Like other forms of electronic communication, social media websites present strong marketing opportunities and the chance to reach patients directly.
Unfortunately, social media websites also present risks such as violating HIPAA by sharing patient information online.
Knowing the risks of using social media can help you stay in compliance with HIPAA and make the most of social media’s benefits.
Anonymous is not enough
Many practices know that patients’ names should be kept private, but HIPAA privacy requirements go beyond protecting patient names. In fact, you should avoid revealing any information that may allow others to guess the patient’s identity. ¹ Controlling who sees information you post is difficult online, and readers who are familiar with the patient may see what you post—keeping the patient anonymous does not necessarily protect their personal identity.
According to the Boston Globe, one physician unintentionally posted information revealing a patient’s identity on a social media website and was subsequently fired from her position and reprimanded by the state’s licensing authority. The patient was anonymous, yet information about his condition allowed community members to guess who he was. ²
In practice, it is possible to de-identify patient information but impossible to completely prevent others from identifying the individual. ¹ In fact, the U.S. Department of Health and Human Services notes that information about an individual’s five-digit zip code, birthdate and gender is probably enough to uniquely identify over half of America’s population. ¹ In theory, sharing a few demographic facts about your patient on social media may be enough to disclose their identity online and violate HIPAA. If your patient has an unusual medical condition, occupation or other uncommon characteristics, disclosure risks may be even higher.
To be absolutely sure that your social media use is not releasing personally identifiable information about patients, you should do your own research and create a social media policy to protect your practice.
Make a social media plan
An article in Compliance Today, the journal of the Health Care Compliance Association, suggests weighing the risks of social media, outlining specific uses and purposes for your practice’s social media accounts and assigning specific employees to those accounts while monitoring these websites for compliance. ³
The article’s authors, Jim Sheldon-Dean and Dr. Vidya Phalke, PhD, suggest you take steps to reduce your risks of violating HIPAA, including: ³
- Social media policies—Your practice should identify how social media will be used, who is permitted to use your clinic’s social media accounts and what types of information may be shared. You should carefully consider what risks exist and how you will respond to them if they happen. For example, consider whether or not personal pages may “friend” patients and how clinical information should be protected.
- Employee training—If your office has employees, you should regularly train them on HIPAA compliance and your social media policy.
- Verify compliance—Know how HIPAA protects patient privacy and understand what HIPAA violations look like. Familiarize yourself with how patient identities may be accidentally revealed on your social media accounts, then monitor the use of those accounts.
Be careful when communicating with individual patients
Since the risk of accidentally releasing personal information on social media is high, you may want to be careful about contacting individuals. While it may be permissible under HIPAA to privately communicate via social media with a patient, you need to be absolutely sure your patient approves of communicating on social media and understands both the risks and possible outcomes of a data breach. ³
It would be wise to restrict the types of information you discuss, even in a private message, because the text of your conversation may be accessible by others, such as the company that owns the social media website. Explain this possibility and other risks to your patient before beginning to discuss personal information. ³
HIPAA regulations may change, so be sure to do your own research before using social media to communicate with your patients. The U.S. Department of Health and Human Services offers a HIPAA for Professionals resource where you can find more specific guidance.
Use social media while protecting your patients
Social media allows you to market your practice, connect with new patients and interact with the chiropractic community, so for your practice these benefits may outweigh the risks of social media. If you are careful and do your own research, you can reduce these risks and benefit from social media’s possibilities.
- The Boston Globe. “For doctors, social media a tricky case.” http://www.boston.com/lifestyle/health/articles/2011/04/20/for_doctors_social_media_a_tricky_case/?page=full. Published April 2011. Accessed December 2015.
- U.S. Department of Health and Human Services. “Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.” http://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html#safeharborguidance. Accessed December 2015.
- Compliance Today. “Social media and HIPAA compliance: Balancing benefits and risks.” http://www.hcca-info.org/Portals/0/PDFs/Resources/Compliance_Today/0213/CT_0213_SheldonDean-Phalke.pdf. Published February 2013. Accessed December 2015.