The most common platforms used for social media are Facebook, Instagram, Snap- chat and Twitter. ere are others that are also important, such as LinkedIn, Yelp, YouTube, Angie’s List, and Google Reviews. How you interact with each of these is a little different, but the basic premise is the same when it comes to HIPAA — don’t expose your practice to risk by exposing patient privacy.

The U.S. Health and Human Services (HHS) department has issued publicly available guidance on how to deal with social media.  However, this guidance is just that – guidance.  How your staff is educated and what policies you have in your practice regarding social media is really what makes using it either HIPAA compliant or not.

I always recommend that doctors think carefully about who they are “friends” or “connected” with, but also what they are “licking” or posting personally, as it can be used against them professionally.  It is also a good idea for doctors to not personally connect with their patients through social media.  I once had a dentist client who had and after hours party at the office with beer and one of the staff snapped a picture, tagged the doctor’s personal Facebook account and uploaded it onto the business page.  While the picture was taken after-hours, a patient could easily use that public post for a malpractice claim.

In the previous situation, the surroundings matter. As further examples, pediatric and orthodontic offices often have walls with patient photos. e practice should have obtained consent to post the photos in the office, but that consent does not extend to other people’s social media. Make sure patients understand that they should not take selfies with photos in the background.

On another note, you should make sure other people do not accidentally post images of your office that could contain patient information. Minimize the schedule on a computer. Log out the last patient on an iTero. Hide printed schedules. These things could easily get snapped in the background of a photo. Other patients and family members may not want to be photographed, so it is a good idea to have a ‘selfie-zone’ to take pictures in a safe environment and maintain everyone’s privacy.

We are already starting to see changes in how people interact with social media in everyday activities. Patients want to make appointments, text, chat, message and more from their social media pages. While these features are convenient, there is security to consider. Are those integrations secure? Are they encrypted? Are they opening you up to more liability? Will the vendor take responsibility if their program causes a data breach or patient lawsuit? These are all questions you have to consider.

I do not think HIPAA will change in the future in regards to social media. e Office for Civil Rights with HHS has outlined a pretty straightforward stance on social media that will hold up for years to come, so it is up to the practice to have and enforce a comprehensive policy. People are always the weak point. Social media has turned us into an oversharing society and unless you educate your staff properly and enforce a solid policy, your staff can share too much and get your practice into trouble. So, how do you get your once up to date with HIPAA and social media?

1. Write a policy and procedures for social media and stick to it.
2. Routinely discuss the policy with your staff.
3. Have your staff sign confirmation that they’ve been trained on your new policy.
4. Make sure vendors who integrate or help with social media adhere to your social media policy.
5. Perform Business Associate Due Diligence Security Review on any potential vendors to ensure that both their Business Associate Agreement is mutually beneficial and they are not inadvertently introducing risk into your social media platforms.

For more information, HIPAA has published guidance on social media in the healthcare setting: https://www.hhs.gov/ web/social-media/getting-started/index.html.

Amy Wood is President of ACS Technologies, LLC. With her experience as a data breach consultant and health-care IT provider, she edu-cates private practices, clinics, dental associations, study clubs, disability groups, vendors and business associate practices to ensure that they are addressing HIPAA proactively in a reasonable and appropriate manner. She runs ACS with her husband, Scott, and lives in Santa Rosa, CA with their three daughters. Amy can be reached at [email protected]