If you search the web for top five HIPAA violations, you will find something similar to the following:
- Lost or stolen Protected Health Information (PHI) on laptops, back-up disks, and portable drives
- Inappropriate access of PHI by employees (i.e. snooping into records of family members or co-workers)
- Improper disposal and storage of PHI
- Computer Hacking
- Releasing PHI to patients in a timely manner
After some research you will find that Twitter, YouTube, Instagram and other social media tools are not even mentioned in the list, but that is changing. Social media tools are going to top the HIPAA violations within the next few years unless your healthcare organization and staff are bound by a simple, easy-to-follow, and well-protected social media policy. If you haven’t heard about the story “Woman Sues Chicago Doctor, Hospital For Posting Photos Of Her Drunk In ER To Facebook” and you manage a doctor’s office, urgent care, or hospital, then now is the time for a must-do review of your policy and procedure book.
During the past three years, I had the chance to manage a healthcare organization’s brand presence, both offline and online. I can say that managing the offline presence is a little easier because most communications are internal, while taking the patients online is what makes the whole marketing and branding process a lot harder, not just because you are dealing with very sensitive medical information but because their information will become a permanent record on the web and you will have no power to remove it later.
My role within the medical center is called Chief Experience Officer; it’s not just a title for another CEO. It is a job that handles the most important responsibility in today’s experience economy, the responsibility to manage your daily patients’ service problems, contribute to building a strong corporate culture, and fulfill your brand’s promise.
I will share five practices to minimize the threats and exposure your healthcare organization could face. If these practices work at the medical practice level, then you can scale them to work at the hospital level.
1 – Keep the policy educational.
- Encourage employees to be ambassadors for your brand rather than wasting time trying to stop them from using social media. Social media networks are an extension of your online brand presence and a place where you connect your fans emotionally to your brand. The patient could visit you one time, but if the patient follows you online, the connection will mostly stay forever
- Policy awareness should start at the interview and continue through meetings and HR/PR updates. Everyone should be educated about the proper way to use their personal social media accounts and not to mix them with the hospital’s use
- Social media is an opportunity to build relationships with patients, and the brand is naturally helped by the culture. To have a culture, you need a team; make sure they have a real-time mindset. Real-time means reacting in real, or near-real, time. It’s about relevant action to solve a problem that could hurt your brand offline or online, and it’s better to manage it offline before it escalates online. Remember, the longer and higher a patient complaint lives in an organization, the more it grows
- Organize educational events inside the hospital via tweetup and Facebook to raise awareness of social media by discussing a new HIPAA violation case and how to prevent it from happening at the hospital
- To make your policy work, you need to make it friendly, simple and short. Include some tips on agenda books, hallway screens, and optional tips via text messages
2 – Keep a checklist handy.
- You want every member of your organization to know the process for asking happy patients for an online review, the URLs of your social media networks, and the rules for administering your social media accounts
- Hospitals have very strict rules regarding patient privacy. Your marketing or patient experience department needs to provide a consent form specifically for patients who don’t mind appearing on YouTube or Facebook for a testimonial. The consent must have the patient’s full name and signature, along with at least one witness. Scan the consent immediately and shred it afterwards
- Get the patient’s approval for any picture you take or video you record, even if it’s verbal, and let the patient see what you will post online, where it will become a permanent record on the web
- Try to keep patient information shared online anonymous: first name or nickname only
- Keep your video camera in a safe place. Make it accessible to a limited number of employees
3 – Get your IT department involved in crafting your policy. IT personnel understand computer networks, user permissions and privileges, and the basic ways to secure your network and prevent hacking and exposure of your shared folders to the public. Here are some of the best practices I’ve implemented.
- Always secure your computer every time you leave your workstation
- Use privacy screens on all your hospital computers
- Do not store PHI on portable devices unless they are your off-site backup devices
- Keep your practice management system passwords private
- Separate your operations network from the guest network, both wired and Wi-Fi
4 – Engage your patients offline to motivate them to come online. You don’t need consent for the following:
- Offer free vitamin B12 (Doctor’s approval needed) for patients who write a Facebook recommendation or support a hashtag of your cause
- Make a tablet accessible in the waiting room to show your patients’ testimonials and successful patient treatment stories
- Offer a free lipo-light session in exchange for sharing their visit experience on Yelp.com
- Put up signage at the gates offering directions and tips for using the hospital’s facilities when patients check in
- Offer patients exclusive access to educational webinars when they register for the hospital’s email newsletter
5 – Do not do the following:
- Do not tweet or comment on any medical information that has no trusted source, and always keep your personal opinion separate from the hospital; you can RT or mention, but use common sense otherwise
- Do not take any photo or video with your personal mobile; use the hospital’s resources only
- Do not engage in online conversations with your patients unless you are on a HIPAA-compliant medium
- Do not post any before/after pictures of patients’ procedures without trademarking them in a way that can’t be replicated
There’s no sense trying to create a social media policy from scratch (Mayo Clinic’s and Kaiser Permanente’s social media policies are available online). Many healthcare organizations have already done some of the work, so adapt their work and change it as your business and/or culture needs. Remember, the Internet revolution is still ongoing and new media tools are coming to your business whether you like it or not.
A day is coming when patients visiting your practice or hospital will record the whole visit via Google Glass and upload it to YouTube without your knowledge!