Social Media Risks in Healthcare
Social media engagement has become a part of daily life for many people and businesses. While healthcare organizations can benefit from a well-designed social media presence, they must also be cognizant of the special risks healthcare providers face when engaging in the online world. Being aware of these risks and addressing them proactively can help reduce violations of patient privacy and reputational harm.
A social media program can be used as a marketing and public relations vehicle to inform the community about the services and programs an organization provides. These communications can improve the organization’s image within the community and increase its market share. While there are many positive aspects to social media, widespread use and easy access to social media outlets can lead to violations of the Health Insurance Portability and Accountability Act (HIPAA). Organizations must put safeguards in place to monitor their programs to ensure that patient privacy is not violated.
Social Media Plan
Organizations should determine the extent of their social media engagement, who their audience will be, and who will have oversight within the organization. A well-designed social media plan can guide an organization on how to build and maintain its social media presence both now and in the future. Organizations can use social media outlets to inform the community about their mission, fundraising goals, new programs, and success stories from within the organization. While a small practice might only have a Facebook page, a hospital might be active on multiple platforms, such as Facebook, X (formerly Twitter), and LinkedIn.
Managing and Monitoring
How an organization monitors and manages its social media accounts depends on its size, the platforms it uses, and its intended audience. A small practice with a Facebook page might decide that the practice manager will monitor the page and respond to comments. In a large organization, the marketing department, the public relations department, or another department might be tasked with monitoring the various social media platforms where the organization is active. A key component of managing and monitoring outlets is responding to outside posts on the site. Inappropriate responses or no response at all can damage a practice’s reputation. Responses to comments should remain positive and not contain protected health information. If a post contains negative comments, invite the poster to contact the practice by including a phone number in the response so the issue can be addressed directly.
Posting and Commenting
The social media plan should identify who will post on sites and who will respond to comments from outside the organization.
Responses to posts from outside the organization should be timely, professional, and respectful. How an organization responds to comments can either boost or damage its reputation. When negative comments are posted, there is a natural tendency to want to defend the service provided. Providers must proceed cautiously when responding to negative comments, ensuring they do not release any protected health information. The best option is to invite the poster to contact the organization directly so their concerns can be addressed. See our practice tip Complaints – Patients in Acute Healthcare Facilities.
Social Media Policy
Social media is a rapidly evolving industry; therefore, policies should be broad enough to encompass new platforms without requiring continuous updates. The policy should address topics such as staff members or departments responsible for posting or monitoring outlets; appropriate and inappropriate uses of social media for both the organization and personal accounts; staff access to personal accounts through the organization’s network; and how violations of the organization’s policies will be addressed.
When developing social media policies, organizations should review and update related policies to address social media issues, such as code of conduct, patient privacy and confidentiality, and staff/patient electronic device use policies.
Social media sites should list terms of use for visitors and have a standard disclaimer and disclosure language. A patient consent process should be developed to ensure that patients have given their consent to the use of their images or testimonials for advertising or marketing.
Risks
Organizations should be aware of social media risks and take steps to address these risks.
- HIPAA violations: Violations of patient privacy and confidentiality are among social media’s greatest risks. Violations can occur if providers or staff members disclose protected health information when responding to comments on social media, and there is also a risk of staff posting information about patients on their personal social media accounts. Some staff members mistakenly believe that if they do not use a patient’s name, they are not violating the patient’s privacy. Examples of such violations include identifying a patient by room number or describing a patient’s injuries or other physical characteristics. Staff members should be cautioned against posting anything about patients on their personal social media accounts. The organization’s policies should prohibit such postings and address how these violations will be handled, including termination of employment. Policies should prohibit the use of personal cell phones or other devices for photographing or video recording patients. Images necessary for patient care should be obtained with devices owned by the organization. See our practice tip Complete Medical Records: Your Best Defense for more information on digital recording.
Healthcare providers and staff should be aware of boundary issues that may arise if they “friend” a patient or become a follower of a patient’s blog. Even the act of friending a patient or posting on a blog could identify them as a patient and thus become a privacy violation.
Professional staff should be aware that disclosing protected health information without patient authorization can also lead to sanctions by professional boards as well as other legal actions.
- Employment issues: Most organizations have policies addressing employee conduct and other behavioral expectations. Social media policies should address employee conduct on their personal social media accounts; however, organizations should be aware of federal labor relations laws when developing these policies.
To avoid misrepresentation by employees, organizations should have policies prohibiting employees from using the company name or logo in their social media name or handle.
Ensure HIPAA Training Includes Social Media
Beginning with new-employee orientation, staff members need education on patient privacy and confidentiality. This education must include social media and how posting protected health information on social media sites violates patient privacy and HIPAA. Employees should be provided with examples of the types of posts that would be violations of patient confidentiality.
Staff should be reminded of their responsibility to notify their supervisor or compliance officer if they become aware of social media violations by other employees. Organizations should develop a process for staff to report inappropriate activity on social media.
Resources
ECRI. Social Media: Organizational Risks. Health System Risk Management 2021 Jan 12. www.ecri.org/components/HRC/Pages/AdSup4.aspx (membership required to access)
Medical Mutual Insurance Company of Maine's risk management resources are offered only as references for informational purposes. They are not intended to establish practice standards or take the place of medical judgment or legal advice. Medical Mutual recommends you consult with your medical staff leadership and a qualified attorney for any specific application to your practice. No risk management resource provided by Medical Mutual is intended to affect the applicability, scope, or limit of your liability insurance coverage or to otherwise amend or add to the terms and conditions stated expressly in the liability insurance policy issued to the identified policyholder for the applicable policy year.
