Can HIPAA Compliance and Social Media Coexist in Your Organization?

The question of whether your organization should be present on social media is moot. Whether or not you maintain official accounts on Twitter, Facebook, and other channels, your hospital, practice, or healthcare brand will be found and discussed there.

Monitoring, and to whatever extent you can, controlling the message broadcast about your brand is simply a reality of doing business today. In a healthcare environment, however, this raises privacy and compliance issues that many organizations are unsure how to handle. It is possible to responsibly manage your brand on social media, participate effectively in discussions, allow employees freedom within their personal accounts, and still maintain the privacy and compliance the law requires.

Managing Social Media for Your Organization

Monitor Posts and Mentions

Begin by understanding and participating in the conversation around your brand on the main social channels. It is critical to establish an official account so that your organization’s message and voice can be identified as such. Designate one person, or a very small number of people, to maintain oversight of that account and to respond from it, with privacy and compliance always the priority.

This is where “social listening” is critical both to the reputation of your brand and to your organization’s compliance. Someone (or a team) must be dedicated to regularly monitoring mentions of your brand on social media channels and across the internet. Dedicated tools can facilitate social listening, but a concerted effort to search for and watch mentions of your organization can be made with or without them. On Twitter, for example, you can create filters or lists to easily see mentions of your brand or of key hospital leaders. Ultimately, an active social presence for your brand is safer than none, because you can participate in, and be tagged in, the conversations that will happen there with or without you.

Establish Clear Policies; Review, Revise and Retrain often.

Like any business, you must establish clear, written social media policies and procedures up front that guide every interaction that takes place online in your brand’s name. They must address which channels the organization maintains, how often it posts, what content is appropriate to post (and, for a HIPAA-covered entity, that protected health information is never appropriate), and who is responsible for actively listening to relevant conversations (from patients, staff, and the public) about your brand or your industry, both for insight and to identify potential issues early. Keep the policies comprehensive but concise. It is a good idea to publish them and link to them from each official social media account bio.

Review & Revise

Once you have established policies, you cannot simply forget about them and assume they will remain in effect and sufficient indefinitely. Your social media process must include regular, scheduled review of the policies, of your brand’s interactions, and of the accounts you maintain, since the platforms’ features, settings, and privacy policies can and do change often.

Retrain

For your policy to be effective it must be understood by everyone with access to your official social media accounts. But to maintain compliance and protect the privacy of your patients, you must treat every employee as a member of your organization’s social media team. Anyone with access to patient information, or really to any information about your organization, needs to understand what is appropriate and what is allowed under your policies and under the laws and regulations that govern you. This requires training: effective, consistent, and repeated training.

Training Employees to Be Social but Stay Compliant

We believe long, boring training sessions are not very effective. Employees respond better, and retain more, when material is presented in short, engaging snippets that are repeated often and kept constantly in front of them, reminding everyone that this is a critical priority for the organization.

Your organization may have specific instructions or considerations of its own, but the basic guidance your employees need, whether they speak from an official social media account or from their own personal accounts, comes down to a few simple, common-sense rules.

Never use a patient’s name or any other protected health information (PHI) for any reason.

It may seem like this should go without saying. But say it anyway, and say it often. Omitting the name is not enough: a photo, a date of admission, or the name of a small town are HIPAA identifiers in their own right, and a rare diagnosis combined with a few such details can identify a patient just as surely as a name. The only exception is content a patient has explicitly authorized in writing, and even that belongs on the official account, never on a personal one.

Take questions or conversations offline.

If questions do arise, instruct staff to redirect the conversation to an offline medium such as a phone number or the organization’s patient portal. Consumers are increasingly accustomed to handling customer service through social media, but in healthcare anything that touches a person’s condition, care, or records cannot be discussed there. Be careful even in the redirect: publicly replying in a way that confirms the person is (or was) a patient is itself a disclosure, so a reply should acknowledge the message and offer the offline channel without confirming any care relationship.

Do not “Friend” patients.

Your employees understandably become personally invested in the lives and stories of some of your patients. It is common for chronically or critically ill patients (or their families) to create social media accounts to manage the flow of information to family and friends and to build a community of support around the patient. These support accounts are a wonderful thing, but your staff’s participation in them is tricky: a comment from someone identifiable as your employee can confirm the care relationship, and it is easy to let a clinical detail slip. You can determine within your organization what level of participation is appropriate, but in general your employees should be free to follow support accounts (not the patient’s personal accounts) and should rarely, if ever, comment or participate in discussions within those groups.

If you wouldn’t say it in a crowded elevator, don’t post it online.

Never assume any level of privacy, even in “private messaging” within social media. Direct messages are stored on the platform’s servers, can be screenshotted and forwarded by the recipient, and are outside your organization’s control, so any patient information typed into a social media screen should be treated as a potential breach. If it would be a problem to have it overheard in a crowded elevator, it is worse to have it “overheard” online, where it persists and can be searched.

Don’t post on boards or forums anonymously.

Posting advice or an opinion anonymously to an online forum or chat is tempting because the word “anonymous” is reassuring. That promise of anonymity is a false one; account metadata, writing style, and the details of a case can all point back to you and to the patient, and the risk of exposure is simply too great. Staff may cautiously direct someone to appropriate offline resources but should refrain from exchanging advice or information in any online medium.

Don’t mix personal and professional. Create separate profiles if necessary.

Your employees will use social media. They will discuss their day, including their work day. It is inevitable. So train them proactively to recognize what is appropriate and what could pose a compliance issue for the organization, as well as a threat to their own employment. Where personal and professional roles blur, separate profiles help, but the rules about patient information apply equally to both.

Share These Tips for Using Social Media Safely and Maintaining Compliance

To help you begin the dialogue with employees about their use of social media and the organization’s compliance obligations, our September IT Security Tip addresses how to Be Social and Stay Compliant.

  1. Social Media: Share this article on social media.
  2. Email: Share this article with your colleagues.
  3. Print: Post this tip in your break room for employees to see.
  4. Newsletter: Download this full image to be included in your next internal employee newsletter. There is also a smaller image here that may fit better in your newsletter format.

We only ask that you use the images intact and unaltered. Thank you.

Avoiding social media will not protect your organization from its pitfalls. Only understanding and proactively addressing compliance issues will give you control over both the message found online about your brand and the privacy of your patients.

For more shareable security tips, click here.