Hospitals and Providers: How to Address Concerns about HIPAA and Social Media
by Andrea White on October 19, 2010 | 6 comments
A follow-up to last Tuesday’s blog post on HIPAA & Social Media…
There are systematic ways to address concerns and avoid HIPAA violations in social media. And frankly, your legal counsel and C-Suite will be much more comfortable with your recommendations regarding social media if you put some of these mechanisms into place.
- Make sure your organization has a clear social media policy, much like your Internet policy, for personal and professional references to the organization and patients.
Connect employees’ conduct online to the expectations of your Code of Conduct. Encourage positive representations of your company and disallow anonymous posts. Make it clear to your employees that they represent your company even when they are using social media for personal use.
- Post a Comment Policy on your Facebook Page – written in lay language – to explain the reason for the forum and your policy for removing posts.
This policy truly doesn’t have to be complicated, but it needs to clearly state the forum’s intended purpose (to share information with the community about hospital services, medical trends and resources, etc). It also needs to make your position known about avoiding the use of PHI in this forum.
- Conduct frequent employee training about HIPAA security in the context of new technologies.
Sometimes employee training is a half-day workshop, but sometimes a refresher can be as simple as a five-question “What would you do?” survey pushed out to all employees with a drawing for a prize among those who get them all right.
- Develop standard responses to use when an online conversation involves PHI.
It may be as simple as, “Out of respect for our patients we have removed a comment to ensure the privacy of protected health information.” And then you may want to follow up with the individual who made the post, communicating in a HIPAA-compliant format like the telephone or encrypted email.
- Establish safeguards to discourage patients and visitors from taking photos of other patients or otherwise revealing PHI.
Though it is not a HIPAA violation for a patient to post a photo of another patient online, it could still lead to a PR nightmare. Put employee policies in place to avert these behaviors and post appropriate signage about the importance of protecting patient privacy. This will be reassuring to patients and serve as a good reminder to employees.
- Require Business Associates (e.g. outside marketing firms, graphic designers, web developers, PR consultants, etc.) to participate in training or require some other form of extra accountability.
Because they are an extension of your organization and considered a covered entity under HIPAA, they need to understand the requirements and the risks.
How is your hospital/healthcare organization addressing HIPAA concerns in social media?





Andrea,
I work in the Marketing and PR Department at Beaufort Regional Health System, at a small 144-bed hospital in Washington, NC. We are currently entertaining the idea of social media and community email marketing strategies. Do you have any advice on an e-community newsletter using patient email addresses that were voluntarily given during new patient check-in?
Amanda,
Congratulations on the new initiatives. Obviously, we come at this from a marketer’s perspective (because we certainly aren’t lawyers) but I’m glad you found our research useful!
For your enewsletter, it sounds as though you will need to evaluate three concerns from a HIPAA standpoint: the use of this email list, the methodology of the way it is used and the content of the newsletter.
I am happy to help dissect these issues to help you down this path if that would help. As a starting point, another of our recent blog posts may help you begin thinking about content concerns, http://www.lovell.com/blog/?p=1397.
Andrea
Pingback: Engaging Conversations on Healthcare using Social Media | HL7 Standards
Erica,
Thanks for linking to your terrific blog post on toolkits for healthcare in social media. Great resources!
Andrea
Hi Andrea,
While all your points are quite valid, I’m wondering if having technology in place that would help monitor, moderate and secure social media usage by employees and any posting to a corporate site/page should be on your list. There are lots of solutions already in use in the financial services industry enabling compliance to FINRA/SEC guidelines around social media usage. With their fiduciary responsibilities similar to if not greater than HIPAA’s, I’d think it’d be in healthcare’s best interests to keep leveraging the community building powers of social media but to do so not only with policy, training/education but technology as well.
Pingback: When Social Posts Go Awry – A Reminder to Healthcare Workers | Lovell Communications