Stay HIPAA Compliant on Social Media

One effective way to attract new patients is through online reviews on social media sites like Yelp, Google, and Facebook. A good rating on one of these sites can earn referrals more quickly than regular word of mouth in many cases. And testimonials from satisfied patients can be worth their weight in gold. But even if your patients volunteer information about their experience at your office, your practice needs to take the same steps to protect patient privacy online that you follow in the office. Read on for best practices to ensure you stay HIPAA compliant when using the power of social media to grow your patient base.

According to marketing coach Misti Buard, doctors should keep in mind that they need to follow the same privacy rules online as they do in the office: “If you wouldn’t say it in an elevator, then you shouldn’t say it online.” In some cases, the rules are fairly clear-cut. When posting office photos on Facebook or elsewhere, make sure no files or patient information can be seen in the photos. The same goes for advice: do not give professional recommendations on social media; rather, advise patients to visit a medical professional for treatment.

What about online review sites, like Yelp? If patients are voluntarily sharing information about their experience with your office, how do HIPAA rules apply? This is where things can get tricky. Privacy compliance expert Dr. Danika Brinda of Planet HIPAA recommends this simple strategy: “Keep it brief, keep it general, and try to move the conversation offline.” Just because a patient posts details of their visit does not mean they are giving authorization for you to share their status as a patient or any of their private health information. Providers must get a patient’s explicit consent before disclosing any of that patient’s information.

Rather than going into detail about services received at your office or the patient’s treatment plan, it is best to respond to online reviews with a consistent and general message, such as, “Thank you for your comments. It is our policy to provide the best possible care to patients. Please contact us with any further concerns or comments.” This ensures that your organization responds to patients who want to engage online, but stays HIPAA compliant by moving the discussion away from the internet. So even if a patient writes a glowing review of your practice, be sure to get written authorization from them before sharing their positive testimonial on your website or embedding a link to their review.

With 84 percent of patients looking to review sites when they search for a new doctor, Yelp and other sites can become powerful tools for increasing your revenue. But as Dr. Brinda notes, “Even the most savvy organizations may have questions about how to respond to reviews and maintain patient privacy.” Make sure your social media plan includes finding online reviews, responding to them, and keeping HIPAA compliance in mind, and your patients – new and old – will thank you.
