HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

HIPAA and Social Media: What are the Rule


The use of social media in today’s society continues to grow as more Americans interact through one or more social media platforms. Whether writing a blog article, posting on Facebook or tweeting on Twitter, many users see social media as a primary means to communicate. According to the Pew Research Center, as many as 46% of users “discussed a news issue or event” on a social media platform.

As more healthcare providers use or consider using social media for business purposes, HIPAA plays a more significant role in what can be said in a Facebook post, a tweet or a blog article. There are some clear challenges when it comes to meeting the requirements of the HIPAA Privacy Rule. But those challenges do not need to be obstacles, as long as there is proper guidance on what can or cannot be posted. 

My advice when it comes to the use of social media in a healthcare organization is to have a comprehensive, written policy and procedure. The less discretion the better, meaning there is always structured guidance to follow with little to no wiggle room.

In formulating your organization’s social media policy, start with the 3 W’s: Who, What and Where.  

  • Who – Determine who is permitted to post material on social media on behalf of the organization. Designate a specific person as the organization’s official social media administrator.
  • What – Determine what can be posted. The policy should include how to handle an individual that posts a medical question on a social media platform. As an example, if a patient can ask specific questions about a medical condition on your Facebook page, how does your organization address it? I caution from a possible liability standpoint that it may be inappropriate to respond with advice. A better response would be to ask the individual to contact the office to discuss the specific concern.
  • Where – Determine where and on what platforms posting will occur. The policy must clearly state which social media sites the organization will use.  

Guidelines issued by the AMA on social media say, “Be cognizant of standards of patient privacy and confidentiality. Don't post sensitive patient information online or transmit it without appropriate protection.” The guidelines also say to “maintain the appropriate boundaries of the patient-physician relationship, just as in any other context.” This means following all the applicable standards of the HIPAA Privacy Rule.

Another area of concern is the use of patient testimonials. This is a somewhat newer trend in the healthcare provider marketing strategy. Any patient testimonials used by a healthcare organization must comply with the HIPAA Privacy Rule. A healthcare provider, as a covered entity, must obtain the written authorization of the patient prior to any use or disclosure of the individual’s protected health information for marketing purposes.

In a recent case, a California physical therapy practice paid a settlement of $25,000 to the HHS Office for Civil Rights for a HIPAA privacy violation. There were allegations that the practice posted patient testimonials to its website without legal, HIPAA-compliant authorization. This is not a situation you want to find yourself in.

If your organization embraces social media as a method to market or provide information, have robust policies and procedures in place and follow them. You can be social, but be safe.


Is Your Medical Practice's Social Media Policy Adequate?


By now every physician should be aware of the benefits that can be bestowed upon their practice as a result of social media. Indeed, many practices are engaging in one or more social media platforms on a regular basis. Moreover, staff members are most definitely active in social media, and probably use it while at work.

Physicians and practice managers must be smart about training employees on what they should and should not share online. Staff in your practice could incur liability on behalf of your practice as a result of their comments on social media. Because of the confidentiality rules in HIPAA, staff training is important. You should constantly remind employees that they are representatives of the practice.

You should also have some sort of social media policy in place. Here are a few key items your policy should include:

1. Guidelines and expectations. Your policy should set clear expectations for how team members (as representatives of your practice) must conduct themselves online.

Your policy should clearly state that there will be no posting of protected health information (PHI) and that employees are not allowed to use social media in work areas near patients. Be specific in training your employees and inform them to avoid identifying patients in any way on social media — this includes names, unique characteristics, etc.

Some practices do not allow employees to use social media for personal reasons on work time. While that is fine as a policy, it does not circumvent the need to appropriately train your staff. Moreover, it can be hard to police.

It is advisable to discourage team members from engaging with patients on social media. If they do engage patients, they certainly should not be discussing patient-related matters.

Lastly, someone (most likely the practice administrator) should be designated as the spokesperson responsible for answering questions about your practice on social media.

2. Penalties and consequences. Penalties for data breaches increased under the American Recovery and Reinvestment Act, so your policy should make clear to employees the consequences of their actions on social media sites.

An individual claiming he did not know he violated HIPAA is subject to a minimum of $100 per violation. A HIPAA violation due to reasonable cause and not due to willful neglect carries a minimum fine of $1,000 per violation. A HIPAA violation that is due to willful neglect (but corrected in short order) is subject to a minimum of $10,000 per violation. Lastly, a HIPAA violation that is due to willful neglect and not corrected carries a minimum fine of $50,000 per violation. The maximum fine for each of these four categories is $50,000 per violation.

3. Explanations of rules and regulations. The social media policy should outline what is illegal, what is considered confidential information of the practice, and what is protected health information.

It’s not enough to have a social media policy — employers should put in just as much time and effort in training their employees on the ins and outs of the policy. Make it a separate document from the employee handbook.


HIPAA in the social media era


In today's social media-obsessed world, employers must understand the implications that social media may have on their HIPAA compliance strategies. A HIPAA breach could result from something as innocuous as a Facebook post.

Think your employees know better than to post Protected Health Information ("PHI") online for all the world to see? Think again.

In recent years, several potential HIPAA violations have occurred through employees' use of social media. For example, one hospital employee posted on his Facebook wall a patient's picture and chart, along with his comments on her condition, because "it was only Facebook" and therefore "not reality." He thought it was "funny."

Other recent incidents of similar behavior include emergency room personnel posting pictures to the Internet of a man's fatal knife wounds, and hospital employees posting pictures of patient X-rays.

Perhaps these are extreme examples, but HIPAA breaches can be more subtle. In one California case, five nurses were fired after management discovered that they were using Facebook to provide shift change updates to their coworkers. They did not use patient names, but did post enough specific information about the patients that the incoming nurses could prepare for their shift. Although these disclosures were likely made with the best of intentions, they were plainly HIPAA violations.

Since violations associated with the use of social media are relatively new, the Department of Health and Human Services has yet to issue formal guidance on these matters, but there is little doubt we will learn more about its strategy for handling the increasing number of such incidents.

Social media is clearly here to stay, so what is an employer to do? The answer: training. Although HIPAA regulations already require all "covered entities" to provide employees with HIPAA training, employers should ensure that their training programs include information specifically related to social media usage. In fact, due to the increasing risk of HIPAA violations through social media, it may be appropriate to draft a separate social media policy to disseminate to employees in addition to general HIPAA training.

Comprehensive HIPAA training along with a clear, well-defined social media policy, emphasizing compliance responsibilities during both work and non-work hours, is an employer's most effective weapon against HIPAA liability for employee misuse of social networking sites. To maximize effectiveness, be sure to include specific examples of the kinds of statements an employee might make on social networking sites that could run afoul of HIPAA and emphasize how even small, seemingly trivial disclosures can constitute HIPAA privacy rule violations.

Ashley Trotto is an associate attorney at Kennerly, Montgomery & Finley, where she focuses her practice on employee benefits and related issues. This column is provided through the Knoxville Bar Association, (www.knoxbar.org), a nonprofit corporation that offers continuing legal education and service to the community through free programs such as the Lawyer Referral & Information Service, speakers bureau and law-related education programs.
