The Internet is still a relatively new concept, and social media is newer still. There are few established norms for professional behaviour online, and even fewer that address HIPAA compliance on social media.
Without the usual cues that signal what is appropriate to say, it is easy to share too much, and for a private practice that can mean a HIPAA violation.
After you learn how to stay HIPAA compliant, be sure to check out our post on the benefits of using social media for healthcare marketing!
HIPAA Challenges in a Digital World
Never in history has information been as portable, accessible, and shareable as it is today. The flip side is that it has never been easier to lose information in transit, to give the wrong people access to it, or to have someone else pass it along to the wrong audience. Here are some seemingly innocent culprits:
- Social media
- Unlocked mobile devices
- Cloud storage
- Portable storage devices
- Private messengers
So how do you ensure you and your staff are staying as HIPAA compliant as possible online? With these social media guidelines & self-monitoring tips, your practice will be well on its way to HIPAA compliance.
13 HIPAA Social Media Guidelines & Online Compliance Tips
- Personal social media accounts should be COMPLETELY separate from practice accounts.
- Content on a private social media account can still reach people who aren’t friends or followers, through screenshots, resharing, or a compromised account. If you wouldn’t say it to a patient or your boss, it should not go online.
- Once content is on the internet, assume it cannot be recalled. Deleting a post only removes it from immediate view; copies may survive in screenshots, reshares, caches, archives, and platform backups. Do not post any patient-related media or text in the first place.
- Staff and patients SHOULD NOT be directly connected on social media.
- Staff must have a screen lock (passcode or biometric) and device encryption enabled on any mobile device that can access practice data or e-mail. This includes personal devices if the practice does not issue separate business devices.
- All staff must know the 18 identifiers listed in the HIPAA Privacy Rule’s Safe Harbor de-identification standard (names, dates, phone numbers, full-face photos, and so on). Even an offhand remark about a case with no name attached can identify a patient when combined with a date, a location, or an unusual condition.
- Posts that a patient makes about their own medical situation should not be interacted with in any capacity. A like, comment, or share from a practice or staff account can confirm that the person is a patient, and that fact is itself protected health information.
- Staff should not provide medical advice online. Patients who ask for medical advice on social media should be directed to contact an appropriate clinic or physician through a proper channel.
- Staff may not share images of patients or patient files, or take pictures of patients or patient files with their mobile devices. This includes patients or files accidentally captured in the background of a photo of something else.
- Content related to the practice needs to be approved by a designated internal compliance reviewer (for example, the practice’s privacy officer) before it is posted.
- Create a specific schedule outlining the content and types of posts that will go on the practice's social media accounts.
- While no one wants to be seen as a snitch, reporting a possible violation by a colleague is an extremely important responsibility of every healthcare employee. It protects the employee, the patients, and the organization.
- If a compliance issue does occur, everyone involved should be re-trained on HIPAA compliance and proper social media usage and practices, and the incident should be documented.
What else can you do to prevent HIPAA violations online?
The first step to successful HIPAA compliance is a clear written policy for employees that covers social media, mobile devices, and general technology usage. It must draw a clear line between acceptable and unacceptable messages and content, set requirements for device protection (screen locks and encryption), and lay out a procedure for reporting lost or stolen devices that may contain private information. The reporting step matters: a lost device holding unencrypted patient data may have to be treated as a reportable breach, whereas properly encrypted data is far less likely to trigger notification.
Additionally, there are healthcare social media management agencies with experience in online HIPAA compliance and human resources management. These companies can help you make the most of social media for your practice and can handle HIPAA training for staff, both online and off.