When we talk to medical practitioners and practices, including hospitals, about social media, the one concern we hear over and over is potential HIPAA violations.
The short, almost flippant, answer is “you didn’t violate HIPAA when you got a fax machine, email, or a cell phone. Just do the same things you did when you weren’t violating HIPAA with that technology.”
And that's usually enough to keep you out of trouble. But there are still some important points that people don’t think about. So here are our recommendations for doing social media in an age of HIPAA.
- You can’t acknowledge a patient’s compliments, because to do so would be to acknowledge that they were a patient. While it’s one thing if a person compliments you via Twitter, it’s another thing if that compliment shows up on your Facebook page. You should remove those, unless you can make the person anonymous (and you can’t).
- The same is true for complaints. Unlike a restaurant, which can offer to fix a problem wherever a complaint is made, you can’t do that. Instead, develop a standard message where you urge any and all people to contact your office directly. And then remove the complaint from your page.
- If you offer testimonials on your page, remove any and all identifying information. Refer to the patient by their initials, or at least first name and last initial. Never refer to any specific symptoms or ailments online.
- Keep your personal and professional accounts separate. Don’t friend patients at all with your personal account. And try to encourage more than just patients to “Like” your practice page.
There are still some subtle nuances about HIPAA that confuse medical practitioners about what can and can’t be done. If you’re not sure, check with your compliance officer or another doctor for the answers to any questions you may have.