Money, Marketing & Soul Blog

Patients, PHI, Social Media and HIPAA

Special Note: The term “patients” is used here because we are discussing medical clinics and HIPAA in particular. However, this applies to ALL businesses with clients and customers. Your clients, customers, and patients deserve (and legally have the right to) privacy. Please read and heed the warning even if you aren’t bound by healthcare laws.

Oh my! It almost sounds like we are heading to Oz, yes?

Last week I spoke at a local PMI conference about how to leverage social media to grow your practice and engage patients. Lucky for me, one or two speakers earlier in the day told her audience that it is a HIPAA violation to respond to a patient’s comment on social media. In my presentation I pushed back on that, and I would like to expand on that topic today, as it is pretty simple to use social media to promote your practice and engage your patients, all while avoiding a HIPAA violation and protecting PHI.

Don’t worry, you absolutely CAN respond to social media comments and reviews. HOWEVER, there are some things you should be aware of to avoid HIPAA violations and general hand slaps.

First, let’s look at what is considered a HIPAA violation on social media networks. Under HIPAA guidelines, a violation is a use or disclosure without permission under the Privacy Rule that compromises the security or privacy of the protected health information (PHI). Examples may include:

  • posting gossip about a patient, even if the name is redacted
  • posting photographs
  • sharing workplace photos with any visible patient information in the photograph

“If you wouldn’t or couldn’t say it in public, then you can’t say it on social media.”

So what do you do to cover your practice’s you-know-what?

  1. Get Consent. Don’t share ANY photographs, testimonials, or stories of patients without express written consent.
  2. Checks and balances. Have posts scheduled and reviewed by an extra set of eyes to make sure that there aren’t any violations present.
  3. Never include specifics. Even in response to a patient. Direct the poster to contact the office directly and thank them for their feedback. Sometimes patients will take to the interwebs to complain…your response can be something to the effect of “We are sorry you feel your experience wasn’t up to our standard of excellence. Thank you for your feedback. Please reach out to our office manager directly at 555-555-5555 and we would be happy to assist you.”
  4. Seek outside help. If it is difficult for staff that interact daily with patients to avoid over-sharing on social media, consider hiring an outside firm. This always costs less than a dedicated marketing staff in house. Usually these services can be found for around $300-1500 per month.

The key to remember is: when in doubt, get consent or leave it out. It is the popular view, and our view at IMG, that writing a de-identified patient narrative using a respectful tone on a blog or other social media site is no different than similar narratives published in books and medical journals. This in itself is not morally, ethically, or legally wrong (1).

(1) https://pdfs.semanticscholar.org/e2ed/e30007b5d271c5ebbd132ae97bbdd429cda6.pdf