As most medical practices realize, the success or failure of their marketing will be decided online. For medical spas, chiropractors, and other local practices, social media plays a critical role. We have grown some of our clients’ practices by 4X…solely using Facebook and Instagram.
Recently, we got some questions thrown our way about HIPAA compliance when posting on social media, and thought we might be able to share the results of our research, and give you some actionable tips to make sure your medical practice is 100% HIPAA compliant on social media.
Does HIPAA apply to social media?
Yes, HIPAA applies to all forms of media, including social media. Even though HIPAA was enacted in 1996…8 years before Facebook came along, the intent of the law remains the same: to protect the privacy and security of patient health information. Social media such as Facebook and Instagram encourage open and often “public” communication between you and your patients…but with this advantage comes great responsibility.
This guide should save you time by giving you the quick and dirty HIPAA guidelines that will allow you to leverage social media to grow your practice, while staying HIPAA compliant at the same time.
Who This Is For
Maybe you’re a medical spa owner, chiropractor, or orthopedic clinic manager who has outsourced your social media marketing…
What is a HIPAA Violation?
A HIPAA violation is a failure to comply with the law…and all of its provisions. You can view an overview of all the HIPAA laws on HHS.gov here. They also have a nice FAQ section that we’ve combed through to answer our questions. Be sure to bookmark it.
There are more than 100 pages of provisions (believe us, we painfully went through them :)). At the end of the day there are hundreds upon hundreds of ways you could potentially violate HIPAA in your digital marketing and social media efforts, but here’s a list of some of the most common ones:
- Impermissible disclosures of patient protected health information (PHI)
- Unauthorized access to PHI
- Improperly disposing of PHI
- Failure to manage risks to the confidentiality, integrity, and availability of PHI (essentially, negligence regarding the protection of PHI)
- Failure to implement safeguards to ensure the confidentiality, integrity, and availability of PHI
- Failure to enter into a HIPAA-compliant business associate agreement with vendors prior to giving them access to PHI (this is a big one here…have you done this yet?)
- Disclosing more PHI than is necessary for a particular task to be performed
- Unauthorized release of PHI to individuals not authorized to receive the information (this happens on social media ALL THE TIME)
- Failure to notify an individual (or the Office for Civil Rights) of a security incident involving PHI within 60 days of the discovery of a breach
Legal Ramifications of HIPAA violations:
“Not knowing” does not relieve you of legal ramifications, including fines and jail time. HIPAAjournal.com did a nice article going into the specific categories of HIPAA violation penalties:
“The four categories used for the penalty structure are as follows:
Here’s the corresponding chart showing potential fine amounts (credit: HIPAAjournal.com)