The use of social media has invaded every part of our lives today. Because of this, it is normal for it to also be used in healthcare. However, due to the ease of sharing information, social media presents an enormous risk to practices trying to maintain patient privacy under HIPAA. Because of the way social media encourages connections and discussion, it seems natural to use it to discuss health-related items with patients. However, this would be a mistake. Here are some examples of why it is a bad idea:
Elite Dental responded to a review left about them on Yelp. This, in and of itself, isn’t an issue. However, in the course of the response, they revealed the patient’s name, treatment plan, and costs, along with patient insurance information. Elite was forced to pay $10,000 in fines to the Office of Civil Rights (OCR) for the violation.
Employees of a nursing home posted a Snapchat post of themselves taunting a 91-year-old patient who had dementia. When the nursing home learned of the incident, it fired both employees and reported the incident. They are now under investigation and facing a lawsuit.
The above two cases seem obvious. These were very stupid mistakes that should never have happened. But what about seemingly innocent examples? Here are the most common social media mistakes.
If a patient leaves a positive review for services your practice performed, how should you respond? It doesn’t matter if the patient mentioned treatment they received; you are still not allowed to confirm it. Confirming releases private patient information. For example, if they state, “Thank you for the wonderful experience when I had my surgery there,” don’t respond with anything that would confirm the surgery or what type of surgery it was. Simply respond with, “Thank you for the kind words.” This doesn’t reveal anything about the patient.
What if a patient posts a picture of their new baby and tags their OBGYN? The OBGYN shouldn’t respond in any way that confirms the patient’s information. Simply comment on the beautiful baby, happy mother, etc.
Remember, patients can disclose their health-related information. Even if they do it first, this doesn’t change how HIPAA rules work for Covered Entities.
Pause before you post. It’s not worth losing a job or facing possible lawsuits and fines.