Social Media Risks in Healthcare

Social media has become a part of daily life for most people and many businesses. While healthcare organizations can benefit from a well-designed social media presence, they must also be cognizant of the special risks healthcare providers face when engaging in the online world. Being aware of these risks and planning ahead to address them can help reduce violations of patient privacy and reputational harm.

A social media program can be used as a marketing and public relations vehicle to inform the community about the services and programs an organization provides. These communications can improve the organization’s image and increase its market share. While there are many positive aspects to social media, the widespread use of and easy access to social media outlets can lead to violations of the Health Insurance Portability and Accountability Act (HIPAA). Organizations must put safeguards in place to monitor their programs to ensure that patient privacy is not violated.

Social Media Plan

Organizations should determine to what extent they will be engaged in social media, who their audience will be, and who will have oversight within the organization. A well-thought-out social media plan can guide an organization on how it will build and maintain its social media presence both now and in the future. Organizations can use social media outlets to inform the community of their mission, fund-raising goals, and new programs as well as success stories from within the organization. While a small practice might only have a Facebook page, a hospital might be involved in several outlets, such as Facebook, Twitter, and LinkedIn.

Managing and Monitoring

How an organization monitors and manages its social media accounts will depend on the size of the organization as well as the outlets used and the intended audience. A small practice with a Facebook page might decide that the practice manager will monitor the page and respond to comments. In a large organization, the marketing or public relations department or another group might be tasked with monitoring the various social media platforms.

A key component of managing and monitoring outlets is responding to outside posts on the site. Inappropriate responses or no response at all can damage a practice’s reputation. Responses to comments should remain positive and not contain protected health information.

Posting Comments

The social media plan should identify who will post on sites and who will respond to comments from outside the organization. The organization’s mission and goals should be reflected in what is posted on the site.

Responses to posts from outside the organization should be timely, professional, and respectful. How an organization responds to comments can either boost or damage its reputation. When negative comments are posted, there is a natural tendency to want to defend the service provided. Providers must proceed cautiously when responding to negative comments, being sure not to release any protected health information in their response. The best option is to invite the poster to contact the organization directly so their concerns can be addressed. See our practice tip on Complaints – Patients in Acute Healthcare Facilities.

Social Media Policy

Social media is an evolving industry; therefore, policies should be broad enough to encompass new platforms without the need for continuous updating. The policy should address such topics as staff members or departments responsible for posting or monitoring outlets; appropriate and inappropriate uses of social media for both the organization and personal accounts; staff access of personal accounts from the organization’s network; and how violations of the organization’s policies will be addressed.

When developing social media policies, organizations should review and update other policies to address social media issues, for example, code of conduct and patient privacy and confidentiality policies.

Social media sites should list terms of use for visitors and have standard disclaimer and disclosure language. A patient consent process should be developed to ensure that patients have given their consent to the use of their images or testimonials for advertising or marketing.

Risks

Organizations should be aware of social media risks and take steps to address these risks.

  • HIPAA violations: Violations of patient privacy and confidentiality are among social media’s greatest risks. Violations can occur if providers or staff members disclose protected health information when responding to comments on social media, but there are also risks of staff posting information about patients on their personal social media accounts. Some staff members mistakenly believe that if they do not use a patient’s name, they are not violating the patient’s privacy. Examples of this include identifying a patient by room number or describing a patient’s injuries or other physical characteristics. Staff members should be cautioned against posting anything about patients on their personal social media accounts. The organization’s policies should prohibit such postings and address how these violations will be handled, including termination of employment. Policies should prohibit the use of personal cell phones or other devices for taking pictures or videos of patients. Images necessary for patient care should be obtained with devices owned by the organization. See our practice tip Complete Medical Records: Your Best Defense for more information on digital recording.

    Healthcare providers should be aware of boundary issues that may occur if they “friend” a patient or become a follower of a patient’s blog. Even the act of friending a patient or posting on a blog could identify them as a patient and thus be a privacy violation.

    Professional staff should be aware that disclosing protected health information without patient authorization can also lead to sanctions by professional boards as well as other legal actions.

  • Employment issues: Most organizations have policies addressing employee conduct and other behavioral expectations. Social media policies should address employee conduct on their personal social media sites; however, organizations need to be aware of federal labor relations laws when developing these policies.

    To avoid misrepresentation by employees, organizations should have policies prohibiting employees from using the company name or logo in their social media name or handle.

Ensure HIPAA Training Includes Social Media

Beginning with new employee orientation, staff members need to receive education about patient privacy and confidentiality. This education must include social media and how posting protected health information on social media sites violates patient privacy and HIPAA. Employees should be provided with examples of the types of posts that would be violations of patient confidentiality.

Staff should be reminded of their responsibility to notify their supervisor if they become aware of social media violations by other employees. Organizations should develop a process for staff to report inappropriate activity on social media.

Resources

ECRI. Social Media: Organizational Risks. Health System Risk Management 2021 Jan 12. https://www.ecri.org/components/HRC/Pages/AdSup4.aspx (membership required to access)

Complete Medical Records: Your Best Defense