Years ago, doctor-patient confidentiality was simple for healthcare professionals—just speak in hushed voices behind closed doors. Of course HIPAA (and its many facets) has changed that.
Occasionally we have clients ask us, “How does social media affect HIPAA compliance?” or “How does HIPAA compliance affect social media?”
The good news is that it isn’t as complicated as you may think.
Yes, there are a few negative stories out there about physicians who were cited for unprofessional conduct related to posting confidential information about their patients online. But these instances have been very, very rare. By putting a few simple safeguards in place, and using just a little common sense, this should be a non-issue for your practice.
Here Are Our Suggestions:
1. Remember that the same rules that apply to your patients’ privacy before you started using social media tools absolutely apply to everything you do in your office—including the use of social media. Do you need to have a refresher course about HIPAA in your practice? Make sure your team understands the do’s and don’ts.
2. Take comfort in knowing that none of your social media tools are directly tied to your practice management software. If you are using a patient email list that is generated by your practice management software, simply export it with only the information needed to send your email message. Then import that file into your email distribution software.
3. Don’t use social media to “practice dentistry online”. In other words, if an exchange with a patient would be more appropriate in person, find a time to visit with that patient in person.
4. Use a consent form when appropriate (more about this below).
5. When in doubt, “generalize” the information you offer. It’s usually just as easy to talk about “a favorite patient” or “our valued patients” as it is about a specific person.
6. Set up some rules and guidelines in your practice. You likely already have a confidentiality policy that your team is expected to adhere to. A social media policy can simply be an add-on to that policy if you’d like.
We have read a number of social media policy documents that various dental practices use. Here is one (below) that we have developed—using a few parts we’ve gleaned from others’ documents that you may use as a template. Cut and paste what works for you, or add to it.
Please keep in mind that we are NOT attorneys. We don’t even play attorneys on TV. My Social Practice does not provide legal advice and, as such, the template below is only offered as a suggestion. Additional compliance rules vary greatly from state to state, country to country. If you feel like you need more advice than what we have provided here, be sure to consult your own attorney.
A Sample Social Media Policy (template)
The following applies to <your practice name> employees who create or contribute to social media, including but not limited to: blogs, social networks, online videos, pinboards, forums, etc. As social media changes the way we communicate and conduct business, it is important to remember what you do online is ultimately linked to your personal life, your professional life, and our dental practice.
Here are our practice guidelines. They are broken into two sections, A and B:
A. Your “Personal” Social Media Participation
A1. <your practice name> respects an employee’s right to participate in social media for personal reasons during non-work hours. All <your practice name> employees participating in social media and online commentary—even on their own personal accounts—are expected to use their professional judgment prior to posting anything online that is connected in any way to our dental practice or to our patients, and to adhere to all office confidentiality policies currently in place. Content posted on any blogs, social networks, online videos, pinboards, forums, etc. that is connected in any way to our practice or to our patients should comply with our organization’s confidentiality and employee ethics policies. Any work-related comments should also be respectful and relevant in a way that protects the practice’s brand and reputation and follows both the spirit and letter of the law.
A2. Even though you maintain and use your own personal social media accounts, your online presence reflects upon <your practice name> and its reputation. Be aware that your actions captured via images, posts or comments can be considered by some as a reflection on our practice, regardless of whether or not it occurs during work hours. If you make comments about work, or work-related topics, please post meaningful, respectful comments that positively promote your role as a <your practice name> employee and reflect positively on your co-workers and team members.
A3. Respect the Health Insurance Portability and Accountability Act (HIPAA) privacy requirements. If you are unsure of what they are, let us know so that you can be better trained.
B. Your “Practice” Social Media Participation
B1. Always be kind, honest, generous, and genuine.
B2. Respect copyright laws and reference or cite sources appropriately. If you have a question about the appropriateness or legality of an image, always err on the safe side by asking first.
B3. If you disagree with another’s opinion, do not respond until you have visited with our practice manager or with <dr.’s name>. In every case, keep comments appropriate, respectful and polite. If you find yourself in a situation online that looks as if it’s becoming antagonistic, politely disengage from the dialogue—then talk with our practice manager or with <dr.’s name> before continuing the conversation.
B4. Never participate in social media when the topic being discussed might be considered a “crisis” situation—or, if somebody is belligerent. If you have a question, talk to our practice manager or with <dr.’s name>.
B5. If you are ever in doubt about posting a comment or image, don’t! Protect our practice and its reputation, and our patients’ privacy. Consider all content carefully. If you have a question, talk to our practice manager or with <dr.’s name>.
B6. Before posting anyone’s photo anywhere, ask for their permission, and be sure to have them sign our consent form—then properly file said form. If the person is a minor, their parent or guardian must sign the consent form.
B7. Remember that nearly every social media interaction falls into one of the three following categories. Here are our “Rules of Engagement” for each category:
Category 1: Exchanges Started by Another Party – Example: Sally Smith “Likes” our Facebook page. After Sally’s visit, she posts the following comment on our wall, “Thanks, Dr. _______ and team, for taking such good care of me today!” Rule of Engagement: Respond directly, sincerely and openly. However, there is no need to divulge any additional information beyond what the patient has shared. DO NOT write something like, “Thanks for your comment, Sally. Good thing we caught that awful gum disease you have before it became a bigger problem!”
Category 2: Exchanges Started by You – Example: You post to our Facebook wall, “It was wonderful seeing one of our favorite patients today, Sally Smith!” Rule of Engagement: Kindly ask Sally’s permission first, before she leaves our practice. Ask if it would be OK to thank her publicly on our Facebook page.
Category 3: Exchanges Started by You That Include an Image or Video – Example: You post to our Facebook wall, “It was wonderful seeing one of our favorite patients today, Sally Smith!”, AND you upload a testimonial video, or a photograph of her smiling and holding a Social Sign, to our Facebook page. Rule of Engagement: Kindly ask Sally’s permission before she leaves our practice—AND have her sign a consent form (sample text below).
Sample Text For Consent Form
I consent that <your practice name> may use photographs or videos of me, taken on the date indicated below, on their social media tools which includes but is not limited to their Facebook page. I understand that these images and/or videos will not be used for any other commercial purposes.
Name (please print):
Name of Minor (please print):
Name of Parent or Legal Guardian (please print):
By the way, you don’t need to worry about comments that others make on your social media accounts. The common consensus is that healthcare providers cannot be held liable for postings made by other parties just because they sponsor the venue where it was said. However, if something appears on your Facebook wall, for example, that you consider questionable, you should contact your Social Media Consultant here at our office. He or she can help you determine whether or not it’s a good idea to delete it.
This is also another good reason to watch your Facebook wall and other social media tools on a regular basis. Also, the rule of thumb with any comment is to respond. Don’t edit the comment because by doing so you may be considered a co-author.
So, there you go. Hope that helps you think this through—and we hope it helps you not worry about it too much. And once again, if you have more concerns or questions, be sure to visit with your own attorney. HIPAA compliance related to social networking doesn’t need to be a problem for your practice.