Health Information Compliance Alert

Published on Tue Oct 15, 2019 PDF

Hint: Involve staff in the social media policy making.

Having an online presence can certainly boost name recognition and bring in new patients. But unchecked cyber babble that exposes protected health information (PHI) can have long-term ramifications — including HIPAA violations, fines, state actions, civil cases brought by the patients, loss of medical license, and more.

Put a HIPAA Social Media Plan Into Action

Before you click “like,” upload your practice’s services to the web, or respond to questions, queries, and comments, you may want to consider asking yourself and your team why and how you plan to implement, utilize, and promote social media in your office.

 Reasoning: What you post says a lot about you as a provider, so outlining your objectives is always a wise decision from both a marketing and compliance standpoint. And the reason this is critical is because it is very easy to cross the line during digital discourse.

“I think there is a residual level of ignorance about HIPAA among many providers, when it comes to everything from social media to simple provision of individual access to medical records,” informs HIPAA expert Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vermont. “Some just don’t seem to understand the rules until they’re faced with an enforcement investigation.”

Whether your staff are seasoned Instagram posters or can’t tell Twitter from Tumblr, you should include them — and ensure they’re adequately trained — on the intersection of HIPAA and social media.

Consider adding these tips to your social media protocols:

• Define who will have access to the practice’s social media accounts.
• Nominate or hire a vetted employee to manage social media posting.
• Outline the Privacy Rule regulations fully for staff, including what constitutes PHI.
• Establish privacy requirements for your practice that are compliant with state and federal privacy and security standards.
• Train both administrative and clinical staff on HIPAA and social media.
• Ensure individual staff know what social media protocols apply to them.
• Create a staff policy on using social media at work and stick to it.
• Prohibit staff from posting pictures, opinions, practice logos, and clinical information on their personal accounts.
• Acquire written authorization from patients before taking photos, uploading images, or explaining procedures on the practice social media.
• Execute an enforcement plan for staff who don’t follow the rules.
• Institute social media incident response and breach policies and make sure all staff know them.
• Incorporate username and password protocols to ensure insider threats are a minimum.
• Audit practice social media interactions often to ensure compliance and update policies accordingly.

Don’t Forget About Medical Board Repercussions

Physicians must be incredibly careful about what they post online. When a provider relates positive results from a landmark surgery, innovative procedures, or coordinated services with another organization on a social media site, patients’ written authorizations must be documented, no matter the circumstances.

Most are aware of HIPAA, but physicians must also consider the Stark Law, state privacy rules, and medical board regulations.

The Federation of State Medical Boards (FSMB) offers many resources for physicians to remain compliant with their respective state’s medical boards. They offer these crucial reminders on how missteps on social media can have outsize consequences for practices, up to and including physician license revocation.

“State medical boards have the option to discipline physicians for inappropriate or unprofessional conduct while using social media or social networking websites with actions that range from a letter of reprimand to the revocation of a license,” warns the FSMB.

Resource: Investigate the FSMB’s social media use suggestions at  www.fsmb.org/Media/Default/PDF/FSMB/Advocacy/pub-social-media-guidelines.pdf.