by Amanda Larson
Social Media & HIPAA Compliance: The Ultimate Guide
As more people flock to the internet to share their lives, social media sites are growing in popularity and in users. Naturally, many businesses, including healthcare professionals, are finding new ways to connect with their audiences and attract new customers. However, social media is different for medical practitioners because of one thing: HIPAA.
The Paubox blog has numerous articles about HIPAA compliant products and a collection of those focused on social media. This compilation centralizes all that information.
This ultimate guide will navigate all your questions about social media and how each platform relates to HIPAA compliance. Here we go!
Social media and HIPAA compliance
Before we dive into each platform, there are a few things about HIPAA compliance you need to know.
A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) for a covered entity. The primary goal of a business associate is to help covered entities comply with the HIPAA Privacy Rule. Entities covered under HIPAA must have a business associate agreement (BAA) signed with any business associate they partner with.
The popular social media platforms will not sign a BAA, and therefore you should steer clear of sharing any PHI. Better to err on the safe side and be very careful about what information you include in your posts, since even just a name or email address can be considered PHI in some circumstances.
It’s up to you and your staff to maintain HIPAA compliance.
HIPAA compliant social media best practices
Since the responsibility lies with you and your practice, it’s vital to know what you can—and cannot—say on social media in a HIPAA compliant manner.
Educate both yourself and your staff on the following to stay HIPAA compliant when using social media.
- Understand what information constitutes PHI
- Never post any information that could be interpreted as PHI
- Do not disclose if a patient received or intends to receive any services
- Do not share or allude to any specific or unique medical cases
- Use broad terms that address “all patients” and avoid addressing individuals or their situations
- Do not diagnose or describe any prognoses, symptoms or courses of treatment publicly
- Use HIPAA compliant email to contact patients (or potential patients) directly—do NOT send messages to patients either privately or publicly via a social media platform
To keep it simple: If a patient might be identified, don’t say it on social media!
Thankfully, there is plenty you CAN say online. Here are some HIPAA-friendly types of posts you can integrate into your content.
- Share updates or news about your practice
- Educate the public about popular or timely health topics
- Communicate about COVID-19
- Share health and wellness tips
- Support other local businesses and partners
- Promote events related to your practice
Facebook
Facebook is the world’s largest social network with over 3 billion active users. This king of social media reaches over 60% of all internet users. Sixty-nine percent of American adults have a personal Facebook profile and spend an average of 58.5 minutes on the platform daily.
Facebook is not HIPAA compliant because it will not sign a BAA. However, covered entities can use it—as long as they do not share any PHI.
Facebook has expanded from personal profiles to business pages to groups and beyond. Over 90 million small businesses are present on the platform. Facebook’s ad network made $17.74 billion in revenue last year.
Facebook Pixel
The Facebook Pixel is a snippet of code embedded into your website. This code works with Facebook to report website visitors’ behavior and enables insights like conversion tracking.
The question about Facebook Pixel and HIPAA compliance lies in its retargeting ability, since it uses Facebook user information to retarget ads. Be aware that Facebook Pixel is not HIPAA compliant by any means.
Instagram
With over 120 million active users in the United States, this photo and video-sharing app is one of the most popular social platforms. Users can interact with one another’s content through likes, comments, and private messaging.
Since Facebook acquired Instagram in 2012, the platform has grown with advertising in mind. Many businesses use Instagram to complement their Facebook ad strategy.
Similar to Facebook, Instagram is not HIPAA compliant because it will not sign a BAA. However, covered entities can use it if they avoid using PHI.
Twitter
Did you know Twitter is the birthplace of the #hashtag? Users on this micro-blogging website fire off 500 million tweets per day. As Twitter says, you can “follow everything from breaking news and entertainment to sports, politics, and everyday interests. Then, join the conversation.”
So is Twitter HIPAA compliant? Like the other social media platforms, since it will not sign a BAA with covered entities, Twitter is not HIPAA compliant. Healthcare professionals are still welcome to use it, as long as they refrain from sharing any PHI.
In fact, Twitter’s Terms of Service states directly that “You are responsible for your use of the Services and for any Content you provide, including compliance with applicable laws, rules, and regulations.”
LinkedIn
Founded in 2002, LinkedIn is one of the oldest social media platforms. It is the world’s largest professional network and has expanded to 690+ million users in over 200 countries worldwide.
Many healthcare professionals use LinkedIn to build their network, share expert knowledge, and keep an eye on the medical industry.
However, LinkedIn is not HIPAA compliant. Because it will not sign a BAA, covered entities are responsible for what information is shared on the platform.
Yelp
If you’re looking for a new local business, you might begin your search on Yelp. With 178 million unique visitors per month, Yelp’s local directory and customer rating network helps connect consumers with ideal, trustworthy businesses, including medical practices.
However, Yelp has become a source of HIPAA fines. Most cases are for the accidental sharing of PHI—like a dental office that was required to pay $10,000.
So is Yelp HIPAA compliant? In short, no, for the same reason as the other platforms mentioned in this post: Yelp will not sign a BAA with covered entities. That means Yelp is not HIPAA compliant. But healthcare providers can use it safely if they do not publish PHI.
SEE ALSO: The Complete Guide to HIPAA Violations
None of Facebook, Instagram, Twitter, LinkedIn, or Yelp is HIPAA compliant, because none of them will sign a BAA with covered entities.
However, healthcare providers can and do use the platforms in a HIPAA compliant manner if they steer clear of sharing anything that can be remotely considered PHI and do not message patients directly.
HIPAA compliant solutions that are complementary to social media
Social media provides endless opportunities for medical practitioners to grow their brand online if they stick to HIPAA compliant best practices and avoid sharing PHI.
To increase your social media potential, you can amplify your communications with other HIPAA compliant solutions, like those below.
Paubox Marketing
Paubox Marketing is a leading solution for HIPAA compliant email marketing. You can send personalized email messages that include PHI, and they arrive directly in the recipient’s inbox.
Using an email marketing solution can even get you more social media followers. Share your profiles in your marketing emails so people can easily follow you, and cross-post your content in your marketing emails and on social media to get more bang for your buck.
Simply put, Paubox Marketing is the best HIPAA compliant email marketing solution available.
SEE ALSO: Healthcare Email Marketing Use Cases
Paubox Marketing allows healthcare practitioners to email patients en masse. However, every covered entity also needs a HIPAA compliant solution for standard email. Enter Paubox Email Suite.
Paubox Email Suite
Using a popular email provider like Google Workspace or Office 365 is not enough to make your email HIPAA compliant. Although healthcare practitioners can use these platforms with a signed BAA, they need additional services like Paubox Email Suite to make the email they send HIPAA compliant.
Paubox Email Suite eliminates the need to press any extra buttons or write “secure” in the subject line when sending encrypted emails. Simply compose an email as you normally would, and Paubox takes care of the rest. As with Paubox Marketing, emails are received directly to your recipients’ email boxes—no password or portal required.
By encrypting everything you send out by default, Paubox Email Suite ensures HIPAA compliance for your organization while making it extremely easy for your recipients to view and reply to your encrypted emails.
Paubox Email Suite Plus
Paubox Email Suite Plus comes with all the email encryption features of Paubox Email Suite, plus it blocks email threats before they hit the inbox with robust spam filtering and email security against ransomware, malware, and phishing attacks.
In conclusion, social media coupled with Paubox products can improve your communication efforts and deliver a secure, effective marketing strategy for your practice—all while remaining HIPAA compliant.