5 Things Healthcare Providers are Doing Wrong on Social Media

Are your social media practices compliant with HIPAA and other medical privacy laws? If you’re not careful, that seemingly harmless post can land you in hot water.  Avoid these five common mistakes healthcare professionals make on social media.

Social Media Mistakes in Healthcare

Most of us cannot go more than 10 minutes without checking our Twitter or Facebook feeds for updates. Healthcare professionals are no different.  When you spend most of your waking hours on the job, it’s natural to want to post anecdotes and images about your workday.  If you are a healthcare provider, however, you need to be extra careful when it comes to sharing information that might be protected under HIPAA and other medical privacy laws.  

Here are five of the more common mistakes that we have seen doctors, nurses, and medical staff make on social media.  Do any of these look familiar?

[Image: Privacy violation example email. Caption: "Thought this was OK? Think again."]

1. Sharing snippets of patient communications without written consent.

The Internet is, in many respects, a giant gossip collector. We all enjoy sharing “memes” and jokes on social media sites. Just make sure nothing you share online comes from a patient’s email or other HIPAA-protected communications. Even if you do not directly identify the source of the information, you are risking a HIPAA violation if any snippet of information can be tied back to the original source. Common examples of this are blacked-out emails, texts, greeting cards, or social media messages.

2. Sharing patient photos from around the clinic without written patient consent.

Many doctors enjoy displaying photos of themselves with their satisfied patients, but keeping a photo collage in your private office (away from the view of patients) is one thing–posting those pictures to Instagram is another. Always get written authorization before posting any patient’s photo online. More importantly, make sure any photo you upload does not contain anything that could inadvertently disclose protected health information or identify another patient who has not given authorization. For instance, if a photo of your office happens to show a patient’s medical chart or paperwork in the background, do not post it.

3. Discussing a patient’s protected health information.

Let’s keep this simple: Never discuss a specific patient case on social media. It is perfectly fine to talk about medical conditions, research, and treatments as general topics, but avoid giving any concrete examples that would compromise a patient’s protected health information. For example, instead of posting an item that says, “I treated Mary Smith for arthritis this morning, and here’s what you can learn from it!” simply write about the symptoms of arthritis and when someone should see a doctor.

Similarly, if you’re looking for feedback from your peers, refrain from posting something like, “I treated a 60 y/o woman for arthritis this morning who’s an active golfer, daily runner, vegetarian — looking for less invasive approaches than Lyrica and injectables (which haven’t worked). I’m out of ideas — help?!” Even if you’re practicing in the midst of a major metro area, social media features like shared connections and groups can make this patient easily identifiable. Always send these types of messages personally and privately to individuals whose counsel you seek (still while omitting any PHI), or craft very generalized and professional inquiries when you’re crowdsourcing solutions for a tough case.

4. Sharing a patient’s biometric information.

Biometric information includes any unique biological characteristic that can be used to confirm a person’s identity. Common biometric identifiers include a retina or iris scan, fingerprint, voiceprint, or even a scan of a person’s facial geometry. Healthcare providers have a special duty under Illinois law to protect biometric information from unauthorized disclosure, so it’s critical to make sure none of this data ends up on any public website or service.

5. Discussing patients in a way that breaches their trust or violates the provider’s ethical obligations.

Earlier, we discussed never posting the specifics of a patient case on social media. Some healthcare employees might think it is okay to circumvent this rule by talking about patients in an anonymous manner, e.g., “The doctor treated this patient for arthritis today…” The problem with this approach is that it still violates the patient’s trust, as well as the healthcare provider’s professional ethical standards. This is why it is essential for healthcare providers to ensure all of their employees understand and respect the confidentiality of their patients’ medical information.

Jackson LLP can help with your social media compliance.

It is not enough to simply tell your employees not to discuss patients on social media. Every practice needs a written social media policy as part of its employee handbook and its overall HIPAA compliance program.

At Jackson LLP, our healthcare-specific law practice can assist you with updating your HIPAA manuals, drafting patient consent forms, preparing employee handbooks that contain strong social media policies, and drafting workplace confidentiality agreements. Schedule your free consultation below to discuss how we can help your practice.


If you found this post useful, you might also enjoy Connor Jackson’s guest blog for WebPT about HIPAA-compliant emails and text messages.

© 2018 Jackson LLP
