Actively posting patient photos to your social media while staying HIPAA compliant may seem like an arduous, fraught task – but it doesn’t have to be!
Here is a guideline for adhering to HIPAA rules while engaging in dental social media marketing:
1. Implement a practice-wide, written HIPAA-compliant social media policy.
Train your entire team on your Social Media Policy, and assign a social media manager who is very familiar with HIPAA, and who has the time, willingness, and trustworthiness to devote to managing your social media. Limit the number of people with access to your practice’s social media login information.
2. Always get signed consent from patients before taking and/or posting any patient photography.
A verbal agreement will not suffice; make sure you obtain a signed, HIPAA-compliant photo release form (like ours, free to download here). Even after receiving signed consent, keep as much personal information confidential and private as possible when posting online.
3. Do not post protected patient information or circumstantial details.
This may seem like a no-brainer, but it happens far too often. Even if you remove identifiable features in your patient photos and don’t include the patient’s name, their PHI can still be traced if you post about a specific treatment or circumstantial details.
– This includes responding to an online comment or review by acknowledging a patient’s treatment at your office. While we nearly always recommend responding to comments on your social media, if someone (even the patient themselves) shares patient PHI in a comment, avoid verifying it in any way. Instead, respond in general terms, saying that your practice always strives to provide excellent dental care, or, when in doubt, simply do not respond to it.
4. Do not assume information is private.
Virtually everything posted online can be found and tracked, even if the post is deleted. Be vigilant about preventing HIPAA violations before they ever make it to social media.
– This includes the storage and handling of patient photos, even prior to posting them online. If a team member takes patient photos on a smartphone or tablet, those photos must be properly encrypted, and cannot leave the office. We know mistakes happen, but this HIPAA violation is simple to prevent: use a free, cloud-based photo encryption app, and delete all patient PHI from smartphones and tablets before leaving the office each day.
We know that staying HIPAA compliant while posting to social media may seem daunting, but it is really just a matter of taking the HIPAA policies your team already follows in your daily office life, and translating them to your online platforms and social media interactions. Plus, you and your team are already well-practiced in ensuring your patients’ safety and comfort, and that includes protecting their PHI. Taking the necessary steps to protect your patients’ PHI when it comes to social media and dental marketing is a simple extension of the same responsibility and care you provide for your patients on a daily basis, and well worth it!
Note: We do not provide legal advice, and the recommendations found here are informed suggestions. Additional compliance rules vary significantly from state to state and country to country. Please consult your attorney if you need further advice or have any further questions.