How to Stay HIPAA Compliant on Social Media

Being an expert on HIPAA compliance is part of the job as a dental professional. Whether you own your own practice, work part-time as a hygienist, or create dental marketing campaigns, it is your job to advocate for patients and protect their health information.‍

This has many dentists rightfully wondering how HIPAA fits into social media marketing. After all, posting patient photos and testimonials on social media has become a key strategy in growing dental practices.

Marketers may smile and clap, but most medical professionals shrink back as the HIPAA hairs on their necks start to rise.

The anxiety surrounding HIPAA violations on social media often keeps dentists from taking full advantage of social media marketing, but with around 80 percent of people in the U.S. on social media, this isn’t a sacrifice you want to make.

It all boils down to knowing the rules and constantly keeping them in check.

Though HIPAA compliance always takes time and training, implementing it on social media is actually easier than you might think.

HIPAA and Social Media — Where Are We Now?

HIPAA has been around for over 20 years, long before social media started dictating marketing campaigns.

The act works to prevent healthcare providers from using or sharing a patient’s protected health information (PHI) without consent. This includes a patient’s name, full face images, phone numbers, email addresses, and more.

For dental practices, HIPAA compliance traditionally meant managing paper files, encrypting ePHI data, and getting written consent for file transfers.

It is all about protecting patient information and identity, which can look very different on social media.

Posting a photo to Instagram, sending a Snap, or communicating through “private” messaging services like Facebook Messenger or WhatsApp can seem harmless. However, without strict attention to HIPAA, one post can easily damage a career and put a patient at risk.

While there are no explicit rules regarding social media in HIPAA, the laws and protections still apply.

To help with the technological revolution, the Department of Health and Human Services Office for Civil Rights has been working to provide some guidance to healthcare professionals about the HIPAA policies that relate to social media.

These rules are proving to be more than just preventative, as the number of cases of HIPAA violation on social media are on the rise.

A recent investigation found 35 nurses having committed HIPAA violations on social media, which resulted in disciplinary action, termination, and even some jail time.

Again, these violations are serious but simple to avoid with the right preparation and communication. Here are ways to guarantee your practice is HIPAA compliant on social media.

Ensuring HIPAA Compliance

Know what a HIPAA violation looks like on social media

HIPAA prohibits the sharing of any patient information on any social media platform. Be it private or public, quickly deleted or left up for weeks, any sharing of this info is a violation.

Even talking about patients in a private Facebook page or sending temporary pictures on Snapchat can constitute a HIPAA violation.

When discussing HIPAA compliance, it's important to go over specific violations with your team. Some common missteps on social media include:

• Sharing images/videos of patients without written consent
• Posting photos inside your practice without realizing a patient file is visible
• Sharing images, videos, or information in a private social media group that may identify a particular patient
• Posting information or gossip about patients, even if the patients is not named
• Assuming posts are private, secure, or deleted when they are not

HIPAA violations cast a much wider net on social media than people might realize.

It's imperative that you go over each social media platform with an eye to potential HIPAA violations. This preventative education will help team members recognize any potential violations before they occur.

Create a written social media policy for your practice

Setting clear rules and expectations for your team is the next step in preventing costly violations.

Policies are important for marketing directors or your social media manager for obvious reasons. However, they should also be in place for team members who may never touch your Facebook page.

Any person who comes into contact with patient records or information should know exactly what they can and cannot do both during and after work hours.

Having a detailed written policy that is easy to reference is the best way to protect your team from HIPAA violations.

Provide social media HIPAA policy compliance training early and often

After creating your policies, get your team up to speed with social media training. If you have not already, include this specific training as part of HIPAA training for new hires.

Social media has become so ingrained in our daily lives that some employees may not even realize they're at risk for violating HIPAA.

Something as innocuous as snapping a photo of a team group with a patient file in the background could put them at risk of HIPAA violation.

Provide follow-up training at least once a year as a refresher. This gives you a chance to discuss new social media platforms, address any questions, and keep your team vigilant against violations.

Understand the severity of HIPAA policy violations

Just because a violation happens on social media does not make it any less consequential.

One famous case made news when a nurse posted an inappropriate photo of a patient that resulted in her termination, 30 days in jail, and a hefty fine.

When it comes to violations, HIPAA has four categories that range in levels of intention and ability to prevent the situation. Depending on severity, they can incur up to $50,000 per violation.

Going over these numbers and fines is not meant to threaten or scare your team away from social media. Instead, it will help bring to light the very real consequences of often unintentional mistakes.

Have a set procedure to get written consent from patients

Always get consent from patients before using their picture, a quote, or any individual identifiers on your social media accounts.

Since the most common violations involve posting photos or videos, it is a good idea to have several consent forms on hand for patients sign should you want to use their photo to promote your practice.

Even if it is a returning patient excited to take a photo, the written consent is always a must! Remember, this is to protect both the patient and the practice.

Tips for posting on social media

• Look at every post through a HIPAA lens: Ask yourself whether or not a post could violate a patient’s privacy
• Speak with your compliance officer to make sure all of your accounts are HIPAA compliant
• Designate specific areas for social media photography in your practice: This will not only prevent unwanted information from sneaking into photos, but it will also likely increase the quality and consistency of the posts
• Don’t engage with patients in comments or reviews who have disclosed personal health information
• Don’t rely too heavily on patient photos or testimonials: Asking for constant consent to use one person’s photo can be fatiguing and hurt patient retention rates
• Engage with patients by using non-promotional content that brings value to their day: Use branded graphics, blog posts, or fun dental-themed holidays to fill your social media calendar

While HIPAA compliance on social media should be taken seriously, it shouldn’t take you out of the social media game.

Social media is an incredible marketing tool that can elevate your practice at absolutely no cost to you.

Whether or not you decide to use patient images or videos in your dental marketing strategy, social media isn’t going anywhere.

As it continues to evolve under the umbrella of HIPAA, so should your practice by using these best practices.

Learn more about how RevenueWell improves case acceptance and creates more close-knit relationships between dentists and their patients.