Successful medical practice managers and physicians have embraced digital marketing and social media as a sustainable, cost-effective and measurable tool to attract and retain patients. Last year alone, 77% of patients searched their physician online before booking an appointment. The challenge for healthcare providers has been to stay HIPAA compliant in their digital marketing efforts.
You obviously want to make use of your digital footprint and social networks to grow your patient base, right? But it’s important to balance the benefits and risks of being online and to maximize the use of digital channels within your overall marketing strategy while still ensuring proper HIPAA compliance.
Providing training and conducting compliance checks for practice managers and admin staff is pivotal to effectively mitigating the risks associated with today’s marketing landscape. When managed poorly, online breaches of HIPAA standards can harm patient privacy, lead to legal sanctions, and cause irreversible reputational damage for you and your practice.
In this article, we’ll break down what you need to do to remain HIPAA compliant online so you can reap the many rewards the digital world has to offer.
1. Actively Inform and Manage Privacy Concerns
When it comes to health information, you must respect the privacy and act in accordance with the preferences of your patients. In other words, you can only communicate directly with patients regarding their health information over social media channels if you’ve received their express permission to do so and you have made them aware of the risks associated with such communication through disclaimers on your website and in your practice brochures.
You may even want to be proactive and create a patient information leaflet geared entirely to the use of social media and outlining your practice’s social media and digital policy. Establishing your practice’s own online and social media code of conduct and ensuring it is understood and implemented by your employees will go a long way toward your practice steering clear of HIPAA disclosure violations.
If you’re new to social media and Facebook, you’ll need to become well-versed in how the platform works and intimately understand its privacy settings and functioning. In this way, you can control the privacy settings your practice enables on its Facebook page and ensure that private patient messages and information stay private. By familiarizing yourself with the ins and outs of social media channels like Facebook, Twitter and Instagram and understanding how information is transmitted within a given social media site, you can design your practice’s social media policy to address any HIPAA disclosure risks.
As a general rule of thumb, we recommend the elevator rule to the practice managers we serve every day. The elevator rule states that if you wouldn’t say your comment in public, or in an elevator full of people, then don’t say it on social media. And in the event that an improper disclosure does occur, you’ll also need to have a policy in place that guides how you’ll proceed to alleviate any potential damage.
In practice, if someone asks a specific question involving PHI (protected health information), politely ask them to give the office a call rather than communicating the information on the web, so that their privacy is protected.
2. Keep Your Networks Secure
Research evidence shows that electronic communication with patients enhances patient care, boosts adherence for chronic disease patients, and can promote improved health outcomes. Also, patients may feel more satisfied by the increased communication with their doctors and having their questions or concerns addressed in real-time online.
Medical clinics and hospitals are starting to move in-person seminars (say for bariatrics) to live streams on Facebook to reach a larger audience with reduced costs. Moreover, these institutions are using the live feed to develop support groups by inviting current, former, and prospective clients to join and ask questions, gain insight, and garner support.
Therefore, with increased online connections, your practice needs to work closely with your IT department or internet service provider to establish strict security, access, and information sharing pathways.
Of utmost importance is reducing your exposure to a HIPAA violation via a third-party vendor. You need to have a business associate agreement in place with any third-party vendor to cover yourself in the event of an infraction. Without a signed business associate agreement, your practice will be the first in line for potential litigation; with the agreement, the third-party vendor is on the hook.
3. Be Mindful Before Posting
You must consider individual patient confidentiality before using a patient’s likeness in any way (that goes for images, testimonials, and letters). Keep standard photo and video release forms on hand, and have patients sign them, before filming patient testimonial videos or using patient photos or candids for marketing purposes.
As an example, an employee may post a photo of their lunch that happens to be lying on top of a patient file, which is then visible in the background of the post. Such a post would be in clear violation of HIPAA disclosure rules. Another thing to be mindful of is filming physicians in their office. It will be on your shoulders to make sure nothing is visible on the computer screen, and if something is, to blot it out (this can be done during editing or post-production). Moreover, you cannot share private details of past cases without prior written consent from the patient.
Remember, YouTube is the second largest search engine in the world, so even the slightest mishap on a photo or video can have serious repercussions.
4. Establish Roles in the Office
Everyone in your practice should know their role when it comes to your social media presence. This will help ensure compliance and save you headaches later on. When you first begin your efforts, decide which staff members will be able to coordinate, monitor, post and respond to social media messages or reviews left about the practice in general.
Establishing a chain of command will also help you quickly address issues should they arise down the road (pro tip: they will). Decide who will post photos, status updates, etc. and who will be their backup. Then choose if those same individuals will also respond to patient inquiries, health information requests, positive and negative reviews, and online complaints.
Having a few handcrafted responses ready to go will save you from scrambling around when you need to post a delicate and tactful reply. Here are a couple of response examples to both positive and negative online feedback:
- “We are sorry you were not satisfied with your visit to our office. In the medical field there can be unforeseen emergencies or patient needs that can set our calendar back. I can assure you the delay in your appointment was not intentional. If you are having an issue with our billing department, we invite you to contact our office so we can correct or clarify any misunderstanding about our policies. Thank you.”
- “We take feedback from our patients very seriously and are grateful you took the time to share your experience. We are sorry there seemed to have been a miscommunication with our office staff. Your concerns will be addressed. If we can be of further assistance please contact our office.”
- “Thanks so much for those words of encouragement! It makes the work that much more rewarding. I feel blessed to have such wonderful patients and appreciate you sharing your thoughts with others.”
As the current scandal concerning Facebook and Cambridge Analytica suggests, potential violations of data usage can often be innocent and happen when not enough questions are asked.
We always tell our medical practice clients that today they need to be IN social media, not just ON it, to reach the right patient at the right time with the right message. However, that kind of public familiarity comes with its own risks where a HIPAA violation can happen without even realizing it.
5. Know the Difference Between HIPAA and FERPA
Many patients are under the assumption that athletic trainers (ATs) and educators are required by law to follow HIPAA. That is not technically the case. “Covered entities” under HIPAA must meet two requirements: they a) bill for services and b) file those bills electronically.
ATs employed by educational institutions are usually required to follow FERPA (The Family Educational Rights and Privacy Act), not HIPAA (because they do not bill). However, FERPA does restrict access to the student’s records (which includes the student-athlete file).
ATs employed by hospitals and clinics are usually considered “covered entities” under HIPAA; however, there is some confusion, and there are potential loopholes, if the ATs are not part of the billing. ATs employed at universities may need to adhere to both, because there is often significant confusion about which law applies (for example, many sports medicine departments do not bill, but are part of student health, which is clearly covered by HIPAA).
The bottom line is that most ATs follow HIPAA because it is good practice and because they are required by their Code of Ethics to protect patient privacy.
6. Hire a Professional to Take Care of the Headaches
If you don’t have the time or the resources to handle effective online HIPAA-compliant management, you can always invest in training your employees or turn the work over to someone who does it for a living and has a tried and true record with digital medical marketing.
With the HIPAA stakes online being so high, hiring a partner can save you time, money, stress, and headaches down the road.
Being online provides medical practices with digital marketing tools to connect with patients and improve their care and health outcomes like never before. With proper management and organization, your office can have a strong online and social media presence while remaining HIPAA compliant.