HIPAA Compliance on Social Media: A Guide for Private Practices
If you’ve been following our blog, you probably have a pretty good understanding of why you should be using social media to grow your business.
Social media not only allows you to connect with your existing clients on a different level, but it also allows you to provide educational materials that will help establish your expertise with new potential clients. Plus, it’s a great way to continue to build your overall brand.
As beneficial as social media marketing is for businesses, many private practice owners shy away from social media for fear of unknowingly violating the Health Insurance Portability and Accountability Act (HIPAA).
HIPAA violations can come with some pretty substantial penalties – fines, sanctions, even loss of license in some cases – so we totally get why ignoring digital marketing and social media may seem like the easy way to go.
But we’re here to tell you that you don’t have to choose between HIPAA compliance and growing your practice online. Using social media doesn’t have to feel like walking through an ethical minefield. You simply need to understand what is and what is not allowed by law.
Read on to learn how you can use social media to grow your practice while maintaining HIPAA compliance.
What Is Protected Health Information (PHI)?
Because HIPAA was enacted several years before social media (as we know it today) really took off, there’s no official set of HIPAA social media rules. However, the same HIPAA privacy standards apply to social media use.
HIPAA guidelines define Protected Health Information as “anything – vague or specific – that could reveal the identity of a patient.” Well, speaking of vague, what the heck does that really mean?
There are actually 18 items that are considered to be “individually identifiable health information” under HIPAA.
Types of PHI:
- Names, including nicknames and names used on social media
- Address, or any other geographical location information
- Dates, except for the year (e.g. birthdate, appointment dates, admission/discharge dates, etc.)
- Phone number
- Fax number
- Social security number
- Email address
- Medical record number
- Any other account numbers
- Health plan beneficiary number
- Any other certificate or license numbers
- Vehicle information such as license plate numbers or the make/model/color of a vehicle
- Web URLs or social media links
- Device identifiers or serial numbers
- Internet protocol addresses (IP addresses)
- Biometric identifiers such as fingerprints, retinal scans, or voice recordings
- Photos, even if they’re not showing anyone’s face
- Anything else that compromises the patient’s identity
Using any of the above information about a client on social media – even with their permission – could be considered a HIPAA violation and should be avoided to protect your clients’ privacy. But, that shouldn’t mean that your practice should be precluded from having a presence on social media.
Maintaining HIPAA Compliance on Social Media
According to Healthcare Compliance Pros, 74% of Internet users are active on social media. Not only that, 80% of those who use social media actually use it to research doctors, hospitals, medical news, and other medical-related information.
Without a doubt, social media is a great way to help position yourself as an expert in your field and attract new patients.
But, before you start posting across the various platforms, it’s important to make sure you really understand what’s allowed and what isn’t.
Engaging with Clients
HIPAA should not prevent you from engaging with clients online – it just means that you should take some additional precautions in doing so.
As a therapist you work really hard and you take pride in what you do, so a negative online review can be extremely disheartening. In most cases, a prompt response can resolve the issue. Furthermore, it will show other potential clients that you are empathetic to the client’s experience.
Responding to a review without revealing any identifying information can be difficult, but it isn’t impossible.
Just remember to keep your response as vague as you can. Even though a client left a review with their name on it, this does not mean you should address them by name in your response. Also be sure to withhold any other information about the client or the situation they’re referring to in their review, including any appointment dates, treatments discussed, or the reason for their visit.
General responses are going to be your best bet in order to be in compliance with HIPAA. Try to follow this format:
- Thank them for their feedback or, at least let them know that you value the feedback
- Offer a solution (e.g. a free appointment)
- Let them know that you would love to hear from them again and ask them to contact your office directly
Posting and Sharing
Whether you’re adding a new article to your website’s blog or posting to social media, you always want to be 100% sure that nothing you’re sharing could identify one of your clients in any way. That includes any one (or any combination) of the 18 types of PHI we listed earlier.
Even information that isn’t necessarily listed above – such as their race, occupation, income bracket, political affiliation, age, or marital status – shouldn’t be disclosed about a client.
So what can you post on social media?
- Share mental health tips that may help your specific client-base
- Link to new research related to your specialty
- Share inspirational or motivational quotes
- Let clients know about upcoming public events your practice will be hosting or participating in
- Brag about any awards your practice has received
- Let clients get to know you better with staff bios and photos
- Offer discounts or special offers
- Promote posts from your website’s blog
- Announce new business partnerships
When it comes to HIPAA compliance, it’s always best to err on the side of “better safe than sorry.” It’s important to make sure that not only do you understand what is and isn’t acceptable on social media but that all of your other employees do as well.
Create A Social Media Policy for Your Therapy Practice
It’s a good idea to come up with an official Social Media Policy and include it as part of your New Client Intake Paperwork. Clearly establish your guidelines regarding your professional use of social media.
This way, there won’t be any confusion or hard feelings in the future if you need to decline a client’s friend request, or their request for you to “like” or “follow” their own business page, because you’ve already let them know your stance.
Here’s a list of a few key points you could include in this document:
- An explanation for why you’ve created this policy
- Friending policy
- Liking policy
- Following policy
- Sharing policy
- Public Conversations or Posting policy
If you’d like to find out more about how to write your own Social Media Policy, check out this post from SimplePractice’s blog.
Conduct a Mandatory HIPAA Training for All Employees
In addition to creating a Social Media Policy, we also suggest following this up with regular HIPAA trainings for anyone and everyone allowed behind “closed doors” in your practice. This allows your employees to learn from HIPAA violation examples and ask questions.
Making your employees aware of the rules (and consequences) will significantly reduce the number of violations that could occur either in or out of the office.
Most therapists would never intentionally reveal their clients’ protected information, but it’s important to always be mindful of anything and everything you’re sharing on social media. Before sharing that impromptu photo of your staff having fun in the office on a slow day, scan the background for potential privacy violations, such as a client’s file sitting on a desk or a sticky note with a client’s phone number stuck to a computer monitor. This is exactly the type of unintentional act that could get you into trouble with HIPAA.
Before using anything that could be considered PHI on social media (or any other marketing materials) a client must give written consent via the proper channels, and even then it can only be used for the purpose specifically mentioned in that written consent.
If you want to include any photos, recordings, stories, or quotes from any of your clients in your practice’s marketing materials – whether online or on paper – it’s important to speak to an attorney first. They will be able to help outline the best practices for doing so, including any required consent forms and/or retention of photographic rights.
Growing Your Business
Now that you have a pretty good idea about what you can and cannot post on social media with regard to HIPAA, let’s put that knowledge to work!
Brighter Vision’s new social media management tool, Social Genie, can provide you with thousands of pre-written posts that are 100% HIPAA compliant.