Let’s bust some myths about Social Media and HIPAA compliance.
Myth: HIPAA rules are so complicated that I should avoid using Facebook and other social media.
Reality: Your practice CAN have a Facebook page. You simply need to adjust the privacy settings on your Facebook page to limit how patients share information.
Facebook has many settings, so familiarize yourself to stay in compliance. Note – Similar guidelines apply to Instagram (owned by Facebook), Twitter, LinkedIn, and other social media sites – the key is to use the privacy settings to limit patient postings.
Myth: If a patient voluntarily posts a comment or a review on my Facebook page they have consented to their name being published, so this doesn’t violate HIPAA.
Reality: There is no such thing as “voluntary consent” in HIPAA. The only recognized consent is a written “Authorization” in advance. Covered Entities under HIPAA, such as health care providers, are the guardians of patient privacy and are required to obtain a written Authorization from a patient before allowing disclosure of the patient’s identity. A valid HIPAA Authorization has specific requirements. Using a general “consent” or “release” without the HIPAA requirements is not enough.
Myth: If I advertise on Facebook but don’t have a Facebook page for my practice, I can’t control whether patients leave comments, reviews or recommendations on the ad, so I don’t need to worry about HIPAA.
Reality: You may advertise on Facebook and not violate HIPAA as long as you don’t include testimonials or allow for comments or recommendations from patients UNLESS those patients have given you an Authorization in advance.
What about independent review sites such as Yelp?
Review sites are different than social media sites such as Facebook because you own your Facebook page and are legally responsible for all its content, even posts by others. As long as you don’t publicly respond to a patient post on Yelp, you are not responsible for patient information disclosed there.
Concluding:
- Adjust privacy settings to either a) permit visitor comments but moderate them prior to publishing, or b) turn off visitor comment posting. Also disallow others to tag or mention your page.
- If you choose to moderate visitor comments, you can either scrub out any Protected Health Information (PHI) such as names, dates of service, etc. or reach out to the patient for an Authorization before publishing.
- Facebook has recently changed “Reviews” to “Recommendations.” As a health care provider, you should turn Reviews/Recommendations off to protect patients from accidentally violating their own privacy (and making you responsible as the page owner). Patients may still publish “posts,” on your business page, as long as you review them in advance to scrub out identifiable information or seek a valid Authorization.
If you need help with HIPAA rules about social media, contact us for answers – step by step guidance shows you HIPAA is easy to follow once you know the steps.