The world of social media can be a danger zone if you don’t understand the risks
SOCIAL MEDIA IS A POWERFUL TOOL FOR SHARING HEALTH INFORMATION, educational products, testimonials and experiences, and for building your business. A survey of 4,000 physicians published through the National Center for Biotechnology Information found that more than 90% use social media for personal reasons and 65% use it for professional reasons. As for patients, according to Doctor.com, 63% of patients choose one provider over another based on the physician's strong online presence.
As with all tools, the more powerful they are, the more safety precautions you must have in place. Entering the world of social media can be a danger zone if you do not understand the risks and necessary safeguards. The first step or safeguard is basic, yet it is the most overlooked by providers nationwide: Many providers do not know what type of information is considered protected health information (PHI). And many do not know how their state defines personally identifiable information in their data privacy laws.
The 18 identifiers of PHI
Before a provider enters the world of social media, we recommend the practice goes back to basics. Start with identifying what is considered PHI. The Health Insurance Portability and Accountability Act (HIPAA) defines PHI as individually identifiable health information that is transmitted or maintained in electronic media or in any other form or medium. Some providers think PHI is only the medical record, a treatment note or a similar type of medical documentation. Health and Human Services (HHS) makes it simpler: its Safe Harbor de-identification standard lists 18 identifiers, and health information tied to any one of them is PHI:
- Names
- Geographic subdivisions smaller than a state (street address, city, county, ZIP code)
- Dates directly related to the individual, other than the year (birth, admission, discharge, death), and ages over 89
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate or license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web URLs
- Internet protocol (IP) addresses
- Biometric identifiers (voice prints, fingerprints)
- Full-face photographs and any comparable images
- Any other unique identifying number, characteristic or code
The next step is to track PHI in your clinic’s workflow; you cannot protect something if you do not know where it resides. During this process, a provider may identify applications used to communicate with patients, such as a text reminder service, email reminders, office emails and personal cell phone text messages. When they properly track PHI, they may find it in their online social media presence, such as Facebook, Instagram, Twitter, LinkedIn or in Google review postings. Providers should create a team approach to protecting patient information by training all staff to identify PHI without hesitation.
Social media misinformation
HIPAA was established more than 25 years ago when social media did not exist. Even though a provider may not find a black-and-white rule about social media, both the Privacy Rule and Security Rule have standards that apply to social media regarding authorized PHI disclosure.
Misinformation #1: It is not considered an impermissible disclosure as long as the patient’s name is not posted.
There have been several reportable breaches along with penalties for doctors who posted on social media or in a Google review but did not mention the patient’s name. In most cases, they forgot about the other identifiers of PHI. In some situations, there were enough details about the issue or condition that others in the community could identify the patient. In one instance, a provider had no idea the application automatically filled in the patient’s social media handle on the response and made it possible to identify the patient.
Misinformation #2: If a patient initiates the conversation, they are accepting the risk and authorizing the provider/clinic to respond.
This common piece of misinformation can sink your HIPAA compliance. HHS does state, “Patients may initiate communications with a provider using email. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) email communications are acceptable to the individual.”1
Unfortunately, this does not apply to social media. Social media postings must not include PHI, regardless of who initiated the conversation. If a provider wants to post something about a patient, such as a testimonial, they will need a signed HIPAA authorization from the patient to disclose PHI. The authorization should describe what PHI will be disclosed, to whom, and how and why it will be disclosed. So how can a provider know for sure that this email guidance does not extend to social media? The proof is in the Office for Civil Rights (OCR) investigations.
Social media mishaps
Providers often defer to what their colleagues are doing or to the accepted norm when posting on social media. That is a dangerous approach to HIPAA compliance. When providers cannot find a scenario to help interpret a law or rule, they can look at how the law is enforced. The following HIPAA settlements show how OCR treats social media postings.
HHS OCR reaches agreement with New Jersey health care provider that disclosed patient information in response to negative online reviews: “New Jersey psychiatry practice pays $30,000 to settle complaint about impermissible disclosure of protected health information of a patient when the entity posted a response to the patient’s negative online review. In addition to the patient who filed the complaint, OCR’s investigation found that [the] center impermissibly disclosed the protected health information of three other patients in response to their negative online reviews.”
HHS OCR enters settlement with dental practice over disclosures of patients’ protected health information: “The violation involves the provider’s inappropriate use of social media to respond to patient reviews, disclosing protected health information. This practice is illegal under HIPAA. [The] practice paid $23,000 to OCR and agreed to implement a corrective action plan (CAP) to resolve this investigation.”
Responding to a social media post
Understandably, a provider may feel hesitant about engaging with patients via social media. However, growing a social media presence is possible if the provider controls the content and the interactions with patients. All staff should have a clear understanding of what can and cannot be posted on the office’s social media site. One of the biggest dangers of social media regarding HIPAA is commenting on posts made by patients. It is natural to want to respond to positive comments, but those good intentions could get a doctor in hot water.
A positive post from a patient can put an extra spring in the doctor’s step, but it can also spring them into a HIPAA violation. The doctor’s response should never acknowledge the patient was treated in the clinic. Here are some simple and generic responses to a positive comment from a patient:
“Over the years, we have seen hundreds of successful wellness journeys and appreciate every one of them.”
“Our office takes pride in providing the best of care to the local region.”
“Our office works hard every day to bring quality care to our neighbors. We love the city of…”
“Our office takes pride in seeing patients benefit from the healing journey. Learn more about our services at…”
It can be difficult for a provider not to respond to negative comments about the practice or treatment. If a provider receives the dreaded negative post from a patient, the response must be vague with little to no emotion. Simply stating the practice’s office policy is the best approach. Here is a simple and compliant response:
“Our mission is for patients to have a healing experience at our clinic as we focus on integrity, honesty and compliance. Due to HIPAA privacy laws, we are unable to address concerns in a public forum. Our office contact information is …”
When establishing policies, providers should include sample responses or scripting and stick with the same vague response to negative reviews. This way, if there were a complaint and an investigation, OCR would see the same response to all the office's negative reviews, which would show it was not a personal response to the individual. This does not mean the provider cannot reach out to the patient directly through a phone call to discuss the negative posting.
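The identifier list and the scripted-response policy come down to one control: before a reply goes out, check the draft for identifiers and for wording that confirms a treatment relationship. The Python screen below is an added example, not code from the original article or from KMC University. The regex categories, the relationship phrases, the two sample drafts and the practice contact details (the example-clinic.test addresses and the 555 number) are all constructed for illustration. It catches the machine-detectable categories from the HHS list and lets the practice's own public contact details through, since those are not patient identifiers; names, addresses and descriptions of a condition still need a human reviewer, which is why the screen blocks a draft rather than approving it.

```python
import re

# Identifier categories from the HHS Safe Harbor list that a regex can catch.
# Names, street addresses and "any other unique characteristic" are left out on
# purpose: a regex cannot find them, so a human reviews every reply regardless.
PHI_PATTERNS = {
    "ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "phone_or_fax": re.compile(
        r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    # Month/day dates; a bare year on its own is not a Safe Harbor identifier.
    "date": re.compile(
        r"\b(?:\d{1,2}[/-]\d{1,2}[/-]\d{2,4}"
        r"|(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\.?\s+\d{1,2}(?:,?\s+\d{4})?)\b"),
    "ip_address": re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])"),
    "url": re.compile(r"(?:https?://|www\.)\S+", re.I),
    # Record, account, member, claim or device numbers: a label followed by a
    # token that contains at least one digit.
    "record_or_account_number": re.compile(
        r"\b(?:MRN|chart|account|acct|member|policy|claim|serial)"
        r"\s*(?:#|no\.?|number)?\s*:?\s*(?=[A-Za-z-]*\d)[A-Za-z0-9-]{4,}\b", re.I),
    # A platform handle auto-filled into a reply identifies the reviewer.
    "social_handle": re.compile(r"(?<!\w)@[A-Za-z0-9_.]{2,}"),
}

# Wording that confirms the reviewer was treated here. Confirming the
# relationship is itself a disclosure, even with no identifier present.
RELATIONSHIP_PHRASES = (
    "your visit", "your appointment", "your treatment", "your adjustment",
    "your x-ray", "your chart", "your insurance", "your diagnosis",
    "when you came in", "we treated you", "you were seen", "as your doctor",
)

# The practice's own public contact details are not patient identifiers.
# Constructed values for this example.
PRACTICE_CONTACTS = {
    "(555) 010-0100",
    "frontdesk@example-clinic.test",
    "https://www.example-clinic.test",
}


def screen_reply(text, allowlist=PRACTICE_CONTACTS):
    """Report identifiers and relationship wording found in a draft reply.

    Returns {"ok": bool, "identifiers": [(category, match), ...],
             "relationship_phrases": [phrase, ...]}; ok is True only when
    nothing was found. A False result blocks posting pending human review.
    """
    identifiers = []
    for category, pattern in PHI_PATTERNS.items():
        for match in pattern.finditer(text):
            hit = match.group(0)
            # Strip sentence punctuation that the URL/email patterns may swallow.
            if hit.rstrip(".,;:") in allowlist:
                continue
            identifiers.append((category, hit))
    lowered = text.lower()
    phrases = [p for p in RELATIONSHIP_PHRASES if p in lowered]
    return {
        "ok": not identifiers and not phrases,
        "identifiers": identifiers,
        "relationship_phrases": phrases,
    }


# Constructed drafts: the scripted response from the article with the
# practice's contact details filled in, and a reply that should never be posted.
COMPLIANT_DRAFT = (
    "Our mission is for patients to have a healing experience at our clinic as "
    "we focus on integrity, honesty and compliance. Due to HIPAA privacy laws, "
    "we are unable to address concerns in a public forum. Our office contact "
    "information is (555) 010-0100, frontdesk@example-clinic.test or "
    "https://www.example-clinic.test."
)
BAD_DRAFT = (
    "Hi @jdoe87, sorry your visit on 3/14/2023 went badly. Your MRN 4471823 "
    "shows we adjusted L4 after your x-ray. Call me at 555-123-4567 or "
    "jdoe@example.com."
)

if __name__ == "__main__":
    for draft in (COMPLIANT_DRAFT, BAD_DRAFT):
        report = screen_reply(draft)
        print("OK to post" if report["ok"] else "BLOCKED", report)
```

Run as a script, the compliant draft passes and the bad draft is blocked with the handle, date, record number, phone and email each listed by category, plus the two phrases that confirm the reviewer was a patient. Wire the same function into whatever tool staff use to draft replies, and treat a blocked result as "send it to the compliance officer", not as a list of words to edit out, because the regex sees nothing wrong with "the woman who came in last Tuesday with the neck brace".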
Social media has become an integral part of our lives, but it also poses a significant threat to privacy if handled without serious consideration of HIPAA safeguards. The clinic must keep HIPAA requirements front and center with the entire team. Posting reminders, such as these, can help create a compliant culture:
- Generic responses only.
- Think before you post.
- Refrain from using a social media page to contact patients.
- Never acknowledge the individual as a patient.
If you feel overwhelmed managing your HIPAA compliance and assessing the risks of interacting via social media, seek the assistance of a HIPAA specialist. HIPAA mistakes can affect your reputation with patients as well as lead to costly fines and penalties. So keep HIPAA alive in your practice and focus on protecting your patients’ privacy.
JILL FOOTE currently contracts with KMC University as a subject matter expert. She has developed a wide variety of curriculum for KMC University, state associations and chiropractic colleges. Previously, as senior manager of coding and practice management at the American Chiropractic Association, she served as staff liaison to the ACA’s Coding Manual Workgroup, ICD-10 Taskforce and the Coding Committee. As she worked with doctors on a national level, she saw a growing need for training in HIPAA compliance. She holds a certification as a Healthcare IT Specialist and is currently the owner of Easy Tech Compliance. She can be reached at Hello@easytechcompliance.com.
- “Does the HIPAA Privacy Rule permit health care providers to use email to discuss health issues and treatment with their patients?” Dec. 15, 2008. HHS website. Accessed Aug. 14, 2023. https://www.hhs.gov/hipaa/for-professionals/faq/570/does-hipaa-permit-health-care-providers-to-use-email-to-discuss-health-issues-with-patients/index.html.