HIPAA Compliance and Marketing in the Social Media Age
July 2019 Issue
With so many people online, the question isn't whether O&P practices should use social media to share their stories with patients and potential patients, but rather how to do it effectively and responsibly.
Whether or not O&P practices want conversation about their business online, it is probably already happening, the experts say. Companies like Yelp and Google will post reviews of a practice without the business doing anything on its own to facilitate them. Patients may also be using their own social media accounts to tell others about the practice. If someone isn't watching what is being posted online, there could be wrong or detrimental information on the web that could negatively impact the organization.
However, doing a good job of sharing healthcare-related stories online can be challenging where a misstep can cause a costly breach of Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations.
"I am definitely a firm believer in social media," says Chad Schiffman, director of compliance for Healthcare Compliance Pros, headquartered in Salt Lake City.
"Just be careful. Proceed with caution."
The Benefits of Social Media
When done well, social media can be a great, and inexpensive, way to market a practice and build community.
"It can be pretty traumatic when people have to have a limb amputated. By highlighting your business and showing people what you offer and what you are about, it can attract patients," says Jennifer Fayter, sales director for Coyote Prosthetics and Orthotics, headquartered in Boise, Idaho. "Even if they are not in your area, they can get a sense of the different types of prostheses out there. It's free marketing. You get to reach a lot of followers at no cost."
Since Coyote has begun focusing on social media—usually posting about three to four times per day—Fayter has seen name recognition of the practice grow and also has felt more connected to the local O&P community.
"It's been really beneficial and highlights a lot of our patients in the Idaho area," she says. "They make comments like, ‘Oh, I just climbed stairs for the first time,' or one gentleman just got his first leg and commented how great it is."
These kinds of comments and online reviews are a great way to attract future patients, Schiffman says.
"Ninety percent of consumers read online reviews before visiting a business," Schiffman says. "About 75 percent of those consumers say that if those businesses have positive reviews and stories, that they can be trusted as much as a personal recommendation."
Fayter is a firm believer in a strong social media presence but says she is also very careful about what she posts to avoid breaching HIPAA rules. She always has signed consent forms before posting a patient story and is careful not to share too much information about patients even with consent.
The Consequences a HIPAA Breach
While the experts say a robust social media presence is important for O&P practices, they also warn that the practices should always be careful to avoid a breach.
According to the Centers for Medicare & Medicaid Services, a HIPAA breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of protected health information. The Privacy Rule sets national standards about when protected health information can be used and disclosed. According to Healthcare Compliance Pros, fines can range from $100 to $1.5 million or can include criminal penalties that could result in up to ten years in prison.
These are some common examples of social media HIPAA violations according to Healthcare Compliance Pros:
- Posting verbal gossip about a patient to unauthorized individuals, even if the patient's name is not disclosed
- Sharing photographs or any form of protected health information without written consent from the patient
- Believing that posts are private or have been deleted when they are still visible to the public
- Sharing seemingly innocent comments or pictures, such as a workplace lunch that happens to have visible patient files underneath
There are a few ways an O&P practice can stay in compliance on their social media channels. One way is to never post any identifiable patient information on their channels. Photos do not include patient faces or any other features that could identify them. Any quotes are generic and not attributed to a specific person. If patients are never identified, then their protected health information is not released.
If you do want to share patient stories and stay in compliance with HIPAA, have the patient sign a consent form and ensure they understand what information is going to be used and where it may be used. This way is more difficult, the experts say, but also makes for a much better social media presence.
"People like seeing people like themselves having successes," says Linda Williams, a partner for The Brand Counselors, a marketing firm headquartered in Long Island, New York, that manages the social media accounts of Progressive Orthotics and Prosthetics, headquartered in Albertson, New York. "It's helpful from a strategic standpoint of showing patients up and active and doing all sorts of things."
Real stories of real people help readers make a stronger connection with a practice, ultimately making them more likely to become patients, says Schiffman.
"If you give readers specific examples, they can better identify with that story. It gives them a personal connection," he says.
So, if it's a good idea to use patient stories on social media channels, what's the best way to proceed? The experts offer many ideas for O&P practices, including:
- Always have patients sign a consent form before any of their health information, including their photos, are released.
- Communicate with patients about how their information will be used. When possible, let them review any information that will be shared even if they have already signed a consent allowing the release.
- Limit the amount of patient information that is shared, for example, full names of patients do not need to be used. Also, general information about their health and injuries is usually sufficient; specific details, such as their K-level, is not necessary.
- Train staff members how to use the company's social media accounts, and make sure that anyone with access to the channels knows how to stay HIPAA compliant.
- Be consistent and positive. Post continually, and always check online reviews and social media channels to spot any negative or inaccurate information so the practice can immediately respond. Address any negative information publicly so others can see it is taken seriously and then have the rest of the conversation in private.
- Build community. The best thing about social media is the social aspect. Telling the practice's stories can encourage and inspire others. A strong social media community will lead to more patients who want to share their stories and successes.
Consent and Communication for Patient Stories
While a consent form signed by patients is an absolute necessity before any information about them is disclosed by the practice, specifics of that consent are also important.
"Have a signature so you have proof, and have it dated," Schiffman says. "There doesn't need to be an expiration date on it, but it should say that a patient has the right to withdraw consent at any time."
In his career, Schiffman can only think of two cases where patients wanted to withdraw their consent and it was only for posts from that point forward. If patients want old posts taken down, Schiffman says the business should comply, but also tell the patient it is not responsible for posts that might have been shared by others and are out of the control of the practice.
"It's like an email," he says. "You aren't responsible for it in transit. You don't have responsibility for it if it is shared by others."
The form should also allow the patients to give different levels of permission, he says. For example, some patients are fine sharing their stories but don't want any images of themselves. Others are fine with images, videos, and their stories.
"Have them identify what kind of PHI [protected health information] they are willing to share," he says. "Find out if there is anything they want to limit, and personal identifiers they might not want shared."
It is acceptable for the practice to make recommendations about what patients should share on the company's social media accounts—for example, recommending that only first names are used on social media posts shared by the practice, or recommending that the company leave out specific health details in its posts.
Schiffman also recommends that O&P practices post disclaimers on their social media accounts warning people not to post their protected health information and stating that anything they do post, including their names, will be publicly viewable to others, so they should use caution.
"I think the patient needs to understand that he should not share more than he is comfortable with being online," Schiffman says.
Many of the other potential problems of sharing patient stories online can be solved with good communication, the experts say. If patients know what is going to be shared and approve of it, they are much less likely to complain or ask that it be taken down.
"Anything shared has to be approved," says Linda Williams. "I say, ‘No one will see this until you approve it, and we will kill the story if you feel uncomfortable.' We are really super sensitive about that."
Fayter says she also tries to use as much discretion as possible when posting about patients, even after they have given her a consent form.
"I don't necessarily use their full name and I don't tag people personally," she says. "I also don't get into any medical specifications, such as their amputation level."
Employees should be trained about social media HIPAA breaches just as they are trained about other types of breaches, the experts say.
If all employees aren't thoroughly trained, it can be problematic Schiffman says. He once had a case where an employee tagged a selfie of herself at work and that post ended up on the company's social media account. The employee did not realize that she accidentally had patient health information in the background of the picture, in violation of HIPAA. When the patient saw that on social media, the practice had to take it down and the employee was disciplined.
"It took a lot of work for what was just supposed to be a simple tagged photo," Schiffman says.
Part of that training should include information about what the practice does and does not want to post on social media. The policy should also warn employees about their personal accounts, he says.
In general, the experts say, it's a good idea to have a single person assigned to posting to the social media channels, rather than having several people in charge of it. First of all, this helps ensure that the person posting has been trained about being compliant with HIPAA. Second, it's also just a good practice to keep a consistent voice on the social media channels.
"There's a consistency you want on the posts—the writing style, the look and feel, and the direction," says Trevor Williams, a partner for The Brand Counselors. "Having one point person, you have one person who is accountable. It would be tough to have multiple people doing it."
Fayter says at Coyote that everyone discusses social media and will send her pictures and ideas, but she is the one responsible for what gets posted and what doesn't.
"I think you should have one person consistently post to make sure you have a consistent message and it always sounds the same," she says. "You do have to watch how you word things and you want to sound professional and consistent and along the company guidelines."
Consistent and Positive Messaging
Of all of the social media recommendations from the experts, there are two that they all agree on: be consistent and be positive.
Consistency is key because it keeps the practice in the eyes of the people it wants to reach.
"You can't just post every other week," Fayter says. "Everything comes up in a feed and most people will scroll up maybe three or four times. Unless they go to your page, they aren't going to see your posts if you aren't consistent."
Trevor Williams says he is also consistent with the types of posts he releases and when he posts them, so the readers know what to expect. For example, every Friday he has a "Fab Friday" post that highlights something new that has been fabricated. For example, during baseball season, the post may show a socket that has been decorated with Mets or Yankees logos. This helps him keep on track about what to post, highlights the practice's work, and gets the audience looking forward to something new each week.
Staying positive is also crucial when posting online, even if patients themselves are not positive. In the case of a negative online review, the experts say it's important to respond to what is said so that others know the practice cares about it.
While responding to negative reviews is important, Schiffman says, for HIPAA compliance, the responder should be careful not to confirm that the comment poster is a patient. For example, instead of writing, "We are sorry you had a bad experience at our practice," the responder should post something like, "Thank you for your comments. We take comments like these very seriously," and then offer to take the conversation offline or through personal direct messages.
"This way, you are saying that there was an experience, but I am not telling you that the person was a patient," Schiffman says. "This also allows the person to feel validated."
Staying positive doesn't mean just sticking to the stories of the O&P practice. Patients like a good story or motivational quote wherever it comes from.
Trevor Williams says he will post quotes or feel-good stories from other media because that is what his readers want. Their readers especially love to see stories of kids who are living and thriving with their devices.
Through Progressive's social media, Linda Williams says she loves to be able to post the successes of its patients, but what's really fun is when she sees the patients connecting through them and then cheering on one another.
"For me, it's about that," she says. "It's about the building our community."
Maria St. Louis-Sanchez can be contacted at firstname.lastname@example.org.