-increasing burden on IT administrators charged with the task of providing secure access to networks that contain protected patient information.2
Moreover, any attempt simply to ban social media from the health care workplace does not eliminate the risk of violating HIPAA security protections. Rather, your medical practice needs to have a written HIPAA-compliant social media policy employment statement, as well as procedures for implementing the policy and a mechanism for tracking the results.3
“Although the health care benefits may be many, social media must be viewed through a legal lens, recognizing the accompanying burdens of compliance, ethical, and litigation issues,” wrote Richard E. Moses, DO, JD, Temple University, James E. Beasley School of Law, Philadelphia, Pennsylvania, and colleagues.
“Social media usage within the medical community is fraught with potential legal issues,” wrote Moses and fellow authors in The American Journal of Gastroenterology. “We must continue to educate about the issues involved with the intersection of HIPAA and social media usage.”3
References
1. Travers RL. Social media in dermatology: Moving to Web 2.0. Semin Cutan Med Surg. 2012 Sep;31(3):168-173. doi: 10.1016/j.sder.2012.06.003.
2. Bottles K, Kim J. Evolving trends in social media compliance in medicine. Physician Exec. 2013 Sep-Oct;39(5):96-98.
3. Moses RE, McNeese LG, Feld LD, Feld AD. Social media in the health-care setting: benefits but also a minefield of compliance and other legal issues. Am J Gastroenterol. 2014 Aug;109(8):1128-1132. doi: 10.1038/ajg.2014.67. Epub 2014 Jul 1.