Here’s an article from RDH Magazine by Melissa Van Witzenburg, MS, RDH that we wanted to share with our customers. As HIPAA consultants, we want to remind you that all the HIPAA rules apply to social media used by the office.
What’s the bottom line? It boils down to this: a patient’s personal health information (PHI) should never be discussed on social media.
Here are some more details about how to safely use social media. More importantly, make sure you are current with your HIPAA compliance and training. Remember that HIPAA compliance and training is included with your DDS Rescue service. Please make sure you are current for every year.
Contact DDS Rescue to check your HIPAA status!
Social media contains many pitfalls for dental hygienists and other healthcare professionals, but can be used properly with some good judgment and knowledge of HIPAA rules.
Melissa Van Witzenburg, MS, RDH
Social media is all around us, whether it is for personal or professional use. It has become the most effective way to connect with people all over the world. Currently, Facebook is the largest social media platform with over 2.4 billion users worldwide; other platforms have an average of half a billion to a billion users.1
Early in my career, electronic medical records were just beginning to become mandatory in health care, and social media was beginning to change the way we consulted with other professionals, educated patients, and marketed dental practices. It is important that we as health-care professionals are aware of guidelines and limitations when using technology, especially social media.
The dos and the don’ts
So, what are the dos and the don’ts of social media for health-care professionals? What can be discussed or shared on social media? To date, there are no firm rules on social media included in the HIPAA laws, but the same HIPAA principles apply to social networks. A HIPAA violation by definition is, “when a HIPAA covered entity—or business associate—fails to comply with one or more of the provisions of the HIPAA Privacy, Security, or Breach Notification Rules.”2 These violations can be unintentional or intentional. According to the website HIPAA Journal, the following are general guidelines when posting to social media:3
- Patient’s personal health information (PHI) should never be discussed on social media.
- PHI can only be on social media if written consent is obtained.
- Written consent must specifically state how the PHI will be used.
- Sharing images and videos without written consent is not permitted.
- Do not post any images inside an office where PHI is visible.
- Avoid posting information or gossip about a patient, even when the patient cannot be identified.
- Never assume a post is private, secure, or has been deleted.
To help further this discussion, let’s examine four different scenarios.
Posting x-rays: A patient’s bitewing x-ray is posted in a private dental social media group to discuss the performance of another hygienist and the treatment outcomes. For any dental hygienist, it is frustrating to remove calculus that has been left behind or burnished, but a post like this would likely be a HIPAA violation. Unless the patient has given written permission for an x-ray to be posted on social media, posts such as this are not HIPAA compliant. It is important to remember that even though a post may not identify a patient by name, the circumstance or provider may give away the patient’s identity. Also, whether or not photos or x-rays are posted on a social media site without written permission, it is simply not professional to criticize another professional on either a public or private social network.
Venting about a patient: A patient questions your clinical skills and then requests not to see you again for future visits. After work, you take to a dental social network to express your dismay and explain the patient’s behavior during and immediately after the visit with you. While we’ve all experienced frustrating days when we’ve encountered a noncompliant patient or someone who simply was not friendly, it is not appropriate to gossip about patients on social media. In 2018, a pediatric intensive care unit (ICU) and emergency room (ER) nurse in Texas posted on her personal social media page about a child who was seen in the ER with a case of measles. While she didn’t identify the child by name, the number of measles cases diagnosed in this region was small, and because of this, the possibility that the child could have been identified increased significantly. As a result of the HIPAA violation, this nurse was terminated from her place of employment.4 While this was not an intentional violation of HIPAA, one cannot assume that all posts are private or can easily be deleted.
Accepting a patient’s friend request: A patient sends a friend request to your personal social media page, and you accept. What is posted on a personal social media site can vary from what is posted on a professional page. Private or personal social media pages can be a place to express political and personal views that could potentially skew the way you are viewed professionally. While this is not a direct HIPAA violation, providers should exercise caution when friending or following patients, as this could provide an opportunity to commit an unintentional violation.
Removing PHI from a practice: A clinician takes PHI and images from a previous place of employment and uses them to market a new practice on social media. This is a major HIPAA violation and can also result in other professional consequences and penalties. Whenever PHI is removed from a practice, it must be with written consent from the patient, and many employers do not allow PHI to be removed, regardless of written consent.
HIPAA is regulated by the US Department of Health and Human Services Office for Civil Rights (OCR). If a provider is reported to the OCR and found to have violated HIPAA, there is a four-tier system in place to categorize the severity of the violation and the penalty associated. It is up to OCR to determine if the violation is worthy of a penalty or if the practice/person involved should be guided on how to prevent future violations. If this is the case, the penalties would therefore be minimal. HIPAA Journal describes the tiers as follows:
- “Tier 1: A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care been taken to abide by HIPAA Rules. $100 per violation to $50,000
- Tier 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care. $1,000 per violation to $50,000
- Tier 3: A violation suffered as a direct result of ‘willful neglect’ of HIPAA Rules, in cases where an attempt has been made to correct the violation. $10,000 per violation to $50,000
- Tier 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation. Minimum fine of $50,000 per violation”2
Advantages of using social media
The use of a social media platform has tremendous rewards; however, it does have risks. Social media allows users, including dental practices, to extend their reach and market to a larger audience. Digital, not print, marketing has now become the preferred method of advertising. By demonstrating that procedures can be quick with minimal discomfort and yield great esthetic outcomes, providers are easing dental fears, as well as building a “brand.” Social media platforms allow for providers to build good rapport outside of the clinical setting and show the public that they take interest in the whole person, not just the oral cavity. Social media platforms also allow for professionals to connect with other professionals and exchange ideas and treatment methods. This type of interaction is a much more efficient way to gather and communicate data, but it must be done within the boundaries and compliance of HIPAA. Here are a few basic tips to help safeguard your office from social media violations:
- Provide staff training on what are acceptable and unacceptable uses of social media and offer examples.
- Develop strategies and a policy on social media usage.
- Keep personal and professional social media pages separate.
- If a patient discloses his or her own PHI on a social media page, do not engage in the discussion.
- Provide strategies and training on how to handle different scenarios that may occur on social media networks.
- Inform all staff of the consequence of a HIPAA social media violation.
Social media is here to stay, and while the name of these platforms may change over time, the general purpose will be the same. This technology allows providers to network to a larger and wider audience than the boundaries of a town or state. The scope of social media stretches to every corner of the world, and the distant connections and common bonds can be astounding. As social media evolves, so must our awareness of privacy and how to maintain it, not only for patients but for professionals as well. We must remember that there will always be a digital footprint, even long after we’ve hit the delete button. For this reason, we must always remember to conduct ourselves in a professional and respectable manner on social media, both in our private and professional lives.
1. Ortiz-Ospina E. The rise of social media. Our World in Data website. Published September 18, 2019. Accessed November 2, 2019. https://ourworldindata.org/rise-of-social-media
2. What are the penalties for HIPAA Violations? HIPAA Journal website. Published June 24, 2015. Accessed November 13, 2019. https://www.hipaajournal.com/what-are-the-penalties-for-hipaa-violations-7096
3. HIPAA Social Media Rules. HIPAA Journal website. Published March 12, 2018. Accessed June 5, 2019. https://www.hipaajournal.com/hipaa-social-media/
4. Texas nurse fired for social media HIPAA violation. HIPAA Journal website. Published September 13, 2018. Accessed November 13, 2019. https://www.hipaajournal.com/Texas-nurse-fired-for-social-media-hipaa-violation/