Where Facebook Meets HIPAA: Social Media Guidelines for Healthcare Providers

Social media is an important tool for anyone trying to grow a practice, but as with any other use of social media in a professional realm, there’s a risk of making major and significant mistakes on a public stage. Medical professionals have to worry about HIPAA, and just one careless Facebook post can accidentally reveal protected health information.

Social media, once all but verboten for healthcare professionals, is now recognized as a great tool for providing information, establishing expertise, educating and interacting with current and prospective patients, and establishing a brand — a particularly important function for anyone trying to grow a practice. But, as with any other use of social media in a professional realm, there’s a risk of making major and significant mistakes on a public stage.

For medical professionals, in particular, social media advice goes beyond “Don’t post too many times in a day” (when do you have time anyway?), “Don’t make every post about self-promotion” (no one wants to hear you talk about yourself all the time), and “Know the difference between ‘it’s’ and ‘its’” (the first one is a contraction, the second one is a possessive). Medical professionals have to worry about HIPAA — and one careless Facebook post can accidentally reveal protected health information with the click of a mouse.

Five tips for avoiding privacy violations when using social media:

2010: An ER doctor in Rhode Island posts patient information on Facebook. She thinks that by leaving the patient’s name out, she’s made the patient unidentifiable. She’s wrong. Others in the community are able to identify the patient based on other information in the post, and the ER doctor is fired and fined $500 by the state medical board.

Don't talk about patients.

Posting about cases is one thing — common or uncommon conditions, novel treatments, unexpected complications. But when you cross the line between the case and the actual patient, your chances of revealing privileged information skyrocket.

HIPAA lists 18 identifying features for PHI, one of which is essentially “any other identifying feature.” The information provided in your social media profile itself — names, locations, photos, dates — combined with even minimal information from the post could paint a surprisingly clear picture of PHI with minimal detective work.

Don’t friend current or former patients.

(And definitely keep your personal and professional social media accounts separate.) Social media is a casual and personal way of communicating, but it’s still crucial to maintain a certain amount of professional distance.

Remember that anything you post on a patient’s Facebook wall is visible to all of their friends; you might think that a particular story is funny, or that a particular message is innocuous, but it might not be the kind of thing your patient wants their friends to see.

Even if the patient is posting every minute detail about their treatment on their wall, you’re still beholden to privacy laws.

2013: An OB-GYN in Missouri complains on her personal Facebook wall about a chronically late patient who has shown up late for her induction. In comments, she clarifies that she has “put up with it” because of a prior stillbirth. Someone posts a screenshot of the doctor’s post on the hospital’s Facebook page. Hospital administrators determine that no patient privacy laws were broken, but the doctor does get a well-earned reprimand — and her Facebook wall gets a good combing-over to check for any other potential HIPAA violations.

Don't post patient-related gossip.

Even if you think you’ve disguised their identity. If the patient in question could recognize themselves with the information provided in your post, that’s enough to leave it out. Venting and joking are best saved for the break room. If you wouldn’t say it in line at Starbucks, don’t say it on social media. New patients aren’t going to be attracted to the doctor who likes to gossip (or allows staff to gossip) about existing patients.

Look at photos carefully.

Is that a patient in the background of your office selfie? Is that a patient file under your artistically arranged plate of sushi at a working lunch? Scan your photos like a detective on a police procedural to make sure you haven’t unintentionally caught anything inappropriate or privileged.

Set an office social media policy, write it down, and make sure everyone stays up to date.

Resist the urge to hand your social media passwords to the youngest (and tech-savviest) person in the office to post for you. Make sure that everyone — of any age, in any position — knows to watch for possible violations before they post anything online.

The image you portray on social media might be the only image a prospective patient will see of you.

One more HIPAA-unrelated but essential piece of advice: make sure that every post, share, retweet, and “like” conveys something about you and/or your practice that you want people to know. Be the person online that patients can expect — and will want — to meet when they come to the office for the first time.

© Copyright 2014-2018 Patientpop inc.