If you’re a healthcare professional, the allure of growing your practice with Facebook is too strong to resist. And while other businesses have free rein over their Facebook activity, it’s not the same for healthcare. You have the burden of keeping Facebook posts HIPAA compliant hanging over your head.
However, your practice can still have fun, enjoy the benefits of Facebook, and remain HIPAA compliant. The rules of engagement on Facebook still remain. Be polite, don’t get into petty fights, and as always, think before you post. For a healthcare professional, there’s another level of cautiousness you need to uphold. Here are a few guidelines to keep your Facebook posts HIPAA compliant:
Everything you post on social media reflects on your practice
Social media is a very casual place, and that’s putting it lightly. As a health professional, it’s easy to get carried away by it all. But remember that your name is bound to your practice or the agency you’re working for. When writing a comment, think of the impact it has on your practice before hitting ‘Post.’
So how do you walk the tightrope of professionalism without sounding stiff and cold on Facebook? If a patient tags you or engages you in a comment, don’t be afraid to respond. Just don’t mention their treatment or diagnosis.
Educate staff on HIPAA’s social media rules
If your busy schedule prevents you from handling your Facebook page full-time, you might have someone on your staff who does it for you. As a healthcare professional, you’re well-versed in HIPAA’s privacy rules. But do your staff know how to act on behalf of your practice?
To keep your Facebook posts HIPAA compliant, educate your staff on everything HIPAA. Your Facebook handler should be aware of the most common HIPAA social media violations:
- Posting a patient’s images and videos without their written consent
- Sharing gossip about patients
- Making Protected Health Information (PHI) public in comments and posts
- Posting or sharing photos of your clinic where patients or PHI are visible
- Posting or sharing a patient’s photos, videos or health information on a private group on social media
The thing is, Facebook’s casual environment makes you forget to stop and think about whether or not a post is appropriate. For example, a nursing assistant was fired for sharing a video of an Alzheimer’s patient in their underwear. In the investigation, the nursing assistant reasoned that it was “funny.”
Social media thrives on humor, and in seeking likes and comments, a post’s propriety often gets thrown out the window. But the healthcare industry has heavy penalties for this momentary lapse in judgment – the nursing assistant in the case lost their job.
To make it clear what kind of posts are allowed, give them an example to follow. Better yet, create a post template that they can quickly fill out to lessen the risk of violations. Develop in your staff the spidey senses to figure out if a Facebook post is HIPAA compliant or not.
Be knowledgeable about HIPAA’s Protected Health Information (PHI)
Preventing private patient information from leaking should be your number one concern when posting on social media.
To keep your Facebook posts HIPAA compliant, check whether they contain any Protected Health Information. This is information that can identify a patient and relates to their past, present, or future health status. Once these identifiers are removed, a post does not violate HIPAA’s privacy rule. The 18 PHI identifiers are:
- Names (full or last name)
- Geographic locations more specific than the state level (keep locations at the state level; anything more specific is a violation)
- Dates associated with a patient
- Phone numbers
- Fax numbers
- E-mail addresses
- Social Security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle license plates and serial numbers
- Device identifiers and serial numbers
- IP addresses
- Biometrics like fingerprints, retinal scans, and voiceprints
- Full face photographs
- Any other unique identifying number, characteristic, or code except the unique code
It’s easy to spot violations in captions and signs, but you can accidentally reveal a patient’s identity with photos. Maybe there’s an open patient file, a reflection in a mirror, or something in the background. Have someone in your clinic double-check for anything you might have missed.
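As an added illustration (not part of the original post), here is a small Python pre-post screener that flags the machine-detectable identifiers from the list above in a draft caption, so a human reviewer looks at them before anything is published. The sample captions, the `MRN` keyword and the clinic allowlist are constructed for this example; names, locations, photos and biometrics still need a person to check.

```python
import re
from typing import Iterable, List, Tuple

# Patterns for the structured identifiers in the safe-harbor list above.
# Free-text identifiers (names, locations, biometrics, photos) are not
# regex-detectable; a human reviewer still has to look for those.
PHI_PATTERNS = {
    "Social Security number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone/fax number": re.compile(
        r"(?<!\d)(?:\+?1[ .-]?)?(?:\(\d{3}\)|\d{3})[ .-]?\d{3}[ .-]?\d{4}(?!\d)"),
    "e-mail address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "IP address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    # Record/account numbers: a label followed by a 5+ character identifier.
    "record/account number": re.compile(
        r"\b(?:MRN|acct|account|policy|member)\s*#?\s*[:=]?\s*[A-Z0-9-]{5,}\b", re.I),
}

# The clinic's own contact details are not patient information; allowlisting
# them avoids blocking every post that tells readers how to reach the office.
CLINIC_CONTACT_ALLOWLIST = {"(555) 123-4567", "front.desk@example.com"}  # constructed


def screen_post(text: str, allowlist: Iterable[str] = ()) -> List[Tuple[str, str]]:
    """Return (identifier_type, matched_text) for each PHI-like token in a draft."""
    allowed = set(allowlist)
    findings = []
    for label, pattern in PHI_PATTERNS.items():
        for match in pattern.finditer(text):
            if match.group(0) not in allowed:
                findings.append((label, match.group(0)))
    return findings


def is_safe_to_post(text: str, allowlist: Iterable[str] = ()) -> bool:
    """True only when the screener found nothing that needs human review."""
    return not screen_post(text, allowlist)


# Constructed sample captions; no real patients or practices.
DRAFT_POSTS = [
    "Great visit today with Mr. Alvarez, MRN 48213, recovering well after surgery on 03/14/2024!",
    "Thanks for the kind words! Call us at (555) 123-4567 or email front.desk@example.com.",
    "Proud of our whole team for another successful flu-shot clinic this week!",
]

if __name__ == "__main__":
    for draft in DRAFT_POSTS:
        hits = screen_post(draft, CLINIC_CONTACT_ALLOWLIST)
        print("HOLD FOR REVIEW" if hits else "OK", hits, "<-", draft[:40])
```

A hit means "hold for human review", not an automatic rejection: a post announcing a holiday closing date will trip the date pattern, while the patient's surname in the first sample slips past every regex.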
Follow HIPAA’s social media guidelines to keep Facebook posts HIPAA compliant
Despite your best efforts, a violation can still slip through your very tight social media screening procedure. To protect yourself, your practice and your staff from breaking HIPAA rules, follow these guidelines:
- Educate your staff on the risk of violating HIPAA rules. For the offender, this could mean termination, loss of license, and criminal charges.
- Don’t engage in social media discussions with patients who have disclosed their PHI online.
- Have your handler moderate comments on your page. It’s their call to delete incriminating posts or comments.
- Patrol your Facebook ad collaterals like images, videos, or lead forms for violations.
- Keep your social media team tight. Don’t allow them to share Facebook passwords outside the team. This prevents unauthorized access to your clinic’s Facebook account, and in the event of a violation, it keeps the list of suspects short.
- At first, your staff will be paranoid about HIPAA violations, but as they get used to the HIPAA-compliant guidelines, they’ll become lax. To fight this, hold a refresher training once a year to keep the social media rules fresh in their minds.
Every action you take on Facebook reflects on your practice. Don’t let a careless post ruin your positive reputation. The final words from us at Sowers Media: think before you post, and when in doubt, don’t post at all.