Supporting HIPAA Compliance on Facebook: A Physician’s Guide
By Amber Turner On Sep 13, 2021 . 0 Comments
Social media, especially Facebook, can be a useful resource for practice advertising, professional networking, and patient engagement; however, many practices struggle with how to ensure HIPAA compliance in the social media age.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was passed far before the era of social media. Ergo, there are no laws or amendments that contain any explicit rules regarding social media usage. However, many of the existing laws and regulations have details that certainly apply to conduct within social media channels.
For those that aren’t familiar with HIPAA, the legislation “assures that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high-quality health care and to protect the public’s health and well being.”
Healthcare practices take HIPAA seriously and it sometimes is the reason some doctors or healthcare professionals shy away from healthcare social media marketing.
Employees who aren’t properly trained on HIPAA and social media can potentially expose your organization to costly HIPAA violation fines.
However, there are numerous benefits of marketing your practice on Facebook and infinite content you can share on Facebook while remaining safely HIPAA compliant.
We understand the risk your practice can take when the misuse of social media can lead to issues with HIPAA compliance, so read our helpful HIPAA Facebook guidelines to avoid any mistakes that can lead to HIPAA penalties.
We will also recommend content ideas you can use to succeed on the world’s largest social media platform while staying HIPAA compliant.
Understanding HIPAA Policies and Procedures for Facebook
HIPAA was enacted several years before social media networks such as Facebook were launched, so there are no specific HIPAA social media rules; however, there are HIPAA laws and standards that apply to social media use by healthcare organizations and their employees.
Protected health information (PHI) “Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual” that is:
Transmitted by electronic media;
Maintained in electronic media; or
Transmitted or maintained in any other form or medium.
HIPAA regulation forbids the use of PHI in marketing or social media campaigns, so this should be avoided at all costs to protect your patients’ privacy.
These are the 18 HIPAA Identifiers that are considered personally identifiable information (PHI):
Names
Dates, except year
Telephone numbers
Geographic data
FAX numbers
Social Security numbers
Email addresses
Medical record numbers
Account numbers
Health plan beneficiary numbers
Certificate/license numbers
Vehicle identifiers and serial numbers including license plates
What happens if you break HIPAA Rules will depend on the severity of the violation. The actions of employers, professional boards, federal regulators, and the Department of Justice will depend on several factors:
The nature of the violation
Whether there was knowledge that HIPAA Rules were being violated, or by exercising due diligence, it should have been clear that HIPAA Rules were being violated
Whether the action was taken to correct the violation
Whether there was malicious intent or HIPAA Rules were violated for personal gain
The harm caused by the violation(s)
The number of people impacted by the violation
Whether there was a violation of the criminal provision of HIPAA
Penalties for HIPAA violations can be issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general.
The four categories used for the penalty structure are as follows:
Tier 1: A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care had been taken to abide by HIPAA Rules
Tier 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care. (but falling short of willful neglect of HIPAA Rules
Tier 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation
Tier 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation”
Each category of violation carries a separate HIPAA penalty. It is up to OCR to determine a financial penalty within the appropriate range.
Tier 1: Minimum fine of $100 per violation up to $50,000
Tier 2: Minimum fine of $1,000 per violation up to $50,000
Tier 3: Minimum fine of $10,000 per violation up to $50,000
View an overview of large-scale HIPAA fines listed by year provided by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) here.
The HIPAA Privacy Rule places restrictions on the allowable uses and disclosures of protected health information.
However, as this incident shows, the patient does not need to be mentioned by name for them to potentially be identified. If any personally identifiable protected health information is posted on social media without consent first being obtained from the patient, it constitutes a violation of the HIPAA Privacy Rule.
Most HIPAA violations are accidental. Maybe PHI was in the background unknowingly. In some cases, employees don’t realize that what they’re posting is a HIPAA violation.
What NOT to share on Facebook
The first rule of using social media in healthcare is to never disclose protected health information on social media channels. The second rule is to NEVER disclose protected health information on social media.
Avoid posting any patient information, stories, and conditions even if the name is left out.
Also, never post photos of patients or their medical documents. That includes any photos where PHI might be visible in the background.
One of the most effective ways to protect your practice against HIPAA violations is to have policies and procedures in place to address each of the HIPAA regulatory standards.
These policies and procedures should be unique to the needs of your practice–which is why that dusty and often forgotten HIPAA policy binder in the corner of your office often isn’t enough.
Share this checklist below with the employee or marketing team managing your practice’s Facebook page.
Here are some additional precautions to take in terms of social media posting:
Don’t talk about specific patients in any way via social media.
Don’t share any workplace-related frustrations online.
Refrain from discussing patients even in a general way via Facebook direct messages and Facebook Groups (Private or Public).
Monitor the comment section and delete anything that could elicit a compromising response.
What you CAN share on Facebook
“Without a doubt, Facebook is a great way to help position yourself as an expert in your field and attract new patients.”
– Klara Morgan, Marketing Director @ Koda Digital
With the proper precautions being taken, there are still many ways to use Facebook to benefit your healthcare organization.
In general, social media can be used to attract new clients to your medical practice or educate current patients on a topic or piece of news. With roughly 2.8 billion monthly active users as of the fourth quarter of 2020, Facebook is the biggest and in our opinion, the best social media platform to market your practice.
Below, we list some of the things you can post on social media:
Health tips that patients might find useful
Upcoming events patients might like to attend
New research or findings related to your field
Honors or awards your organization has been granted
Pictures and bios of your staff
For more great ideas and Facebook marketing support, check out other Koda Digital blogs written by our expert social media managers:
Healthcare practices shouldn’t abandon social media marketing in fear of accruing HIPAA violation penalties from their social media posts. I
Instead, there are ways to successfully use healthcare social media marketing in a way that protects the privacy of your patients on social media. Find the best way for your practice to begin a healthcare social media strategy that fits your needs and helps your business.
By standardizing the way that marketing and social media efforts are maintained, you ensure that no sensitive health information will be improperly disclosed on the web.
It is imperative to keep patient health information protected, with secure and effective digital marketing.
When it comes to HIPAA compliance, it is better to be safe than sorry. That being said, there are lots of ways healthcare providers can stay on the cutting edge of marketing and leverage their digital footprint to attract new patients while remaining HIPAA compliant.
If you don’t have the time or the resources to handle effective online HIPAA-compliant management, you can always invest in training your employees or turn the work over to someone who does it for a living and has a proven track record with digital medical marketing.
At Koda Digital, helping our clients grow and keeping them HIPAA compliant is more than just our business; it’s our passion.
Instead of waiting for patients to come to you, let’s go to them. From patient reviews and social media to SEO and website, we handle the entire digital experience so you can focus on what you want to focus on.
2023 is almost here so don’t wait too long! Do reach out.
If you're ready to discover the strengths and weaknesses of your
digital marketing efforts, without all the confusing techno-babble, then enter your healthcare website below.
