HIPAA and Social Media

Practitioners must take care to protect patient privacy when interacting on social media.

Like millions of other businesses, medical aesthetic practices and medspas often use social media channels—such as Twitter, Facebook and Instagram—to increase brand awareness, promote new services, and strengthen the bond between providers and patrons. Unlike other service- and product-based businesses, medical practices and medspas are bound by patient privacy regulations set forth in the Health Insurance Portability and Accountability Act of 1996 (HIPAA). And it is shockingly easy for a practice to expose itself to HIPAA violations through social media activity.

HIPAA Basics

HIPAA is a piece of legislation that regulates the many ways in which the business of health care is conducted in the U.S. Since its adoption, however, it has become virtually synonymous with the issue of patient privacy. HIPAA’s Patient Privacy Rule prohibits medical institutions from sharing protected health information, which it defines as anything that can be used to identify a patient. This can include an email address, street address, name, birth date, Social Security number, etc. All of this information must be kept completely confidential.

Medical facilities that violate HIPAA’s Patient Privacy Rule may be subject to substantial fines—sometimes in the hundreds of thousands of dollars per violation. Additionally, many states enforce even stricter patient privacy statutes, so practices and medspas must take great care to protect their patients’ identities and healthcare information.

Social Media Guidelines

There are three major ways that medical aesthetic facilities and medspas can violate patient privacy laws through the use of social media.

Publicly reaching out to a patient. If you are connecting with patients via a social media channel, such as Facebook or Twitter, it might seem like a good idea to reach out to them after a visit to thank them for coming in. This can help build a relationship by showing your gratitude for their patronage and entice their friends to learn more about your services. Unfortunately, this seemingly innocuous act may constitute a HIPAA violation, because you have publicly revealed that this person is one of your patients.

You can thank your patients via social media by using the private messaging feature of whichever social media platform you are using. However, the safest way to follow up with patients while protecting their privacy is through a handwritten note, personal email or direct phone call.

Publicly responding to a positive comment from a patient. Let’s say that one of your patients posts the following on your practice’s Facebook wall: “Had a great Botox treatment here today!” You may be inclined to post a response, such as: “Thanks! We hope to see you again soon!” Though it appears harmless, even this response can represent a breach of patient privacy, because you have confirmed that this person is a patient of your practice.

This is an emerging legal issue that has yet to be put to the test by litigation, and it could be argued that by publicly posting that message the patient is tacitly waiving his or her HIPAA protection. Unfortunately, HIPAA and other state-based privacy laws are very strict, so it’s probably not a good idea to test them.

You can avoid this trap by stating on your social media channels that, although you appreciate all comments and feedback from patients, the best way to deliver them is via email or to call the practice directly. This way, you do not appear unappreciative yet you reduce your potential exposure to patient privacy violations. Alternatively, you can draft a form acknowledging that the patient wishes to waive his or her HIPAA protection for social media communication. If you choose to follow this route, the release form should be created or reviewed by a healthcare attorney.
