HIPAA Compliance for Medical Practices
69.7K views | +10 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

Social Media and HIPAA Compliance: What Medical Professionals Should Know 

Social Media and HIPAA Compliance: What Medical Professionals Should Know  | HIPAA Compliance for Medical Practices | Scoop.it

Social media is fast becoming one of the most impactful marketing channels for medical professionals; however, HIPAA regulations must be taken into account.

More than ever before, medical professionals are using social media every day in both their personal and professional lives. And of course this isn’t a bad thing: physicians, nurses, and other practitioners are in a unique position to engage and educate current patients and others in search of treatment. However, when used incorrectly, social media can be a veritable minefield in regards to HIPAA regulations for patient confidentiality. So in the interest of keeping those tweets flowing, let’s run through four easy ways to maintain compliance with these regulations.

1) Don’t Talk About Patients (Even When it’s Subtle)

HIPAA regulations for patient confidentiality may seem complicated, but they all essentially boil down to one key point: don’t share your patients’ personal information. Few medical professionals would post something as obviously problematic as “John Smith from Cherry Street came in last night with such-and-such medical condition,” but that’s far from the only way to incur a violation. Rather than taking the risk of accidentally broadcasting protected information like specific appointment times and diagnoses, avoid the issue altogether by never referring to an actual case or visit.

That said, medical professionals should absolutely post interesting and relevant information on their professional social media accounts. Just be sure to always keep things in broad terms — talk about specific conditions or treatment options, not specific patients.

2) Don’t Like, Share, Retweet, or Regram Your Patients’ Posts

Even if you don’t share the information yourself, it’s still possible for a physician to breach his or her patient’s confidentiality. One way to do so is by engaging with a specific patient on any social platform. Even if your patient chooses to post his or her medical information in a public forum, sharing this post with your own network could land you in hot water.

The easiest way to avoid this issue is by doing something that’s fairly intuitive: create separate accounts for your professional and personal activities.

3) Don’t Post Pictures of Patients or Their Documentation

When to comes to HIPAA compliance, one key mistake that should always be avoided is posting pictures of real-life patients. Even if you’re celebrating something as meaningful as a patient’s recovery from a serious illness or injury, sharing a photo of their likeness still counts in HIPAA’s eyes as a forbidden personal identifier. Another thing to keep in mind when posting photos from around the office or clinic: a patient’s files can accidentally get caught in the background. Always triple-check that your image is free of any potentially confidential paperwork or other materials.

It may sound easier to rule out photos of your workplace altogether, but warm, engaging imagery bolsters patient trust in your medical brand — in some cases increasing conversion rates by as much as 95%. Just be smart about the photos you share with your network.

4) Don’t Send Confidential Information Through Direct Messages

Switching over to direct messages might seem like an easy loophole in all of the regulations outlined above, as the interface of any social media platform would have you think that such messages are private and confidential. However, doing so would risk violating another one of HIPAA’s major tenets: the Security Rule, which mandates that all electronic protected health information (ePHI) is stored in such a way that it is secure from potential data breaches, leaks, or any other form of unwanted disclosure. Most social media messaging services do not meet HIPAA’s standard for compliance with this rule, and thus they should never be used to share patient data or health records with colleagues or even the patients themselves.

Luckily, a number of medical industry apps — such as DrFirst’s Backline — offer secure messaging platforms that are in compliance with HIPAA’s Security Rule. So keep the sharing away from Twitter DMs and Facebook Messenger and stick to the software and services that guarantee both compliance and conversions.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA and Social Media: What are the Rule

HIPAA and Social Media: What are the Rule | HIPAA Compliance for Medical Practices | Scoop.it

The use of social media in today’s society continues to grow as more Americans interact through one or more social media platforms. Whether writing a blog article, posting on Facebook or tweeting on Twitter, many users see social media as a primary means to communicate. According the Pew Research Center, as many as 46% of users “discussed a news issue or event” on a social media platform.

As more healthcare providers use or consider using social media for business purposes, HIPAA plays a more significant role in what can be said in a Facebook post, a tweet or a blog article. There are some clear challenges when it comes to meeting the requirements of the HIPAA Privacy Rule. But those challenges do not need to be obstacles, as long as there is proper guidance on what can or cannot be posted. 

My advice when it comes to the use of social media in a healthcare organization is to have a comprehensive, written policy and procedure. The less discretion the better, meaning there is always structured guidance to follow with little to no wiggle room.

In formulating your organization’s social media policy, start with the 3 W’s: Who, What and Where.  

  • Who – Determine who is permitted to post material on social media on behalf of the organization. Designate a specific person as the organization’s official social media administrator.
  • What – Determine what can be posted. The policy should include how to handle an individual that posts a medical question on a social media platform. As an example, if a patient can ask specific questions about a medical condition on your Facebook page, how does your organization address it? I caution from a possible liability standpoint that it may be inappropriate to respond with advice. A better response would be to ask the individual to contact the office to discuss the specific concern.
  • Where – Determine where and on what platforms posting will occur. The policy must clearly state which social media sites the organization will use.  

Guidelines issued by the AMA on social media say, “Be cognizant of standards of patient privacy and confidentiality. Don't post sensitive patient information online or transmit it without appropriate protection.” The guidelines also say to “maintain the appropriate boundaries of the patient-physician relationship, just as in any other context.” This means following all the applicable standards of the HIPAA Privacy Rule.

Another area of concern is the use of patient testimonials. This is a somewhat newer trend in the healthcare provider marketing strategy. Any patient testimonials used by a healthcare organization must comply with the HIPAA Privacy Rule. A healthcare provider, as a covered entity, must obtain the written authorization of the patient prior to any use or disclosure of the individual’s protected health information for marketing purposes.

In a recent case, a California physical therapy practice paid a settlement of $25,000 to the HHS Office for Civil Rights for a HIPAA privacy violation. There were allegations that the practice posted patient testimonials to its website without legal, HIPAA-compliant authorization. This is not a situation you want to find yourself in.

If your organization embraces social media as a method to market or provide information, have robust policies and procedures in place and follow them. You can be social, but be safe.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr

more...
No comment yet.
Scoop.it!

Is Your Medical Practice's Social Media Policy Adequate?

Is Your Medical Practice's Social Media Policy Adequate? | HIPAA Compliance for Medical Practices | Scoop.it

By now every physician should be aware of the benefits that can be bestowed upon their practice as a result of social media. Indeed many practices are engaging in one or more social media platforms on a regular basis. Moreover, staff members are most definitely active in social media, and probably use it while at work.

Physicians and practice managers must be smart about training employees on what they should and should not share online. Staff in your practice could incur liability on behalf of your practice as a result of their comments on social media. Because of the confidentiality rules in HIPAA, staff training is important. You should constantly remind employees that they are representatives of the practice.

You should also have some sort of social media policy in place. Here are a few key items your policy should include:

1. Guidelines and expectations. Your policy should set clear expectations for how team members (as representatives of your practice) must conduct themselves online.

Your policy should clearly state that there will be no posting of protected health information (PHI) and that employees are not allowed to use social media in work areas near patients. Be specific in training your employees and inform them to avoid identifying patients in any way on social media — this includes names, unique characteristics, etc.

Some practices do not allow employees to use social media for personal reasons on work time. While that is fine as a policy, it does not circumvent the need to appropriately train your staff. Moreover, it can be hard to police.

It is advisable to discourage team members from engaging with patients on social media. If they do engage patients, they certainly should not be discussing patient-related matters.

Lastly, someone (most likely the practice administrator) should be designated as the spokesperson responsible for answering questions about your practice on social media.

2. Penalties and consequences. Penalties for data breaches increased under the American Recovery and Reinvestment Act so your policy should make it clear to employees about the consequences of their actions on social media sites.

An individual claiming he did not know he violated HIPAA is subject to a minimum of $100 per violation. A HIPAA violation due to reasonable cause and not due to willful neglect carries a minimum fine of $1,000 per violation. A HIPAA violation that is due to willful neglect (but corrected in short order) is subject to a minimum of $10,000 per violation. Lastly, a HIPAA violation that is due to willful neglect and not corrected carries a minimum fine of $50,000 per violation. The maximum fine for each of these four categories is $50,000 per violation.

3. Explanations of rules and regulations. The social media policy should outline what is illegal, what is considered confidential information of the practice, and what is protected health information.

It’s not enough to have a social media policy — employers should put in just as much time and effort in training their employees on the ins and outs of the policy. Make it a separate document from the employee handbook.

more...
No comment yet.
Scoop.it!

How to Stay HIPAA Compliant When Using Social Media for Healthcare 

How to Stay HIPAA Compliant When Using Social Media for Healthcare  | HIPAA Compliance for Medical Practices | Scoop.it

Despite regulations surrounding the use of social media within the healthcare industry, there are enormous gains to be made from utilizing social media, from increasing patient engagement to acquiring new patients. Here, we look at why the role of social media is growing in healthcare, and how to make the most of this channel within healthcare internet marketing while still ensuring HIPAA compliance.

Healthcare Social Media Perks

Research data repeatedly indicate that patient outcomes improve when patients are involved and engaged in their own healthcare. Social media acts as the conduit that enables the patient-doctor relationship to extend beyond the traditional face-to-face consultations. When physicians actively engage on social media, they have an additional opportunity to connect with patients and impact their daily choices.

Meanwhile, blogging is both an effective marketing tool for doctors and a valuable source of information for patients looking to learn more about your healthcare organization or seeking health tips for specific conditions. And it’s not just the young, tech-savvy generations that can be reached on social media; one of the fastest growing demographics engaging in social media is the 55-65 year age group.

In addition, social media is an ideal platform for professionally connect with colleagues and industry peers. It is a great place to debate, express opinions, share information and experiences, and build referral networks.

The diversity of social media platforms and post types – including simple text, article shares, images, and videos – enables a new level of connection between the public, patients, and healthcare professionals. However, while social media continues to grow in importance in healthcare marketing, the challenges associated for non-compliance with HIPAA rules and regulations continue to increase.

Social Media HIPAA Compliance Concerns

To ensure HIPAA compliance on social media, it’s important to keep several key issues in mind.

Protected Health Information (PHI) The main compliance issue facing physicians is patient privacy. Physicians must be aware of both HIPAA and state laws with regard to the disclosure of patients’ PHI through social media. Even an inadvertent disclosure of PHI, including visual elements like photos or videos, can result in fines and other penalties. To satisfactorily manage this, healthcare organizations should provide HIPAA training to social media managers and conduct compliance checks. Healthcare organizations must also be prepared to present all electronic communications on demand, should an audit or lawsuit require it.

Medical Advice: Providing medical advice via social media should be treated with extreme caution due to licensing laws. If a patient is located in a state where the doctor is not licensed, the doctor risks liability under state licensing laws.

  

 

 

Tips for HIPAA Compliant Social Media

We recommend you have the following in place before going full-steam ahead on social media:

  • Create a Social Media Working Group to discuss any potential concerns about implementing a social media strategy. The group should include representatives from various parts of the organization.
  • Ensure a thorough understanding of the HIPAA patient privacy regulations and how they pertain to your healthcare organization’s social media accounts.
  • Create an employee use policy for social media and clearly communicate it to all staff.
  • Educate and train staff on the use of social media – plus how not to use it – with real life examples.
  • Create a realistic content strategy that specifies both the frequency and types of social media posts to reduce the likelihood of breaches.
  • Develop a process with the Legal and Compliance departments to approve content prior to being posted.
  • Monitor social media communications with technology controls that flag any words or phrases that may indicate HIPAA non-compliance, so that they can be reviewed before posting.
  • Capture and save records that preserve the format of social communications, including edits and deletions.
  • Archive electronic records so that they can be found, in accordance with federal and state recordkeeping rules.
  • Develop metrics to measure the effectiveness of social media programs.
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA in the social media era

HIPAA in the social media era | HIPAA Compliance for Medical Practices | Scoop.it

In today's social media-obsessed world, employers must understand the implications that social media may have on their HIPAA compliance strategies. A HIPAA breach could result from something as innocuous as a Facebook post.


Think your employees know better than to post Protected Health Information ("PHI") online for all the world to see? Think again.

In recent years, several potential HIPAA violations have occurred through employees' use of social media. For example, one hospital employee posted on his Facebook wall a patient's picture and chart, along with his comments on her condition, because "it was only Facebook" and therefore "not reality." He thought it was "funny."

Other recent incidents of similar behavior include emergency room personnel posting pictures to the Internet of a man's fatal knife wounds, and hospital employees posting pictures of patient X-rays.


Perhaps these are extreme examples, but HIPAA breaches can be more subtle. In one California case, five nurses were fired after management discovered that they were using Facebook to provide shift change updates to their coworkers. They did not use patient names, but did post enough specific information about the patients that the incoming nurses could prepare for their shift. Although these disclosures were likely made with the best of intentions, they were plainly HIPAA violations.


Since violations associated with the use of social media are relatively new, the Department of Health and Human Services has yet to issue formal guidance on these matters, but there is little doubt we will learn more about its strategy for handling the increasing number of such incidents.


Social media is clearly here to stay, so what is an employer to do? The answer: training. Although HIPAA regulations already require all "covered entities" to provide employees with HIPAA training, employers should ensure that their training programs include information specifically related to social media usage. In fact, due to the increasing risk of HIPAA violations through social media, it may be appropriate to draft a separate social media policy to disseminate to employees in addition to general HIPAA training.


Comprehensive HIPAA training along with a clear, well-defined social media policy, emphasizing compliance responsibilities during both work and non-work hours, is an employer's most effective weapon against HIPAA liability for employee misuse of social networking sites. To maximize effectiveness, be sure to include specific examples of the kinds of statements an employee might make on social networking sites that could run afoul of HIPAA and emphasize how even small, seemingly trivial disclosures can constitute HIPAA privacy rule violations.


Ashley Trotto is an associate attorney at Kennerly, Montgomery & Finley, where she focuses her practice on employee benefits and related issues. This column is provided through the Knoxville Bar Association, (www.knoxbar.org), a nonprofit corporation that offers continuing legal education and service to the community through free programs such as the Lawyer Referral & Information Service, speakers bureau and law-related education programs.


more...
No comment yet.