Let’s face it, social media is part of every business today.  Healthcare providers using social media face thousands of dollars in HIPAA penalties and fees if there is a breach of protected information.  Do you have a clear policy and procedure for your team? Here are basic best practices to consider.


Create a policy document for the type of information that will be allowed for every social platform you use. 

Everything shared on the internet is eternal and every social media platform has their own privacy and usage policies for images uploaded to their systems. Whether you are sharing happy patient pictures and their stories of well being on your own website or on Twitter, Facebook etc, remember they can be downloaded and used by anyone on the internet. Be careful not to disclose any personal information on your clients that identify thieves could use to obtain additional information. Your policy and procedure should include having a form authorizing use of images and information for marketing purposes and the retention of the authorization reviewed by your legal counsel. Don’t forget to have your employees sign as well.


Protect social media access

Ensure your employees authorized to access and manage social media accounts are training on HIPAA policies.  If you have a third party manage social media, verify they understand the importance of HIPAA rules. Anyone with access to social media accounts should also follow best practices for login credentials and passwords to protect against unauthorized access.


Monitor your social media accounts and have an incident response plan

To limit the impact of unauthorized content that is not compliant with your social media policy you must monitor your account frequently.  Social media managers can mistakenly post a personal message on a business account instead of their personal one, or you could be hacked or have the wrong image uploaded. Mistakes happen as we are only human. Be sure you have an incident response plan for each social media platform that includes information and process on how to verify ownership of the account, remove content or disable the account when needed.  Make sure you have up-to-date contact information for management and social media manager(s).


Template policies and procedures

The Office of Civil Rights (OCR) fines providers for using sample policies that they do not follow. It may be necessary to create custom policies and procedures and document that your staff is complying with these policies.


Risk Mitigation and actions you can take

Conduct a full annual risk analysis that assesses systems and provides both HIPAA Security Compliance and Threat Analysis. Document compliance activities and implementation of policies. Utilize custom HIPAA security policies based on your organization and avoid generic templates. Breaches can happen often so stay on top of compliance all year around.

Comments are closed.