HIPAA @ 20: Staying Compliant while Using Social Media

Rob Lovitt

hipaa, privacy, social media

It’s a dilemma for anyone hoping to engage with patients in today’s always-on, always-connected culture. On the one hand, you have HIPAA, the 20-year-old statute that’s all about protecting privacy; on the other, social media, which is essentially a forum for sharing on a global scale. Is it any wonder that some medical professionals have had trouble honoring the former while using the latter?

Consider the lawsuit recently filed after a nurse in Chicago sent out several tweets, including one with a photo of blood-soaked bandages, after a local man, Mikal Johnson, had been brought in with a gunshot wound to the chest. As the Chicago Sun-Times reported, none of the tweets named the man, but the suit says they “were reasonably identifiable as referring to Mikal Johnson or his family.”

Whether or not the nurse’s tweets divulged PHI will be determined by the courts, but the case serves as a timely reminder that every medical practice and facility should have a social media policy in place. That’s especially true given the rise of quick-hit social sites like Twitter and Snapchat and the proliferation of mobile devices, which promise to create even more opportunities for trouble.

Fortunately, help is available. The AMA, American College of Physicians, and Federation of State Medical Boards have all created sample guidelines for the appropriate use of social media, some of which are summarized below:

Implement a comprehensive social media policy and ensure all employees understand it

Any social media policy should communicate company expectations regarding the use of social media, including what kind of content can be shared on what sites, who can and cannot access them, when and how to respond to comments from others, and the consequences — disciplinary action, potential legal and financial consequences, etc. — of noncompliance.

Before you post, strip out all PHI

The HIPAA regulations list 18 characteristics that can be used to identify patients. Some (names, email addresses, etc.) are obvious; others (license plates, IP addresses, etc.), not so much. When posting photos, ensure you have the patient’s consent to do so and, whenever possible, use generic file names (e.g., Patient 1 butt lift, not Jane Doe butt lift) and black or blur out eyes or faces for non-facial procedures.

Maintain dual citizenship

The benefits of engaging with patients via social media are undeniable — some patients actually consider doctors who don’t participate in the online conversation suspicious — but that doesn’t mean you have to share everything with them. Share new offerings, case studies (with consent or appropriately anonymized), and other professional information via a public profile/practice page, but use a separate account to share personal opinions, professional conversations, etc. — and back it up with the highest privacy settings available.

When in doubt, apply the elevator test

Technically speaking, there’s nothing wrong with discussing specific cases in social settings, as long as you anonymize the patient’s information appropriately. If you’ve been in practice for any length of time, you’re no doubt familiar with the elevator test — if you wouldn’t share information in a crowded elevator, don’t share it via social media — but your employees may not be. Share it with them; encourage them to seek experienced advice when they have questions, and caution them that if they have any doubts about posting, the safest course of action is to take no action at all.

Of course, given the consequences of getting any of the above wrong, some doctors may take the opposite approach and forgo social media altogether. But that’s a mistake for multiple reasons. For one thing, social media is where potential patients gain insights into the procedures they’re considering, not to mention the doctors who perform them. For another, doctors who share their expertise help debunk the lurid stories and medical misinformation provided by others. And finally, as noted above, aesthetic consumers remain skeptical about doctors who don’t participate in social conversations.

The takeaway? HIPAA-compliant social media is not a contradiction in terms. Approached with the above guidelines in mind, it helps aesthetic consumers become more confident in their healthcare choices; it helps practices gain exposure to those consumers, and it will only become more important in the years to come.

Rob Lovitt

Rob Lovitt is a longtime writer and editor who believes every good business has a great story to tell. He has written for dozens of magazines and websites, including NBCnews.com, Expedia.com and the inflight magazines of Alaska, Horizon and Frontier airlines.
