Social Media & Compliance

Social Media: Is it Friend or Foe?

The friendly aspect is the ability to reach a variety of people immediately. Social Media is one of the most cost-efficient methods of marketing. It is a great way to connect to people in your area and attract new patients, but it can become your foe if you, as a healthcare provider, ignore your obligations to protect health information.

For your social media activity to be compliant, you need to have a thorough understanding of what is considered protected health information (PHI) and the rules for obtaining a Business Associate Agreement. Protected Health Information can be something as simple as first name, last name, and email address if it is combined with the provider’s name and/or clinic. There are 18 identifiers for Individually Identifiable Health Information that must be considered when using social media applications.

The other consideration is the Business Associate Agreement requirement. The HIPAA Privacy Rule requires that a covered entity (provider) obtain satisfactory assurances from vendors (business associates) that ensure they will appropriately safeguard any PHI they receive on behalf of the clinic. It must be in writing in the form of a Business Associate Agreement. The agreement must state that the vendor has implemented a program similar to yours to identify PHI, protect it, and manage any risk. DO NOT share PHI or provide access to PHI to someone outside of your workforce without a signed agreement in place.

According to a recent AMA report on Social Media  titled Why Can’t We Be Friends, “The use of social media in the healthcare setting raises a number of professionalism issues including concerns related to privacy and confidentiality; professional boundaries; recruitment; the integrity, accountability, and trustworthiness of health care professionals; and the line between professional and personal identity.”

How can you grow your social media presence?

Growing your social media presence is not impossible, nor is it wrong, but you must control the content and the interactions with customers (patients). Everyone on your staff should have a clear understanding of what can and cannot be posted on your social media site. Review the 18 identifiers with your staff and role-play different scenarios using a variety of posts and responses. We find that most providers are careful not to post PHI but fall short when responding to and commenting on posts made by others.

Some tips for building a compliant social media account:

• Never discuss a patient’s past or pending treatment.
• Avoid addressing an individual directly; rather, use broad statements such as ‘most patients’ or ‘most individuals.’
• Do not use your social media page to contact or respond to a patient, even if it’s just about an appointment.
• Interact and respond to posts using a compliant platform such as your practice management secure portal messaging or by sending an encrypted email.
• Remember, if the information can be linked back to the individual patient, you have failed to protect PHI.

What can you share?

Simply put, anything that does not identify an individual patient. Go ahead and post that wellness tip! If you have a new staff member, introduce them on social media. If you are offering a new type of treatment or service, go ahead and post it. If you are offering additional services such as vitamin supplements, Pilates, or yoga—this is a great place to share that information.

Be aware that the following social media applications will not sign Business Associate Agreements: Facebook, Instagram, LinkedIn, Twitter, Yelp, and Facebook Pixel. Most of these companies add their own disclaimer that you must acknowledge, such as, “You are responsible for your use of the Services and for any Content you provide, including compliance with applicable laws, rules, and regulations.” We recommend that you tread lightly when it comes to responding to Yelp comments or Google reviews. We have found most of the costliest HIPAA violations for providers reside there.

Social Media can be your friend IF you develop clear marketing policies and guidelines for those responsible for managing your account(s). Your plan should include a variety of scripts, optional responses, posting, and review times. Make sure you manage your account access as you would your practice management software. It will help you minimize the chance of a rogue employee posting items on your social media page that have not been approved. Keep in mind that all HIPAA violations have some impact on your clinic, but a mistake on social media can be devastating to your reputation. Be very careful to prepare your posts according to HIPAA guidelines.

Jill Foote currently contracts with KMC University as a subject matter expert. She has developed a wide variety of curriculum for KMC University and has provided training to state associations and Chiropractic colleges in several states. As she worked with doctors on a national level in her previous employment as Senior Manager of Coding and Practice Management at the American Chiropractic Association, she saw a growing need for training in HIPAA compliance, especially as it relates to the IT world. She holds a certification as a HealthCare IT Specialist and is currently the owner of Easy Tech Compliance. Her ‘hands on’ yet practical approach to HIPAA implementation has resulted in establishing successful HIPAA compliant clinics as well as business associates, nationwide. You may reach her by email through info@kmcuniversity.com or by calling (855) 832-6562.