
Staying HIPAA-Compliant on Social Media


Updated March 26, 2021

About us

www.medicalwebexperts.com

We’ve been providing HIPAA-compliant technology solutions for the healthcare industry since 2003 - including custom development, mobile app development, hosting, website design, and marketing.

Your presenter:

Marie Westerhof

Director of Marketing

Disclaimer

I am not an attorney. Defer to your hospital's attorney when developing/amending a HIPAA-compliant social media policy for your marketing department.

Let's get started!

How can a healthcare business stay HIPAA-compliant on social media?

The golden rule:

Don't share protected health information (PHI) without a signed authorization.

What constitutes PHI?

Under the HIPAA Privacy Rule, health information that can be tied to an individual through any of these 18 identifiers is PHI (protected health information). The list is the rule's "Safe Harbor" de-identification standard: all 18 have to be removed before health data counts as de-identified.

1. Name

2. Address (any geographic subdivision smaller than a state, including street address, city, county, and ZIP code)

3. Dates associated with the individual (e.g. date of birth, admission date, discharge date, date of death), and any age over 89

4. Phone number

5. Fax number

6. Email address

7. Social Security number

8. Medical record number

9. Health plan beneficiary number

10. Account numbers

11. Certificate/license numbers

12. Vehicle identifiers and serial numbers, including license plate numbers

13. Device identifiers and serial numbers

14. Web Universal Resource Locators (URLs)

15. Internet Protocol (IP) address numbers

16. Biometric identifiers, including finger and voice prints

17. Full face photographic images and any comparable images

18. Any other unique identifying number, characteristic, or code

See full, more detailed list: https://medschool.duke.edu/research/clinical-and-translational-research/duke-office-clinical-research/irb-and-institutional-14
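Several of the 18 identifiers have a recognizable shape, so a marketing team can put a simple pre-publish check in front of human review. The script below is an added example, not part of the presentation or of any product it mentions: it scans a draft post or DM reply for the pattern-matchable identifiers (dates, ages over 89, phone/fax, email, SSN, IP address, URL, and a hypothetical "MRN 00123456" medical record number format that you would adjust to your own), and an allowlist lets the organization's own contact details through. The sample drafts are constructed here, three of them quoting posts discussed later in this presentation. The important caveat is visible in the output: names, diagnoses, medications, and "any other unique characteristic" have no regular shape, so the patient comment about Nurse Amy passes the scan even though it is PHI. A clean scan means "no structured identifier found", never "safe to post".

```python
"""
Pre-publish linter for draft social-media posts and DM replies (added example).

Only identifiers with a recognizable shape are matched. A clean result is NOT a
clean post: names, conditions, medications, faces and "any other unique
characteristic" cannot be pattern-matched, so human review still follows.
"""
from __future__ import annotations

import re

MONTH = (r"(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|June?|July?|"
         r"Aug(?:ust)?|Sep(?:t(?:ember)?)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)")
DAY = r"\d{1,2}(?:st|nd|rd|th)?"

PATTERNS: dict[str, re.Pattern[str]] = {
    # 3. dates tied to a person: ISO, mm/dd[/yyyy], or written with a month name.
    #    "March 2014" counts: under Safe Harbor every date element except the year is an identifier.
    "date": re.compile(
        r"\b\d{4}-\d{2}-\d{2}\b"
        r"|\b\d{1,2}/\d{1,2}(?:/\d{2,4})?\b"
        rf"|\b{MONTH}\.?\s+(?:{DAY},?\s+\d{{4}}|{DAY}|\d{{4}})\b"
    ),
    # 3. (cont.) ages over 89 ("92-year-old", "95 yrs", "aged 101")
    "age_over_89": re.compile(
        r"\b(?:9\d|1\d{2})[\s-]*(?:years?|yrs?|y/?o)\b|\bage[ds]?\s+(?:9\d|1\d{2})\b", re.I
    ),
    # 4./5. US-format phone and fax numbers
    "phone_or_fax": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}(?!\d)"),
    # 6. email address
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # 7. Social Security number
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # 8. medical record number -- HYPOTHETICAL format (assumption); change to your own
    "mrn": re.compile(r"\bMRN\W{0,3}\d{5,}\b", re.I),
    # 14. URLs
    "url": re.compile(r"\b(?:https?://|www\.)\S+", re.I),
    # 15. IPv4 address
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def scan(text: str) -> dict[str, list[str]]:
    """Map each identifier type to the strings that matched it (empty dict = nothing matched)."""
    hits: dict[str, list[str]] = {}
    for name, pattern in PATTERNS.items():
        found = [m.group(0) for m in pattern.finditer(text)]
        if found:
            hits[name] = found
    return hits


def is_publishable(text: str, allowlist: frozenset[str] = frozenset()) -> bool:
    """False if any identifier fires that is not on the allowlist.

    The allowlist is for the organization's OWN contact details (the clinic phone
    number in a "please call us" reply), never for anything about a patient.
    """
    return all(value in allowlist
               for values in scan(text).values() for value in values)


if __name__ == "__main__":
    # Constructed sample drafts; the first three quote posts discussed in the presentation.
    clinic_numbers = frozenset({"555-555-5555"})
    drafts = {
        "staff blog plug": "Hey Facebook friends, check out my patient's amazing food blog! www.bodybybutterfinger.com",
        "review reply": "You brought your daughter in for the exam in early March 2014.",
        "DM reply": "To schedule a consultation, please call us at 555-555-5555.",
        "patient comment": "I loved Nurse Amy! Had a bad fall and broke my hip. I'm still on Vicodin 10mg for the pain.",
        "intake note": "Pt DOB 04/12/1961, MRN 00123456, SSN 123-45-6789, jane.doe@example.com, seen from 10.0.0.12",
    }
    for label, text in drafts.items():
        ok = is_publishable(text, clinic_numbers)
        print(f"{label:16} publishable={ok!s:5} hits={scan(text)}")
```

Running the script shows the blog plug, the review reply and the intake note blocked (URL, "March 2014", and five structured identifiers respectively), the DM reply allowed only because the clinic's own number is allowlisted, and the patient comment allowed with no hits even though "Nurse Amy", the injury and the medication are all PHI. That last line is the reason the check gates human review rather than replacing it.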


Social media offers unique opportunities for accidental PHI disclosures.

Common social media tactics may actually constitute a HIPAA violation.

  • Sharing photos of the facility

  • Sharing photos of staff + patients

  • Engaging with patients who've shared their own PHI

  • Responding to private messages

Did every patient in this photo sign a HIPAA authorization? If not, don't post it online!

How easy is it to accidentally share PHI?

What if a patient were in the background?

License plate numbers are on the identifier list (vehicle identifiers, #12). What if a patient's car were behind them?

Quick note on corporate social media pages vs. staff’s personal profiles

HIPAA compliance rules for corporate pages & employees’ personal social media profiles are the same.

But we may discuss them separately in this presentation, because your hospital likely already has a separate (much more strict) policy for staff members' personal profiles.

Publishing content on your corporate social media pages

How do we stay

HIPAA-compliant on Facebook, Twitter, YouTube, Instagram, Yelp, or other profiles?

What not to share

Anything containing one of the 18 PHI identifiers listed above!

...Unless the patient has signed a HIPAA authorization form.

Using a HIPAA authorization form to share patient stories

Patient stories demonstrate:

  • Quality of care
  • Patient-focused attitude
  • Patient satisfaction

Patient stories can be shared on social media if the patient has signed a HIPAA authorization form.

What needs to be in the HIPAA authorization form?

Your hospital may already have one, which can be amended to include social media.

  • Your hospital's attorney can make sure that you have a HIPAA authorization form that works for social media.

  • Patient authorizes you to share name, details of his/her treatment, and experiences as a patient over electronic media, including internet/online publications, email, etc.

  • Patient authorizes you to share photos of them.

Great example from Rutgers: http://ucm.rutgers.edu/sites/ucm/files/Rutgers%20HIPAA%20Authorization%20form%2012-16-14.pdf

Public posts vs. private messages

Private messages are no more HIPAA-compliant than public posts. (This includes Twitter direct messages and private messages on Facebook, Instagram, and LinkedIn.)

Treat private messages from patients exactly like public posts: the platform gives them no special protection under HIPAA, so don't confirm or add PHI in a reply.

When patients share their own PHI

Patient post disclosing PHI:

"I loved Nurse Amy! She was so sweet. Had a bad fall and broke my hip. I'm still on Vicodin 10mg for the pain. Hope to be off it soon."

When patients share their own PHI

Implement a policy for your digital marketing team.

It could be very restrictive, or slightly less restrictive.

Very restrictive policy:

Delete all posts where a patient has shared their own PHI.

Less restrictive:

a) Leave these posts up, but do not engage with the poster. (Don't respond or "like.")

b) Answer publicly or via private message, but in a way that does not suggest confirmation of PHI, disclose other PHI, or suggest medical advice.

When patients share their own PHI:

How could this post be answered?

SAFEST: [Delete user's post.]

ALSO SAFE: [Ignore user's post - do not comment or like.]

NOT RECOMMENDED: "Thanks for your feedback!" (Could imply they were a patient.)

VERY BAD!!!: "Get well soon!" (Implies they were a patient.)

Private messages requesting medical advice

Patients often send questions via private message that disclose their own PHI.

Example:

“Hi, I’m 57 and have acid reflux. I take Nexium 80mg per day and my DeMeester score was 62. No hiatal hernia. Am I a candidate for TIF?”

Respond politely, but encourage the user not to send PHI.

Private messages requesting medical advice:

How could this message be answered?

GOOD:

Hi, ______ - thanks for getting in touch. Unfortunately, we're not able to provide this information over Facebook. To schedule a consultation with a physician at our clinic, please call us at 555-555-5555.

Private messages that DON'T disclose PHI:

You can answer these freely! But know how to tell the difference.

Examples:

“What are the visiting hours of the ICU?” OK TO ANSWER

“Is the Yoga for Seniors class canceled?” OK TO ANSWER

“Do you have cable?" OK TO ANSWER

Answering online reviews:

Avoiding a HIPAA violation

Most common review sites in healthcare:

  • Yelp
  • Facebook
  • Google+
  • Healthgrades

Positive reviews require no action or answer. Best way to deal with a bad review:

  • Post a polite response.
  • Have a patient services rep contact them - sometimes patients will take the review down once the dispute has been resolved.

But don't disclose PHI when responding to a bad review.

Answering online reviews: Avoiding a HIPAA violation

The patient might disclose their own PHI in their review, but it’s still a HIPAA violation for a healthcare organization to disclose PHI.

Example:

“You brought your daughter in for the exam in early March 2014. The exam identified one or more of the signs I mentioned above for scoliosis. I absolutely recommended an x-ray to determine if this condition existed; this x-ray was at no additional cost to you.”

-Written by a CA chiropractor, in response to a reviewer who claimed he misdiagnosed her daughter.

Article: https://www.washingtonpost.com/news/to-your-health/wp/2016/05/27/docs-fire-back-at-bad-yelp-reviews-and-reveal-patients-information-online/

Answering online reviews: Avoiding a HIPAA violation

Patient writes: “Dr. Black was rude and rushed my appointment. He ordered an endoscopy, which I felt was totally unnecessary.”

BAD ANSWER (CONFIRMS PHI):

“We’re sorry that you were unhappy with our recommendation.”

OK ANSWER #1:

"Thank you for sharing this feedback. Please feel free to call our office at (555) 555-5555 if you'd like to speak with us further."

OK ANSWER #2:

[NO ANSWER - call the patient and try to smooth things over. Many will take down a bad review once their concerns have been addressed.]

Another example

Patient writes: “The parking lot is very unsafe! I nearly slipped.”

BAD ANSWER (CONFIRMS REVIEWER IS A PATIENT + TREATMENT TIME FRAME):

“We had bad weather on the day you came in. Our parking lot is usually quite safe.”

OK ANSWER (DOESN'T CONFIRM REVIEWER'S STATUS AS A PATIENT):

"Thank you for sharing your feedback, and we're very sorry that this happened. We're working on improvements to our parking lot."

Guidelines for hospital staff when using their personal social media pages

Hospital employees might interact with your hospital's official social media accounts (e.g. tagging them in a post). We need to make sure these posts don't violate HIPAA.

Your hospital likely already has a social media policy for staff in place.

We'll discuss some common "accidental PHI disclosures" on employees' personal accounts. When in doubt, defer to your hospital's social media policy.

Examples of accidental PHI disclosures by staff

1. Photos of/with a patient, even if outside the hospital.

  • Example: "Ran into my former patient Linda at brunch!" PHI DISCLOSURE

This selfie may be acceptable if the employee does not specify that Linda was a patient - but there's always the risk that a friend could leave a comment revealing that this person was a patient.

  • Example: "Ran into a friend at brunch!" NO PHI, BUT RISKY - NOT RECOMMENDED

2. Does the patient have a cool tattoo or birthmark? That's PHI too (identifier #18: any other unique identifying characteristic).

3. Photos of empty exam rooms with potential patient info.

4. Patient told you about their cool website.

Example: "Hey Facebook friends, check out my patient's amazing food blog! www.bodybybutterfinger.com" PHI!

Examples of accidental PHI disclosures by staff (cont'd)

5. Status updates, Tweets, etc.:

OK: “Love my job as CNA at ___ Hospital! So many wonderful patients.”

NOT OK: “Love my job as CNA! Had a wonderful time caring for little Jeffrey and his family in the pediatrics ward.”

OK: “Terrible day in the ER.”

NOT OK: “3-car pile up on I90 today - treated a man in his 60s with 6 broken bones."

(Anyone who knows who was involved in the accident now has that man's PHI.)

Examples of accidental PHI disclosures by staff (cont'd)

6. Private groups: Even if a Facebook group is closed (only approved members can see the posts), it's still considered a violation to share PHI there.

Example: In 2013, a nurse at the University of Cincinnati Medical Center posted the results of a patient's STI screening in a private Facebook group.

Sources: http://www.wlwt.com/article/uc-med-center-ceo-employee-admitted-to-posting-patient-s-history-online/3543568

http://www.cincinnati.com/story/news/2014/06/04/suit-uc-health-employee-posted-file-facebook/9970813/

"Friending"/Following patients on social media

It’s not a HIPAA violation to “friend” or “follow” a patient, but it does greatly increase the potential for accidental PHI disclosures. Defer to your hospital's policy, if they have one.

It's not possible to "friend" patients with your hospital's corporate Facebook or LinkedIn profile.

It's possible to follow a patient with your hospital's corporate Twitter, YouTube, or Instagram account. Doing so is not a HIPAA violation, but be aware that it may encourage the patient to send PHI over social media.

Questions?

Thank you!

Contact me:

Marie Westerhof

marie.w@medicalwebexperts.com

(425) 666-9096
