Incorporating HIPAA into Your Practice’s Social Media Marketing

This article has been reprinted with permission from Doctor’s Life Magazine.

It’s clear that social media is here to stay and that ALL businesses, including healthcare organizations, are currently using and will continue to increase their use of social media to connect with their targeted audience—patients, peers, influencers—all with the goal of creating a wonderful community where you impart your knowledge, support your peers, and increase your status within that community as an expert—thereby driving business to your door. However, the issue of patient privacy, HIPAA, and offering advice is still of concern. Many have said, “My business did fine before social media…I don’t need it!” However, our client base and the Baby Boomers (incidentally the fastest growing segment of social media users) are turning to the web and social media to get answers, research providers, and give their opinions. Their fingers are still “doing the walking,” but on their keyboards instead of in a phonebook.

Physicians are being asked to deal with more and more lately. With the increase in the cost of doing business, insurance, managed care, reimbursement issues, litigation, the advent of and transition to EMRs, HIPAA concerns, and now social media integration, it’s understandable that physicians are slower to adopt this means of communication. However, physicians are such a wealth of information that those who do get involved in social media and blogging reap huge benefits and quickly develop a reputation as an expert in their field, often leading to an increase in new patients, requests to speak at events, invitations to write for industry journals, and more!

Often, clients expect that if you are on the cutting edge of your medical specialty, the other aspects of your practice—your office, your staff, advertising pieces, personal appearance, and even your business cards, website, and social media presence—should reflect that level of professionalism and technological savvy. How can you be a part of this 24/7 online networking event while keeping current and ahead of the curve with the ever powerful and beneficial results of a successful social media campaign?

In a previous Doctor’s Life Magazine column (bit.ly/SocialMediaRx) I discussed how social media is an extension of your practice specialty, personality, current marketing plan, office atmosphere, and website – all rolled into one.

Here are 10 suggestions on ways to have a successful social media campaign, and continue to communicate online with patients (current and future) and market your services, while adhering to HIPAA guidelines. Note that these tips can apply to texting, emailing, voicemails, and other forms of communication as well!

1. How you act on social media is transparent, and you should act no differently online than you do in person, or how your sales and marketing staff would at a networking event, or how any of us would in an elevator. So, as social media is truly a “conversation,” just like face-to-face interactions, you need to maintain your own personality and tone, and you also need to refrain from posting anything that might identify a patient, even if you don’t mention their name. You wouldn’t want to post any combination of things such as locations, times or events that may allow someone to draw a conclusion or disclose personal information. Although a picture is worth a thousand words, be sure to get authorization before posting pictures of employees, vendors, or patients.

2. Maintain professional boundaries and don’t combine your personal and professional online accounts. Have a separate account for your friends and family and a business page for your practice. Refrain from “friending” your patients on your personal account. Occasionally a patient may find your personal account and send you a friend request. If that happens, be sure to private message them to let them know that your practice’s social media policy prohibits you from connecting with them on your personal page, but offer the links so they can follow your business page.

3. Social media is a transparent platform for sharing information, not hiding it. With that in mind, be sure that whatever you post, whether it’s an original post or one that you share, re-tweet, or mention is one that you’d be proud of, and wouldn’t mind if it were printed in a newspaper. Many times, once things are out there in cyberspace, they’re out there, which brings us to our next tip…

4. Before you push send, count to three and ask yourself whether the post is true, helpful, and respectful, whether it applies to a mixed audience, and whether it could be misconstrued as offensive by anyone. Remember, once you push send it becomes immediate, and although you can sometimes delete a post, people can print it or save it before you do. This applies to responses to comments, especially when you might not agree. Again, be sure to act the same way you would in person.

5. Review your privacy settings at least monthly, as they can change. Be sure that you have control over the comments posted and that you can approve or deny what you want. Don’t be afraid to block anyone that posts anything that is inappropriate.

6. Google yourself frequently. Or better yet, set up Google Alerts (google.com/alerts) so that you will get an email whenever a search term (your name, the name of your practice, or any subject you want an alert on) comes up in Google. Another great idea is to have a separate gmail.com account for your social media accounts only. You can set your contact emails to your business account, but all of your notifications should be sent to this private Gmail account, so that you will see EVERYTHING that’s going on on your social media channels. This email address would be different from your contact email, and is kept private on the sites; just be sure to adjust your notification settings in each channel appropriately.

7. Know the Health Insurance Portability and Accountability Act (HIPAA) and its amendments, the Health Information Technology for Economic and Clinical Health Act (HITECH Act), along with state laws, all of which provide privacy and security protections of personal healthcare information (PHI), along with the repercussions if the law is violated. Be sure to take reasonable and appropriate measures to protect your patients’ privacy. The Mayo Clinic has a wonderful 12-word social media policy: “Don’t Lie, Don’t Pry, Don’t Cheat, Can’t Delete, Don’t Steal, Don’t Reveal.” Obviously, each of these rules can be expanded upon. Read more at bit.ly/SMMPolicy.

8. Set up a social media policy within your office and provide education on it, as well as regular HIPAA education that covers how social media is included. Review it frequently with those who have access to and/or manage your social media channels, and update it as rules and regulations change. Some guidelines you might want to consider including in your social media policy: respect of time and property, use of confidential information and PHI, respectful communications, right to monitor, enforcement measures, and that each employee utilizing your social media is responsible for knowing, understanding, and upholding HIPAA regulations, as well as your social media policy. Remember, even if you don’t have social media channels for your practice, your employees most likely have personal accounts. Be sure that they understand the implications of revealing PHI on those accounts.

9. What if a patient comments on your social media channel and their name shows up? Is the physician breaching patient privacy and opening themselves up for trouble? The answer is: Probably not. However, you should take any precautions you can, such as setting up a disclaimer on your ‘about page’ stating that opinions and views are your own, and reminding them that by commenting on your site, they are revealing their identity. Since they are doing it of their own volition, it would be no different from them having a conversation with someone in your waiting room. However, with monitoring you can stay on top of the conversation.

10. “What if I get on social media, and someone complains or says something negative?” We hear this one quite a bit, and the truth is, if you didn’t have your own outlet for them to write these things, they would simply do it on their own channels. Having your own social media presence allows you to monitor what’s going on and react to comments and ideas. If and when something negative does come your way, don’t immediately delete it—show the rest of your followers that you are truly concerned and document an apology, correction, or whatever it takes to recognize that client’s issue, and your willingness to make it right. Bear in mind, use caution in what you say, perhaps requesting the client call you directly. Oftentimes, it’s the fact that you respond, and the speed of doing so, that shows you are a cut above!

In conclusion, there is no doubt that social media is here to stay. The benefits of this online version of communication far outweigh the potential risks, with just a few common sense tips. Remember too, when outsourcing your social media to an online marketing firm such as The Go! Agency, they are bound by the same rules and regulations as you are. Be sure to ask them very pointed questions about how they will maintain your patients’ privacy, and ensure that your social media campaign is one that truly creates a wonderful community for your practice, educates your current and future clients, and pushes you to the top as an expert in your field!

One Comment Published

Reply Dec 19 / 2014

Very good points on the social media aspect in regards to HIPAA. It’s also important to note that what’s really missing when it comes to healthcare and HIPAA compliance is security awareness training and there’s really no excuse for this. There are actually hundreds of free and cost-effective solutions online, but time and time again, I see Covered Entities and Business Associates failing to implement basic training. As a HIPAA security specialist, it’s somewhat upsetting to see this because something that’s so vital to an organization and that is so easy and cost-effective to obtain is many times never done. C’mon folks, train your employees about ensuring the safety and security of PHI, it’s not that difficult. Think about it, healthcare companies spend massive amounts of money on new hardware and software products for security, but the true front line for defense for protecting PHI is well-trained and educated employees, something that’s so easy to do!