HIPAA Social Media Rules For Your Medical Practice.
Does your medical practice use social media? It’s a reliable way to reach, educate, communicate, and draw in new clientele. However, if your business falls into the health and medical care category, you must follow HIPAA social media rules for all online actions. These rules outline what you can and cannot share, say, or post on both business and personal pages of the establishment and all staff.
Unfortunately, many private facilities shy away from any form of social media engagement due to fear of violating HIPAA rules. This leaves these businesses missing out on valuable audiences that are not only listening, but looking for them online.
Consider the following:
- 80% of internet users search for health information, and almost 50% would like information about a specific doctor.
- 60% of consumers say they trust doctors’ social media posts.
- More than 75% of Americans use social media to research their health symptoms.
Do you run or work for a business in the health care sector and are ready to take your visibility online? Follow along to discover how to be HIPAA compliant on social media and what this looks like for your pages.
HIPAA and Social Media
When it comes to health care, social networks play an important role in everything from information gathering to connecting with people going through similar experiences.
The Health Insurance Portability and Accountability Act (HIPAA), established in 1996, works to protect the privacy and health information of patients to ensure complete confidentiality. This act came into play long before the introduction of social media but clearly impacts what health institutions can and cannot share online.
When in breach of the HIPAA social media guidelines, violators face hefty penalties which could include a fine or even loss of license. For this reason, HIPAA compliance on social media is crucial for both the institution and patients alike.
HIPAA outlines that any and all PHI must be kept off of social media platforms unless express permission has been granted by the patient.
What Is PHI?
In order to follow the HIPAA social media rules and maintain compliance, individuals must first understand what’s classified as PHI.
PHI stands for personal health information. This includes all information about a patient, their care, and any details that could expose their identity.
This includes but is not limited to:
— Names, including nicknames and social media handles
— Address or location hints
— Dates such as birthdate, appointment dates, treatment duration dates
— Phone or fax number
— Email address
— Web URLs or social media links
— Social security number and any other account numbers
— Medical record or health plan number
— Photographs and scans
— Vehicle description or number plates
— Fingerprints, retinal scans, or voice recordings
— Anything that could give hints regarding the patient’s identity
The only time in which any of this information can be shared on social media pages is when a patient has given express written permission. However, the patient must have a clear understanding of exactly how the information will be used and the purpose of sharing their details.
A signed agreement including clear indications of how the information will be used must then remain on file. This is essential to confirm the patient’s willingness to participate. Verbal agreements are not sufficient permission. Lack of physical proof of permission may result in HIPAA violations.
What’s Not Allowed
So what does this look like for your online sharing? Professionals in all health and medical fields must not divulge the PHI outlined above in any way, shape, or form on a digital platform. This includes all posts, comments, replies, or online messaging.
Posts
A medical business account and any associated personal accounts may not share any photographs of the patients, details of their treatment, or any other PHI indicators (without a signed agreement that is kept on file).
Even if you do not mention the patient’s name or demographics, giving a detailed description of their condition, the treatment, and even the results could expose the identity of the individual and breach their privacy rights. Even if the patient has shared their story on their own page, you must gain express permission before sharing any details.
You also cannot repost anything they have posted on their account, as this would give direct reference to the individual.
▪️ This applies to any posts on social media, as well as blogs, forums, and any other online platforms.
Comments
A simple mistake that could breach HIPAA compliance on social media is the acknowledgment or disclosure of information in comments. These comments could be either on your own post or another user’s social media account.
Even if the information is available elsewhere, the business is not permitted to disclose details. This includes stating that they treated that particular case, when it happened, and mentioning who was involved.
▪️ This applies to news posts, patient posts, other medical professionals, and any other online resources.
Replies
Businesses are encouraged to respond to comments on both social media platforms and sites such as Google My Business. Responding to comments and reviews is a great way to build relationships and boost engagement for your establishment.
Unfortunately, a HIPAA violation can occur when replies reveal too much information. This can include calling the reviewer by name, making reference to their treatment, or even defending the actions of the clinic by explaining the details of a situation.
Seeing as it is human nature to defend or acknowledge details, responding to feedback can be a difficult area in the healthcare profession. If you are ever unsure about what you can and cannot communicate in a reply, it’s always best to offer less.
If a comment has asked questions or stated information that you cannot safely reply to, you can always leave a comment stating that privacy laws do not permit you to disclose certain information, and where they can contact you if they have any concerns.
Online Messaging
Online messaging platforms have made group messaging and communication easier than ever. However, if you choose to use these online messaging platforms for work applications, there are guidelines you will need to follow. Just follow the same guidelines we mentioned above in ‘Replies’.
When online messaging, you are not permitted to share any PHI in direct messages or private chats. As per HIPAA, this applies to any online and offline conversations with individuals who are not privy to the information.
Furthermore, any online conversations with other staff members or practitioners may not disclose PHI or reveal details. Because these conversations are now part of the digital cloud of social media, the conversations run the risk of being exposed.
Also, when discussing specifics of a patient, treatment, or in-office situation, all conversations should be private and offline.
What Is Allowed
While these social media rules may feel limiting, there are still several post formats and engagements you can partake in.
Just like any other business, health care accounts are still encouraged to engage with individuals online. Your practice can do this by offering helpful information and insights with its posts, comments, and replies.
Content ideas that you can post about on social media
- Share mental health tips that may help your specific client base
- Link to new research related to your specialty
- Share inspirational or motivational quotes
- Let clients know about upcoming events, open to the public, that your practice will be hosting or participating in
- Brag about any awards your practice has received
- Let clients get to know you better with staff bios and photos
- Offer discounts or special offers
- Promote posts from your website's blog
- Announce new business partnerships
- Post your reviews anonymously
You Can Post With Compliance
Without disclosing information, there are several posts that you are permitted to share online. Any patient-generic information or advice that could benefit your patients may be posted on both social media and blogs.
This could include tips and advice about health conditions or even research articles about a relevant concern. The key to these information pieces is not referencing actual cases. As long as you do not mention your own experiences with treating clients or the cases you have observed, you will not be in breach of any social media rules.
You may also share information about events you will be taking part in. This could include upcoming specials, promotions, or celebrations. You can even brag about accomplishments such as receiving a business award or specialist certificates.
Many practices find it beneficial to introduce their staff and practitioners online with a brief bio and photograph. This encourages familiarity for clients who wish to seek treatment from your facility and serves as a business promotion for lead generation.
You Can Respond to Reviews
Reviews have become as valuable as a personal recommendation for potential clients. How you respond to your reviews could make or break your growth. Of course, as discussed above, even information revealed in reviews does not permit you to share PHI.
When responding to both positive and negative reviews, the safest options for HIPAA compliance include:
- Thanking the reviewer for their feedback.
- Asking the reviewer to contact your office for questions, clarification, or to resolve problems.
- Offering a solution to problems via an in-person consultation or a free appointment.
Responding assures your audience that you care about the client’s concerns. They will see that you value feedback and that your office takes measures to provide the best possible service and experience.
You Can Engage in Conversation
When you are online with a business account, you are representing the views of your establishment with every interaction. This means the posts you like, comments you leave, and shares you save are all reflecting on your business.
It is important to consider all online actions and understand what messages they will send to consumers. This is applicable for any industry but especially true in the health sector.
You can reply directly to comments on your posts, but make sure to do so without mentioning names or disclosing information.
You can also comment on posts by other professionals and even share their posts on your own page with appropriate credit.
If your posts follow HIPAA social media guidelines, your practice has the opportunity to grow considerably. Just remember, if you wish to share photos of events and celebrations, make sure that all individuals who appear in the content sign a release form.
Benefits of social media for your practice
As we all know, the majority of individuals partake in social media, which means that people are likely to look up your organization on these platforms.
It can also increase your patient volumes, help you control the accuracy of health-related information available online, strengthen your relationships with current patients, and broaden your exposure to potential patients.
Another perk is that patients are able to easily find your office online, view any information that you post, read online reviews left by other patients and be kept up-to-date on any changes to office hours, personnel, or protocols.
In a nutshell, using social media platforms will enable you to promote your business more easily and quickly than word of mouth and traditional advertising alone.
HIPAA Compliance on Social Media Conclusion
Think of social media as your digital bedside manner - and gain a competitive edge for your medical practice. When used correctly, social media can take a medical practice to the next level by utilizing the existing platforms to reach current and potential patients already accessing social media daily. So don’t shy away from posting!
Now that you understand the purpose of HIPAA social media rules and guidelines, you can ensure your social media activity is never in breach. By understanding what you may and may not share, you can rest assured that your business will never face fines or license suspensions due to your online presence.
Are you ready to take the next step and expand your medical organization’s social media footprint? Our award-winning digital marketing team at ModFXMedia is standing by to show you how you can do just that. Contact us today to schedule your discovery session.