Prospecting on Social Media While Protecting PHI and Maintaining HIPAA Compliance
Social media marketing is one of the most important marketing tools for businesses of all kinds. It allows medical practices and other organizations to meet people where they already are: on social media platforms like Facebook, Instagram, and Twitter.
These platforms let you communicate with and reach customers 24/7 in a way that is familiar and authentic to them. Social media marketing fits just about any budget and purpose. Businesses that don’t use social media are potentially missing out on reaching billions of customers.
Why it’s important
Review sites and directories also greatly influence people’s decisions about where to get healthcare. Sites like Google Reviews and Yelp are increasingly used by patients to select a healthcare provider. A 2011 study by the Pew Research Center showed that almost 80 percent of online users use Facebook Recommendations to look up information about health care providers. Another study conducted by Vitals showed that about 85 percent of consumers are more likely to choose one doctor over another based on high ratings and reviews.
There is no doubt that healthcare providers who use social media and digital marketing to reach patients have the upper hand. However, you must follow HIPAA rules when conducting social media and online marketing. So, how does HIPAA apply to social media and online marketing?
There are two rules that you must understand when it comes to social media marketing and HIPAA.
1. The patient may post whatever they want on any platform they want.
2. A patient making such a post does not give you permission to confirm a patient-provider relationship.
Tips To Stay In Compliance
Here are some tips to help you stay in compliance with the above two rules when using social media marketing.
Have a written social media policy.
Every practice needs to have a written social media policy that is readily available to your staff. Define your purpose for using social media within your company.
Decide who will post photos, write status updates, and respond to potential patients. Identify a backup social media manager, if needed. Create a few ready-to-go responses. These will help your staff stay in compliance with HIPAA rules.
Regularly review your social media policy and update it.
As the government issues new guidelines about social media, update your social media policy. Also, include your social media policy as part of your Annual HIPAA Risk Analysis.
Never confirm a patient-provider relationship on social media.
If a patient leaves a review, a simple thank you is all that is needed. If they leave a negative review, respond quickly and respectfully, but again, don’t confirm a relationship with the patient. Instead, invite them to reach out to you offline.
Remove comments that violate HIPAA.
If someone posts PHI on your business page, it is still your responsibility to remove it. So, make sure you have the ability to remove any comments on your website or social media pages that contain PHI. Yelp and Google both provide ways to request that a review be removed.
Use Facebook™ recommendations carefully.
Prospective patients rely heavily on Facebook recommendations; however, there is no way to remove a recommendation once it is posted. Some HIPAA consultants recommend that businesses turn off Facebook™ recommendations for this reason. If you do have a Facebook™ business page, don’t tag patients or share information that can identify a patient.
Don’t post testimonials without written authorization from the patient.
Many practices will screenshot patient reviews and use them in their marketing. This practice of screenshotting reviews is absolutely not OK. Remember, a patient can post what they want wherever they want. The patient’s post does not mean you can reuse this content, especially if the review contains PHI. Bottom line: if you’re going to use patient testimonials on your website and social media, make sure you obtain written authorization before posting the testimonial.
Link out from your website to Google or Yelp reviews.
It is important to respond to patient reviews and comments on social media and on sites like Yelp or Google. Reviews help build online credibility with prospective patients who are researching your practice. Instead of posting patient reviews directly on your website, link out to them. Simply say “Check out all of our 5 Star Reviews” and then provide a link to the review page. Linking to offsite reviews is an easy way to show off your reviews while staying HIPAA compliant.
Avoid personal contact with patients outside the office.
Don’t interact with patients on your personal social media accounts. Make your pages private and don’t accept Friend or Follow requests from patients. You might even consider using a pseudonym so that it is hard for patients to find you on social media. Most importantly, let your staff know that they should also avoid contact with patients outside of the office.
What does it mean for you?
If you deal with PHI, it is crucial to make sure that your marketing follows HIPAA guidelines so that you and your patients are protected.
James Speed | Pawsitive Marketing
James is a marketing consultant and Facebook ad specialist. He has excelled in sales for over a decade with multiple Fortune 500 companies and high-demand local businesses. James has consistently blown past sales goals and strived to be a leader in sales strategies. By setting organizational objectives and sales quotas, he has been able to improve revenue from sales continuously. Through this experience, James has gained valuable insight into sales and marketing that can apply to almost any business. James strives to spearhead new marketing initiatives, some of which have brought about six-figure changes in revenue for our clients. James’ purpose with Pawsitive Marketing is to help local healthcare-related businesses grow through digital marketing and increasing their web presence. While assisting medical practices, it is imperative to keep patient health information protected, with secure and effective digital marketing. Keeping our clients HIPAA compliant is more than just our business; it’s our passion.
Very interesting and new approach to HIPAA compliance.
From my perspective, any health care organization must use security software like SIEM to protect the confidentiality of data.
At the same time, in case of a data breach, the SIEM generates reports for a better comprehension of the vulnerability and its solution, helping to analyze and solve future complaints. The reports can be easily customized in the dashboard and might become an essential assistant to face the challenge of an independent audit, which controls the security or integrity of the ePHI (electronically protected health information) exhaustively.