Generally, when people think about medical staff violating HIPAA (Health Insurance Portability and Accountability Act), they recall news stories like the emergency room nurse who divulged the medical status of a football player, or the doctor who posted that a model was admitted for binge drinking. Most people would be stumped if they had to craft a scenario where an optician or optometrist would accidentally violate HIPAA on social media, but it is possible. It’s very important to take HIPAA seriously, and to be extra careful not to violate the privacy of patients where HIPAA and social media come together.
Social media can be a fun and engaging way to connect with your patients and supporters, so don’t let HIPAA scare you away from social media altogether.
Just keep these HIPAA and social media tips in mind:
Get to know social media. There are lots of websites out there that help business owners understand different platforms and how to use them. You need to know enough to advise staff on what to do and what not to do.
Develop a social media policy. Maybe it’s as simple as including a social media policy for staff in their new hire paperwork that states that they are allowed to say where they work and what they do, but should never refer to patients even in general terms, or divulge any other protected information.
Post your social media policy for visitors and have it on your website. You want to encourage patients to check-in on Facebook, or to post pictures of their new glasses to Instagram and tag your practice, depending on which social platforms you use. Feel free to post a sign that says which social media platforms you use (as in “Find us on Facebook and Yelp!”). Use that sign to post a short paragraph letting patients know that you won’t take their picture or use any of their information without their knowledge for social media or anywhere else.
Leave social media for socializing and advertising. It’s best for patients and doctors not to collaborate on medical advice or treatment over social media platforms. Stick to secure portals like practice email and the office phone lines. Even if you think correspondence is private, the terms for social media channels usually declare that your information and messages are not necessarily private. Plus, deleted posts can live on, and people can take screenshots of anything you post, even if it is only available for a minute.
Avoid interacting with protected health information, even if someone else posted it. Do not assume that a patient posting their private health information makes it okay for you to comment, repost, or otherwise interact with their information. It’s safest to avoid the situation because you could be violating their privacy.
Social media makes conversations easy. That’s good and bad. It can open up dialogue with an old friend, or help you keep in touch with parts of your network that would otherwise mostly be forgotten. The problem is that it makes instant, widespread, unfiltered communication possible, so you should always think about what you’re saying on your own pages, and what you are posting to the practice page.
Social Media