With over 3.5 billion people projected to use social media in 2020, healthcare professionals cannot afford to ignore the power of this communication tool.
However, choosing the right social media management service is not always easy, especially when you need to stay HIPAA compliant.
Today we are looking at Buffer.
Founded in 2010, Buffer is a social media management platform used to create, analyze, and publish social media posts.
Buffer’s capabilities include in-depth social analytics, report building, audience insights, and more.
Buffer and the business associate agreement
We found no information online about Buffer executing a BAA.
Protected health information and Buffer
An essential part of HIPAA compliance is protecting patients’ protected health information (PHI). Any information that can be used to reasonably identify a patient and is used during patient care is PHI.
Buffer offered no information about PHI on its website.
We did find information on its Legal Policies and Procedures page that personal user information is collected, used, and disclosed by Buffer. By agreeing to Buffer’s terms and conditions, users agree to allow the platform to collect their personal information.
Buffer also states that it may sell this personal user information.
Per its Privacy Shield:
The above information is another reason why Buffer is not HIPAA compliant.
A pivotal component of HIPAA compliance is an executed BAA.
We found no information on Buffer’s willingness to sign or discuss executing a BAA. Therefore, Buffer does not offer HIPAA compliant services.
Using Buffer without violating HIPAA
However, there are ways covered entities can use Buffer’s services safely.
Using social media to nurture the patient-provider relationship is an excellent idea for healthcare professionals. You and your practice can maintain HIPAA compliance while sharing general information on social media, like general wellness tips, information about your practice, event information, and updates about COVID-19.
To use social media in a HIPAA compliant manner, your practice must never:
- Disclose anything that could be considered PHI
- Allude to someone’s specific health condition or unique medical case
- Address individuals or their individual health histories, even if someone discloses this information willingly
- Direct or private message any patient
Simply put, steer clear of sharing anything that can be remotely considered PHI, and make sure your team completely understands social media and HIPAA compliance.
Also, consider creating a HIPAA compliant social media plan to help ensure your staff is sharing information correctly.
Complement social media with HIPAA compliant email
Emails are delivered directly to a patient’s email inbox; no password or portal is required.
Your patients will never have to worry about logging into and out of an email portal again.