If you’re a healthcare professional, the allure of growing your practice with Facebook is too strong to resist. And while other businesses have free rein over their Facebook activity, it’s not the same for healthcare. You have the burden of keeping Facebook posts HIPAA compliant hanging over your head.

However, your practice can still have fun, enjoy the benefits of Facebook, and remain HIPAA compliant. The usual rules of engagement on Facebook still apply. Be polite, don’t get into petty fights, and as always, think before you post. For a healthcare professional, there’s another level of caution you need to uphold. Here are a few guidelines to keep your Facebook posts HIPAA compliant:

Everything you post on social media reflects on your practice

Social media is a very casual place, and that’s putting it lightly. As a health professional, it’s easy to get carried away by it all. But remember that your name is bound to your practice or the agency you’re working for. When writing a comment, think of the impact it has on your practice before hitting ‘Post.’

So how do you walk the tightrope of professionalism without sounding stiff and cold on Facebook? If a patient tags you or engages you in a comment, don’t be afraid to respond. Just don’t mention their treatment or diagnosis.

Educate staff on HIPAA’s social media rules

If your busy schedule prevents you from handling your Facebook page full-time, you might have someone on your staff who does it for you. As a healthcare professional, you’re well-versed in HIPAA’s privacy rules. But do your staff know how to act on behalf of your practice?

To keep your Facebook posts HIPAA compliant, educate your staff on everything HIPAA. Your Facebook handler should be aware of the most common HIPAA social media violations:

  • Posting a patient’s images and videos without their written consent
  • Sharing gossip about patients
  • Making Protected Health Information (PHI) public in comments and posts
  • Posting or sharing photos of your clinic where patients or PHI are visible
  • Posting or sharing a patient’s photos, videos or health information in a private group on social media

The thing is, Facebook’s casual environment makes you forget to stop and think about whether or not a post is appropriate. For example, a nursing assistant got fired for sharing a video of an Alzheimer’s patient in their underwear. In the investigation, the nursing assistant reasoned that it was “funny.” 

Social media thrives on humor, and in seeking likes and comments, a post’s propriety often gets thrown out the window. But the healthcare industry has heavy penalties for this momentary lapse in judgment – the nursing assistant in the case lost their job.

To make it clear what kind of posts are allowed, give them an example to follow. Better yet, create a post template that they can quickly fill out to lessen the risk of violations. Develop in your staff the spidey senses to figure out if a Facebook post is HIPAA compliant or not. 

Be knowledgeable about HIPAA’s Protected Health Information (PHI)

Preventing private patient information from leaking should be your number one concern when posting on social media. 

If you’re keeping your Facebook posts HIPAA compliant, check if they contain any Protected Health Information. This is information that can identify a patient based on their past, present, or future health status. Removing these identifiers does not violate HIPAA’s privacy rule. The 18 PHI identifiers are:

  1. Names (full or last name)
  2. Geographic locations should remain at the state level. Anything more specific than that is a violation
  3. Dates associated with a patient
  4. Phone numbers
  5. Fax numbers
  6. E-mail addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health insurance beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle license plates and serial numbers
  13. Device identifiers and serial numbers
  14. URLs
  15. IP addresses
  16. Biometrics like fingerprints, retinal scans, and voiceprints
  17. Full face photographs 
  18. Any other unique identifying number, characteristic, or code except the unique code

It’s easy to spot violations in captions and signs, but you can accidentally reveal a patient’s identity with photos. Maybe there’s an open patient file, a reflection in a mirror, or something in the background. Have someone in your clinic double-check for anything you might have missed.

Follow HIPAA’s social media guidelines to keep Facebook posts HIPAA compliant

Despite your best efforts, a violation can still slip through even a very tight social media screening procedure. To protect yourself, your practice and your staff from breaking HIPAA rules, follow these guidelines:

  • Educate your staff on the risk of violating HIPAA rules. For the offender, this could mean termination, loss of license, and criminal charges.
  • Don’t engage in social media discussions with patients who have disclosed their PHI online.
  • Have your handler moderate comments on your page. It’s their call to delete incriminating posts or comments.
  • Patrol your Facebook ad collateral like images, videos, or lead forms for violations.
  • Keep your social media team tight. Don’t allow them to share Facebook passwords outside the team. This prevents unauthorized access to your clinic’s Facebook account. In the event of a violation, this keeps the list of suspects short.
  • At first, your staff will be paranoid about any HIPAA violations, but as they get used to HIPAA-compliant guidelines, they’ll become lax. To fight against this, hold a refresher training once a year to keep the social media rules fresh in their minds.

Every action you take on Facebook reflects on your practice. Don’t let a careless post ruin your positive reputation. The final words from us at Sowers Media: think before you post, and when in doubt, don’t post at all. 
