Social Media and Patient Privacy: Four Things You Need to Know
Imagine: You manage the social media for a popular medical practice. A patient posts a beautiful comment praising the doctors for how they helped her with her diabetes and blood pressure. It’s a perfect testimony! You proudly forward it to various outlets, hoping to further the online reputation of the medical practice.
Not so fast.
Although the patient volunteered the information, if you forward it, you are in danger of committing a HIPAA violation. In fact, even leaving the post on the page could cause the “HIPAA police” to levy huge fines against you. We’ve compiled some important information on social media and HIPAA to help you navigate the murky waters of patient privacy in a very public forum.
HIPAA Penalties
HIPAA stands for the Health Insurance Portability and Accountability Act. Essentially, this means your medical information is private and protected. Those who can access your private information include doctors, hospitals, those involved with your care, or the police (in the case of an assault, suspected abuse, or a gunshot wound). Insurance companies and workers’ compensation carriers are also exempt from HIPAA. Violations result in fines that can be as high as $11,000 per incident.
The writing on the wall
The good news: You’re not liable if a patient posts personal medical information on your social media pages. The bad news: If you don’t make a diligent effort to remove these personal posts, you could be found negligent.
The laws aren’t always clear, according to David Harlow, a health care lawyer and consultant. Harlow states that private health care information is subject to higher standards, and overlapping regulations can easily cause confusion. Play it safe and have a designated time to “scrub” your social media pages.
Social media don’ts
Are your patients aware they shouldn’t post private information to social media pages? Some don’t realize there’s no such thing as privacy when posting on a public internet page. It’s important that you publish a notice explaining that patients shouldn’t write personal health information on your wall. You may wish to write a blog post about it and link to it from your social media pages. Having a policy placed in a prominent spot demonstrates you’re implementing due diligence.
Release forms
Patient testimonials are often powerful and effective stories that can have a dramatic and emotional effect on potential clients. When considering a patient testimonial, it’s critical that you have a signed HIPAA consent form. (An example of one can be found here.) Realize these forms must be housed in a secure location. Often, it’s best to have the medical practice place the form in the patient’s file.
If you want to use anonymous testimony, be careful. HIPAA doesn’t consider information truly anonymous unless it has been stripped of 18 patient identifiers. Even in large cities, it’s not too difficult for friends and relatives to piece together information to discover the patient’s identity.
Responding to negative reviews
No one wants to have a negative review “hanging” on the internet. However, be careful when responding to the review. If a patient complains that her allergies were not treated properly and the medical practice responds publicly, it is confirming two things: 1) this person is a patient and 2) the patient has a certain medical condition.
So how do you avoid this? It’s safe to make general statements in regard to office policies, even though it’s often difficult to keep these messages from sounding “canned.” Essentially, it’s important to acknowledge that the patient has been heard and has a way to address his/her issue. In addition, solicit positive patient reviews to offset the negative reviews, or hire a firm to help you with monitoring social media sites.
An example of a response to a patient complaint that does not violate HIPAA could be phrased:
At our medical practice, we strive for the highest levels of patient satisfaction. However, we cannot discuss specific situations due to patient privacy regulations. We encourage those with questions or concerns to contact us directly at [phone number].
You may also be interested in reading the American Medical Association’s policy on social media. If you’d like help on how to navigate this delicate terrain of patient privacy on social media, contact us! We have years of experience and a HIPAA expert on staff ready to help.