Key Facts About HIPAA Compliance – What You Need to Know – Part 8


by ih-coc admin

Our series is designed to explain best practices about HIPAA compliance, HIPAA settlements, and the various requirements an organization must have in place under the HIPAA Security & Privacy Rules.

HIPAA and Social Media

Recently, a dental practice agreed to pay $10,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The violation occurred when the practice responded to a Yelp social media review by disclosing the patient’s last name and details of the patient’s health condition. Whatever the intent of the dental practice, this is considered an impermissible disclosure and obviously should not have occurred.

What Are Best Practices for the Use of Social Media?

In formulating your organization’s social media policy, start with the 3 W’s: Who, What and Where.

  • Who – Determine who is permitted to post material on social media on behalf of the organization. Designate a specific person as the organization’s official social media administrator.
  • What – Determine what can be posted. The policy should include how to handle an individual who posts a medical question on a social media platform. Never respond if an individual asks specific questions about a medical condition on your Facebook page. You can suggest that the individual contact the office to discuss the specific concern.
  • Where – Determine where and on what platforms posting will occur. The policy must clearly state which social media sites the organization will use.

Guidelines issued by the American Medical Association regarding social media say, “Be cognizant of standards of patient privacy and confidentiality. Don't post sensitive patient information online or transmit it without appropriate protection.” The guidelines also say to “maintain the appropriate boundaries of the patient-physician relationship, just as in any other context.” This means following all the applicable standards of the HIPAA Privacy Rule.

Helping Organizations Achieve HIPAA Compliance™

Our goal at Colington is to help keep your organization one step ahead by making sure that those tasked with maintaining or implementing a HIPAA compliance program understand the requirements.

Have a question about HIPAA compliance? Let us know and we would be pleased to discuss it with you and perhaps also address it in this series.