If you’re a HIPAA-covered organization that uses social media (and you probably do), beware of HIPAA violations. Breaches happen all the time through a healthcare organization’s social media accounts or from their employees’ personal accounts.
Common breaches include posting pictures of patients without first getting their consent or posting a picture with sensitive information (such as a patient chart) visible in the background. A violation of patient privacy can result in lawsuits, lost jobs, fines, and harm to your organization’s reputation.
So what should you, as a Privacy Officer, do to keep your organization’s social media presence HIPAA compliant? We recommend the following six steps:
- Establish roles, responsibilities, and approvals
- Implement social media policies and procedures
- Include social media on your risk analyses
- Train your team
- Monitor your social media activity
- Be prepared for an audit
1. Establish Roles, Responsibilities, and Approvals
First things first: put someone responsible in charge of creating, monitoring, and controlling your organization’s digital presence. This could be one person or an entire team. Once you have a social media manager or team, make sure no one else can access the organization’s accounts.
A social media manager’s responsibility is to screen posts for HIPAA violations. Therefore, make sure they know what counts as a violation and what does not. They will also be responsible for getting patient consent before posting a photo. You can also have them send photos, videos, and other content to your compliance department before posting it.
Furthermore, make sure the social media manager knows how to respond to a crisis on social media; if it’s a potential HIPAA violation, they must inform you right away.
2. Implement Social Media Policies and Procedures
Develop policies and procedures for how your organization should use social media. Hold your organization’s digital presence to high standards and put these standards in the policies and procedures. Make sure to get buy-in from your social media manager or team, who are responsible for carrying them out.
Your policies and procedures must include how to respond to online reviews. Read about this recent social media breach caused by a small dental practice that responded to Yelp reviews with patients’ last names and health conditions. The dental practice paid $10,000 and was issued a corrective action plan.
Lastly, remember to review and update your policies and procedures as needed. As the digital landscape changes, so must your policies and procedures.
3. Include Social Media on Your Risk Analyses
Another way to make sure your social media accounts stay HIPAA compliant is to include them in your risk analyses. How much risk does your online presence place on your organization? What controls (such as policies and procedures) are in place to protect patient privacy? What HIPAA violations could happen and are you prepared to respond quickly to resolve them?
4. Train Your Team
Though it’s important to establish a culture of trust among your team, be aware that employees may knowingly or accidentally violate HIPAA on their personal social media accounts. For example, a nurse who has had a long day may take to Facebook to rant about an especially difficult patient. Or a technician on Snapchat may not realize their workstation monitor is visible behind them.
Train staff members on your social media policies and procedures when you hire them and periodically after that. In this training, explain what appropriate and inappropriate online behavior looks like. Use real-world examples to discuss the serious consequences of HIPAA violations, and make sure they understand that inappropriate social media use will jeopardize their job. However, be careful not to create a culture of suspicion and distrust. Instead, model positive social media behavior for your team and reaffirm your organization’s commitment to protect patient privacy.
Finally, make sure physicians know not to use social media for clinical purposes; they must never engage with a patient about his or her specific health concerns on a public site.
5. Monitor Your Social Media Activity
HIPAA compliance isn’t a “set-it-and-forget-it” activity, and neither is social media. Stay tuned in to the online world. What information about your organization and patients is floating around on the World Wide Web? Are any online conversations potentially violating patient privacy?
Have a plan to address misconduct that you discover online. Don’t wait for the social media manager to alert you. Keep your ear to the keyhole and be ready to act fast.
6. Be Prepared for an Audit
If the Office for Civil Rights audits your organization, you’ll need to be able to account for your online activity. Work with the social media manager to keep documentation of all social media activity, security incidents, and mitigation efforts.
This is another reason it’s important to establish roles and responsibilities, an approvals process, and policies and procedures around your social media accounts. In an audit, you’ll need to show the steps your organization has taken to proactively address privacy and security concerns.
In summary, HIPAA violations are all too common on social media, whether an organization publishes a careless post or an employee gossips about their patients. Establish standards for appropriate social media use and put them in writing in your policies and procedures. Equip your team to uphold patient privacy online, and always be ready to catch and resolve potential violations as they come to your attention.