For example, Facebook’s recent changes to their check-in feature allow visitors to post a picture to your facility’s page. While a patient or visitor can share that photo without violating HIPAA, they could inadvertently violate another patient’s privacy should someone be in the background and unaware that their photo is being taken or shared. Facebook’s new check-in feature does not require approval from the page administrator or provide the ability to disable this functionality, which is a concern.
Here are a few tips and considerations to ensure your Facebook and other social media channels are not compromising patient privacy:
If someone posts a photo to your organization’s Facebook page, don’t like or share it as the Facebook page administrator. While they have willingly shared their own information, taking action could be seen as confirming someone as a patient by HIPAA standards.
Any organization using social channels for marketing should have a social media policy in place that includes guidelines and expectations for the social community manager, employees throughout the organization, and fans or followers interacting with the account. As HIPAA rules change, be sure to review your social media policy so that it reflects the updates, and keep employees informed as well.
Similar to having a social media policy in place, healthcare organizations should also post signs in waiting rooms and other visible areas stating that taking photos in the building is prohibited. This serves as a notice to visitors, as well as a reminder for staff.
Incorporate social media scenarios into your employee HIPAA training. Hospital and clinical staff go through HIPAA training and refresher courses regularly, which is an opportunity to provide tangible examples of how social media impacts patient privacy and ways to avoid both overt and inadvertent compliance issues.
This post was written by Lindsay Vidrine, Health Practice Lead