Is your medical practice’s social media policy adequate? By now every physician should be aware of the benefits that social media can bring to their practice. Indeed, many practices engage with one or more social media platforms on a regular basis. Moreover, staff members are most definitely active on social media, and probably use it while at work.
Physicians and practice managers must be smart about training employees on what they should and should not share online. Staff in your practice could incur liability on behalf of your practice as a result of their comments on social media. Because of the confidentiality rules in HIPAA, staff training is important. You should constantly remind employees that they are representatives of the practice.
You should also have some sort of social media policy in place. Here are a few key items your policy should include:
Guidelines and expectations. Your policy should set clear expectations for how team members (as representatives of your practice) must conduct themselves online.
Your policy should clearly state that there will be no posting of protected health information (PHI) and that employees are not allowed to use social media in work areas near patients. Be specific in training your employees and instruct them to avoid identifying patients in any way on social media; this includes names, unique characteristics, etc.
Some practices do not allow employees to use social media for personal reasons on work time. While that is fine as a policy, it does not circumvent the need to appropriately train your staff. Moreover, it can be hard to police.
It is advisable to discourage team members from participating with patients on various websites. If they do engage patients on social media, they certainly should not be discussing patient-related matters.
Lastly, someone (most likely the practice administrator) should be designated as the spokesperson responsible for answering questions about your practice on social media.
Penalties and consequences. Penalties for data breaches increased under the American Recovery and Reinvestment Act, so your policy should make clear to employees the consequences of their actions on social media sites. An individual claiming they did not know they violated HIPAA is subject to a minimum of $100 per violation. A HIPAA violation due to reasonable cause and not due to willful neglect carries a minimum fine of $1,000 per violation. A HIPAA violation that is due to willful neglect (but corrected in short order) is subject to a minimum of $10,000 per violation. Lastly, a HIPAA violation that is due to willful neglect and not corrected carries a minimum fine of $50,000 per violation. The maximum fine for each of these four categories is $50,000 per violation.
Explanations of rules and regulations. The social media policy should outline what is illegal, what is considered confidential information of the practice, and what is protected health information.
It’s not enough to have a social media policy; employers should put just as much time and effort into training their employees on the ins and outs of the policy. Make it a separate document from the employee handbook.
Contact ABISA, a consultancy specializing in solo and small group practice management. Visit us at ABISALLC.com.