Answer Common HIPAA Questions
How can our practice use social media under HIPAA?
Social media can be an exciting and valuable tool when used wisely; however, it can also put a practice at risk. If you haven’t done so already, create a social media policy for your practice, and seek to understand how employees and providers are using social media, both during and outside of work hours.
A “Social Media Policy” Provides Direction (and Cover)
To ensure you’re protecting your practice from the perils of social media, while still maximizing its potential, designate a social media policy to guide you and your employees’ use of this tool. How you plan to use social media sites for marketing your practice should be clearly defined. Make sure your employees understand what they can post on social media websites from their personal accounts. For instance, what if a patient sends a friend request to one of your employees or providers on Facebook or another online site? Practices can have a policy that restricts “friending” of patients or family members. This allows the provider or employee to politely decline the request, stating that it would be against practice policy.
Resource: See Form A (on the next page) for a Social Media Policy from the Physicians’ Ally, Inc. HIPAA Policy and Procedure binder to use as a guide in creating your own policy.
Patient Privacy Is Paramount
Perhaps the most worrisome concern relative to social media is violating patient privacy protections under HIPAA. Patient privacy should always be a concern when putting information online, even when a practice believes that all patient identifiers have been removed and the information is “de-identified” (i.e., not subject to HIPAA because the information can’t be attributed to any one individual). Often, seemingly de-identified patient case studies or stories can be linked to the specific individual by using commonly available information. One example is a news agency that wanted to cover a story on a teenager who had died from taking a certain medicine. The news agency was able to match details provided by the medical provider in a blog with obituary information to identify the patient and contact her family for a story.
There are countless examples of providers taking seemingly harmless photos of patients’ tattoos, skin piercings, or other seemingly unidentifiable body parts and posting them online, only to learn later that the patient filed a complaint. Medical boards have also disciplined providers for unprofessional behavior related to social media blogs, posts, communications, and images. Disciplinary actions range from a letter of reprimand to revocation of a provider’s license to practice medicine.
Tips to Protect Privacy and More
- Patient privacy and confidentiality must be protected at all times, especially on social media and social networking websites. When using the Internet for social networking, employees and providers should use privacy settings to safeguard patient information to the highest extent possible. They should also realize that privacy settings are not absolute and that when information exists online, it will likely be there for a long time (if not permanently). Most importantly, your social media policy should be very clear that providers and employees are prohibited from posting any identifiable patient information online.
- Have patients authorize the use of their personal information online, including for use in testimonials, success stories, photos, videos, etc. If a practice wants to use pictures or videos for promotions or other reasons, make sure the patients sign a valid HIPAA authorization form. These forms are required before a patient’s image can be used in any medium for educational, promotional, advertising, or other purposes.
Resource: Use Form B (on the next page)as a guide for you to create your own “Authorization Form for Media Events,” provided by Physicians’ Ally, Inc.
- Train providers to apply the same ethical and professional conduct online as they use in their daily actions offline.The American Medical Association published a policy to guide providers in the use of social media entitled “Professionalism in the Use of Social Media.” Recommendations include:
Providers who interact with patients on the Internet must maintain appropriate boundaries of the patient/physician relationship in accordance with professional ethical guidelines, just as they would in any other context;
Providers should consider separating personal and professional content online;
Providers should recognize that actions online and content posted can negatively affect their reputations among patients and colleagues, and may have consequences for their medical careers.
- Social media can enter into what HIPAA regulates as marketing to patients. HIPAA has new rules on what is considered “marketing,” and what practices can do to market to patients. HIPAA requires patients to sign a valid authorization form declaring their permission before a practice can market to that patient. This authorization form must be kept by the practice for six years. (See June 2014 Healthcare Business Monthly, “Answer Common HIPAA Questions” pages 62 -63, for more information on marketing under HIPAA).
- Ensure that vendors who assist you in social media activities sign a business associate agreement. HIPAA has new rules on what types of vendors are considered business associates under HIPAA. Practices must sign business associate agreements with these vendors that obligate the vendor to safeguard the patient information it maintains or has access to. Software vendors, such as “Constant Contact” and others who have access to your patient list, are considered to be business associates and must sign agreements with a practice to maintain compliance with HIPAA. (See May 2014 Healthcare Business Monthly, “Answer Common HIPAA Questions,” pages 46-47, for more information on business associates under HIPAA).
A Few “Never” Reminders
- Never defend the practice or respond to a patient’s negative comments online. Take this conversation offline. Seemingly innocent comments such as, “We dismissed this patient from our practice,” can get the practice in big trouble with the federal government under HIPAA.
- Never post photos of patients — or any part of patients, no matter how unidentifiable they seem — online. There have been many cases where individuals were sanctioned or sued by patients, friends, and family members who recognized the patient from the online post. (Source: Office of Civil Rights website)
- Never text patient information without ensuring a secure (i.e., encrypted) method for doing so. The practice, not the patient, is responsible for ensuring the safe transmission of patient information over open networks.
Marcia L. Brauchler, MPH, CMPE, CPC, CPC-H, CPC-I, CPHQ, is the president and founder of Physicians’ Ally, Inc., a full service healthcare company, where her and diverse staff provide advice and counsel to physicians and practice administrators, and education and assistance on how best to negotiate managed care contracts, increase reimbursements to the practice, and stay in compliance with healthcare laws. Brauchler’s firm sells updated HIPAA policies and procedures at www.physicians-ally.com. She is a member of the South Denver, Colo., local chapter.