Posted on 10.19.2010
Hospitals and Providers: How to Address Concerns about HIPAA and Social Media
A follow-up to last Tuesday's blog post on HIPAA & Social Media...
There are systematic ways to address concerns and avoid HIPAA violations in social media. And frankly, your legal counsel and C-Suite will be much more comfortable with your recommendations regarding social media if you put some of these mechanisms into place.
- Make sure your organization has a clear social media policy, much like your Internet policy, for personal and professional references to the organization and patients.
Connect employees’ conduct online to the expectations of your Code of Conduct. Encourage positive representations of your company and disallow anonymous posts. Make it clear to your employees that they represent your company even when they are using social media for personal use.
- Post a Comment Policy on your Facebook Page – written in lay language – to explain the reason for the forum and your policy for removing posts.
This policy truly doesn’t have to be complicated, but it needs to clearly state the forum’s intended purpose (to share information with the community about hospital services, medical trends and resources, etc.). It also needs to make your position known about avoiding the use of PHI in this forum.
- Conduct frequent employee training about HIPAA security in the context of new technologies.
Sometimes employee training is a half-day workshop, but sometimes a refresher can be as simple as a five-question “What would you do?” survey pushed out to all employees, with a drawing for a prize among those who get them all right.
- Develop standard responses to use when an online conversation involves PHI.
It may be as simple as, “Out of respect for our patients we have removed a comment to ensure the privacy of protected health information.” And then you may want to follow up with the individual who made the post, communicating in a HIPAA-compliant format like the telephone or encrypted email.
- Establish safeguards to discourage patients and visitors from taking photos of other patients or otherwise revealing PHI.
Though it is not a HIPAA violation for a patient to post a photo of another patient online, it could still lead to a PR nightmare. Put employee policies in place to avert these behaviors and post appropriate signage about the importance of protecting patient privacy. This will be reassuring to patients and serve as a good reminder to employees.
- Require Business Associates (e.g. outside marketing firms, graphic designers, web developers, PR consultants, etc.) to participate in training or require some other form of extra accountability.
Because they are an extension of your organization and considered a covered entity under HIPAA, they need to understand the requirements and the risks.
How is your hospital/healthcare organization addressing HIPAA concerns in social media?