HIPAA and Social Media: What are the Rules?

by ih-coc admin

by Jay Hodes, President - Colington Consulting   

The use of social media in today’s society continues to grow as more Americans interact through one or more social media platforms. Whether writing a blog article, posting on Facebook or tweeting on Twitter, many users see social media as a primary means to communicate. According to the Pew Research Center, as many as 46% of users “discussed a news issue or event” on a social media platform.

As more healthcare providers use or consider using social media for business purposes, HIPAA plays a more significant role in what can be said in a Facebook post, a tweet or a blog article. There are some clear challenges when it comes to meeting the requirements of the HIPAA Privacy Rule. But those challenges do not need to be obstacles, as long as there is proper guidance on what can or cannot be posted. 

My advice when it comes to the use of social media in a healthcare organization is to have a comprehensive, written policy and procedure. The less discretion the better, meaning there is always structured guidance to follow with little to no wiggle room.

In formulating your organization’s social media policy, start with the 3 W’s: Who, What and Where.  

  • Who – Determine who is permitted to post material on social media on behalf of the organization. Designate a specific person as the organization’s official social media administrator.
  • What – Determine what can be posted. The policy should include how to handle an individual who posts a medical question on a social media platform. As an example, if a patient can ask specific questions about a medical condition on your Facebook page, how does your organization address it? From a possible liability standpoint, I caution that it may be inappropriate to respond with advice. A better response would be to ask the individual to contact the office to discuss the specific concern.
  • Where – Determine where and on what platforms posting will occur. The policy must clearly state which social media sites the organization will use.  

Guidelines issued by the AMA on social media say, “Be cognizant of standards of patient privacy and confidentiality. Don't post sensitive patient information online or transmit it without appropriate protection.” The guidelines also say to “maintain the appropriate boundaries of the patient-physician relationship, just as in any other context.” This means following all the applicable standards of the HIPAA Privacy Rule.

Another area of concern is the use of patient testimonials. This is a relatively new trend in healthcare provider marketing strategy. Any patient testimonials used by a healthcare organization must comply with the HIPAA Privacy Rule. A healthcare provider, as a covered entity, must obtain the written authorization of the patient prior to any use or disclosure of the individual’s protected health information for marketing purposes.

In a recent case, a California physical therapy practice paid a settlement of $25,000 to the HHS Office for Civil Rights for a HIPAA privacy violation. There were allegations that the practice posted patient testimonials to its website without legal, HIPAA-compliant authorization. This is not a situation you want to find yourself in.

If your organization embraces social media as a method to market or provide information, have robust policies and procedures in place and follow them. You can be social, but be safe.