With the increase in social media popularity, professionals in the healthcare industry are seeing new and alarming trends. Healthcare workers often post about their workday on sites like Facebook. They may even post photos of their friends at work. We’ve all seen photos of a group of friends at a hospital or clinic goofing around.
Though everyone enjoys posting about their daily life at work, for the healthcare industry, this has become a growing problem when it comes to HIPAA compliance. In fact, the issues have escalated to where it’s a virtual minefield of compliance violations that could blow up at any moment.
HIPAA violation fines can be huge, so why aren’t employees better trained in what is and what is not acceptable?
The company Facebook page
Another area of potential compliance issues is those company Twitter and Facebook pages. Most businesses including healthcare, post daily to their social media accounts. This can be a great way to connect with your customers/patients. Social media is a unique place to interact on a personal level with people. For the healthcare industry, there are a number of restrictions about what you can share.
Some of these regulations are common sense. If you just got out of surgery, then you probably don’t want anyone posting your photo on Facebook. We should all know how important patient security is. From health plans and patient medical records to hospitals and doctors, we can’t be too careful.
Data breaches in hospitals are increasing at an alarming rate. We certainly don’t want to make it any easier for cyber thieves to break in and steal our health information.
Protecting PHI
It is never acceptable to post any type of info that is considered Protected Health Information (PHI). This includes a patient’s name, address, date of birth, social security number, financial information, photos—if something you post can in any way identify one of your patients, then it’s a violation of HIPPA. If the patient or a family member see that posted on social media, they can file a complaint and your organization may have to pay hefty fines.
PHI includes all demographic information that might, in any way, identify one of your patients. According to the HIPAA Privacy/Security Rules, you can’t use this PHI in your marketing campaigns or on social media platforms. Every precaution must be taken to avoid revealing the identity of a patient.
What can you post on social media?
Now that we know what you can’t post on social media, what types of info are safe to post? Every business, including healthcare, has a right to use social media to improve their rankings and interact with people in general. It would not be fair to take that away from healthcare organizations. Having a social media presence has become a basic human right for every company. It’s a proven way to attract new business and promote your brand.
At the end of the day, the hospital down the street is just another business trying to survive in a complex global marketplace. Healthcare professionals often use social media platforms to expand their professional network. This has become a common practice. As our world moves more into interacting on the internet, we must all know the rules to avoid making costly mistakes.
So let’s take a look at some of the information you can post on social media—things that will not get you in trouble with HIPAA:
- Upcoming events patients might find interesting
- Profiles of staff members
- Useful health tips
- Exciting new research related to your field
- Discounts and special offers on services
- Awards and honors your organization has received
You can also advertise any of your services as long as you do not include any protected health information. Remember that PHI includes photos of patients, so be careful if you and your staff are taking pictures in the lobby. Make sure there are no patients lingering in the background before you snap that photo.
HIPAA Policies and Procedures
The responsibility for using guidance concerning HIPAA most often falls to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Each year, this organization issues the standards and policies for compliance. They work to ensure that all healthcare organizations know and understand HIPAA regulations. In addition, they have special guidance on how health care professionals can safely use social media in their day-to-day activities.
These standards should be well-known to all the principles in your organization, but the employees must also be aware. Most organizations post the special policies regarding HIPAA standards in a breakroom. But it can also be a good idea to have monthly meetings where you discuss the regulations with employees.
Educating employees
Many hospitals and clinics have a fairly brisk employee turnover rate. Large hospitals are constantly hiring new people all the time. How will those new employees get up to speed about HIPAA guidelines? What if a new employee who does not know about these regulations, takes a photo with a friend standing in front of a patient bed and that photo winds up on his Facebook page?
Things like this are likely to occur in large facilities. The “human factor” is often the weakest link when it comes to overall internet security. Educating every new employee, however, is the responsibility of hospital administrators. You can’t simply post the HIPAA regulations on a bulletin board and expect everyone to know what to do. There must be ongoing training that’s mandatory. The HIPAA fines are just too high to assume everyone is abiding by the rules.
Take a proactive approach
Policies must be well documented and updated annually. Regardless of the size of your practice, regular training is a must. Each healthcare organization should implement high-level security protocols to prevent accidental or intentional data breaches. Last year alone, data breaches in hospitals cost approximately $6 billion. This number rises steadily each year despite all the publicity; social media issues add untold complexities to the mix.
It is essential to do everything possible to make sure your staff knows and understands HIPAA regulations, especially pertaining to social media. This can protect your medical practice from liability in the event of a violation. HIPAA social media guidelines are an important part of ensuring that PHI remains secure. Compliance is everyone’s responsibility!