The Internet is still a new concept. Social media is even newer. There is a distinct lack of official online behavioral expectations, never mind official HIPAA social media guidelines.
In the absence of the usual cues for appropriate communication, it’s easy to accidentally share too much information - which means HIPAA violations for your private practice.
HIPAA Challenges in a Digital World
Information is now portable, accessible, and shareable like it never has been before. That means it’s easier to lose in transport, give the wrong people access, and have others share the wrong information virally. Here are some seemingly innocent culprits:
- Social media
- Unlocked mobile devices
- Cloud storage
- Portable storage devices
- Private messengers
So how do you ensure you and your staff are staying as HIPAA compliant as possible online? With these HIPAA social media guidelines & self-monitoring tips.
13 HIPAA Social Media Guidelines & Online Compliance Tips
- Personal social media accounts should be COMPLETELY separate from practice accounts.
- Private social media accounts are still accessible to users who aren’t friends or followers. If you wouldn’t say it to a patient or your boss, it should not go on social.
- Once content is in cyberspace, it’s there forever. Deleting it only removes it from immediate view - it is still easily accessible with the right tools. Do not share media or text.
- Staff and patients SHOULD NOT be directly connected on social media.
- Staff must have some type of lock on their mobile devices (including personal devices if there are no separate business devices).
- All staff must know all 18 HIPAA personal identifiers that cause compliance issues. Even offhand remarks about medical cases can identify patients.
- Posts that a patient makes about their own medical situation should not be interacted with in any way.
- Staff should not provide medical advice online. Patients who ask for medical advice on social media should be directed to an appropriate clinic or physician.
- Staff do not have the right to send or share images of patients and patient files. Staff do not have the right to take pictures of patients or patient files with their mobile devices. This includes patients or files accidentally captured in photos of something else.
- Content related to the practice needs to be approved by an internal compliance review entity.
- Create a specific plan outlining types and frequency of social media posts that will go on the practice social pages.
- No one wants to be a snitch. However, it’s a healthcare employee’s responsibility to report any possible violations by peers. This is for the wellbeing of themselves, their patients, and their organization.
- If there are compliance issues, all individuals involved should be re-trained on HIPAA compliance and proper social media usage & practices.
What else can you do to prevent HIPAA violations online?
Step one is creating a clear policy for employee use of social media, mobile devices, and other technologies. This includes a clear distinction between acceptable and unacceptable content forms and messages, policies for device protection, procedures for reporting lost or stolen devices that may contain private information, and so on.
Additionally, there are options for expert healthcare social media management - agencies that are experienced in online HIPAA compliance and human resources management. These companies can help you make the most of social media for your practice, and handle HIPAA training for staff (both online and offline).