HIPAA-compliant social media guidelines have unique provisions and social media training requirements that most companies outside the health care sector don’t need.
For those who don’t work in health care, HIPAA stands for the Health Insurance Portability and Accountability Act.
It was enacted in 1996 under US President Bill Clinton, and HIPAA social media training is unique.
It’s all about making sure so-called “covered entities” keep patient information private, unless, of course, patients share that information on social media themselves.
Social media, needless to say, has made keeping things private tougher than ever.
Given that health care providers are beholden to federal regulators, you’d think their social media policies would need special language.
But according to Mayo Clinic General Counsel Daniel Goldman, that’s just not the case.
“If you look at our social media policy, I don’t know that it’s dramatically different from folks in other industries,” says Dan in an interview recorded today on HIPAA and social media. He also says the Mayo Clinic offers its employees and others in the health care sector a portfolio of social media training courses to increase their digital IQs.
But according to Dan, developing a corporate social media policy that satisfies HIPAA compliance does not necessarily require a different approach.
“I do think the emphasis on privacy is probably a bit stronger as it should be for any health care provider,” he says.
Social Media HIPAA Violations
The HIPAA Privacy Rule sets limits and conditions on the uses and disclosures that may be made of patient information without patient authorization, and it is covered in my free HIPAA Social Media Training Course.
But Dan warns against allowing legal compliance to chill employee advocacy.
“If people don’t have confidence you’re going to protect very sensitive information, it’s not only a legal issue, it’s a brand issue. And for most of us that’s even more important. Our brand is a multi-billion dollar asset and tarnishing it by having people believe we’d play fast and loose with privacy is an even greater risk than the regulatory penalties we’d have to pay.”
An emphasis on privacy, along with social media training that gives concrete examples of HIPAA violations, such as posting pictures to social media accounts and platforms, is critical as well.
Otherwise, employees may not understand your social media guidelines, and you can’t comply with rules you don’t understand.
Tweets and status updates are automatically date and time stamped, so if someone working for a health care provider posted on social media sites about treatments or procedures being administered to specific patients (even if names are omitted), it is possible that the time stamp, combined with other public information, could compromise patient privacy.
Under HIPAA, that would be considered a data breach.
But having a HIPAA-compliant social media policy is not enough. The social media guidelines and guidance on HIPAA you provide are equally important.
When it comes to social media and healthcare, it’s a good rule of thumb to make sure everyone is trained on HIPAA compliance in the digital age.
“The best policy in the world is useless if it sits on the shelf or on your intranet and either people don’t look at it or people don’t really understand the nuances so I would encourage employers in any industry, but especially in health care, to really provide education. Add it into new employee orientation. Add it into your yearly or regular compliance training. Just about everybody entering the workplace these days has grown up with social media. So there really is that urge to share everything that’s interesting that happens in your life on social media, so it really is about getting people to take the extra 3 seconds before they hit post on their mobile phone or computer,” says Dan. “Education is equally as important as your policy.”
Dan characterizes organizations that have responded to the risks of HIPAA social media violations by blocking access to social media entirely on their networks as somewhat naive, since most people have smartphones they can use for social networking and are not reliant on their work computers for access to Facebook or Twitter.
“You’re much better served by being realistic about it and working with your employees to train them to be responsible social media users as opposed to just saying no,” he says.
Social media training is a more sustainable way to achieve widespread compliance than relying solely on policy or governance.
As general counsel for the Mayo Clinic, which employs more than 58 thousand people and treats more than 1.1 million patients each year, he should know.
My conversation with Daniel M. Goldberg, Esquire, is also On the Record…Online as an episode of my podcast.