Even if you’re not involved on social media as a business, your employees or staff are more than likely on social media in their personal lives. And even innocent-seeming posts, tweets, pins or shares can leads to big repercussions if they are perceived as violating patient confidentiality. It is because of this that every medical office needs to set a social media policy to avoid any privacy or HIPAA violations.
First off, it is important to note that violating patient confidentially isn’t a cut-and-dry matter – it is whatever can be perceived as violating their privacy. So even if you don’t put their name, their birthdate, or where they live, any post that identifies a specific patient by any detail can be perceived by someone as a violation.
Several cases from the last couple years have highlighted this. For example, four nursing students were expelled from their Kansas program when they posted pictures of themselves posing with a woman’s placenta during a lab course, even though nothing in the post identified which patient the placenta came from.
In another case, a Rhode Island doctor was fired from the hospital where she worked after she made a post identifying a trauma patient – not by name, but by enough details where the medical board felt the patient could be identified. Hospitals, teaching colleges and medical boards are being extra cautious to avoid any potential violation of a patient’s privacy on social media, so chances are if there is any potential perceived violation of a patient’s confidentiality they would rather censure the offender than risk being sued by the patient.
So how do you create a good social media policy for a medical office? A good start for any office social media policy is to never identify patients. Ever. By any detail. And definitely never post pictures of patients (or any part of them.) Even if the patient’s themselves don’t mind, what we’ve seen in these example cases is that medical boards will still issue reprimands regardless if the patients themselves are ok with the posts.
In addition, employees need to be aware that even friending patients on social media sites can violate HIPAA. And answering their questions posted online is also a big no-no. Instead, make it clear that your staff is not to engage with any patient through their personal social media profile, and that if a question is asked of them online a return phone call to the patient is the only way to answer it. And, perhaps most importantly, designate a person in the office that employees can question as to what is appropriate online behavior. Although most medical programs now cover the subject of patient confidentiality online, if a team member hasn’t been formally trained in the medical field or hasn’t been in school within the last two years chances are they might not even be aware of these issues. Having a contact person and open communication will ensure employees are 100% aware of what is appropriate behavior online.
It may seem overly cautious at first, but setting a strict social media policy before an incident occurs is the only way for medical offices to ensure they won’t violate HIPAA or face other unwanted or unintended consequences.