By Diane Evans
Publisher, MyHIPAA Guide
For a dentist, social media can be a great way to communicate valuable information. Conversely, it could be your worst nightmare if patient privacy is violated.
The challenge is in harnessing the benefits of social media without violating anyone’s privacy. And that is best achieved through a Social Media Policy that encourages the sharing of information while always protecting privacy.
With a Social Media Policy, you as a dentist can set and enforce clear processes for what may be posted and by whom. Here are some suggestions on what to include in your policy:
- Allow social media postings only with proper authorization.
- Prohibit the transmission of patient images via any electronic media.
- Educate staff on appropriate social media activities.
- Require explicit permissions from patients for even the slightest online reference linking an individual to your practice.
- Prohibit staff from taking photos or videos of patients on personal devices.
- Set restrictions on patients’ use of personal devices once they are in your clinical area.
- Require prompt reporting of any infractions or potential breaches.
The objective is to create a culture of vigilance so that privacy protections become instinctive. It’s about a mindset, rather than the mere motions of a regulatory requirement.
What’s at stake is the integrity of your practice. Your patients trust you, and you of course want to uphold that trust.
Once you have a Social Media Policy in place, it’s helpful to have a collective understanding within your practice of how social media infractions commonly happen. Here are the leading culprits:
- Carelessness: This is the most common issue of all in breaches, and typically involves well-meaning intent. Here is an example from a federal case that led to a fine: A small practice included a patient testimonial on its website, but failed to get written permission to do so.
In situations such as this, a practice can expect to avoid fines if an underlying HIPAA compliance program is in place, and the breach occurred due to a violation of internal policy.
- Personal vendetta: In some cases, an employee discovers embarrassing information about a patient, and then spreads that information via social media. An example from an actual case, reported by ProPublica and resulting in a lawsuit and undisclosed settlement: A medical staff member discovered that her former friend had a sexually transmitted disease. A post to Facebook followed, noting the former friend’s diagnosis and her full name.
A cautionary note to dentists: Be extra careful with information with high gossip value. For instance: If a local mayor gets a tooth knocked out in a fight, and then shows up at your office, take extra security precautions.
- Laxity: This is also a common cause of fines. In these cases, regulations under the Health Insurance Portability and Accountability Act (HIPAA) get relegated to low-priority status. Privacy is not top-of-mind, and breaches become more likely.
If a complaint leads to a HIPAA audit, expect stiff fines for lack of an underlying HIPAA compliance program, which must include risk assessment, security policy implementation and management of Business Associates.
Dentists, for our plan to help you get compliant in three easy steps, go to https://www.myhipaaguide.com/3steps/