HIPAA & Social Media Rules

Have you been wondering whether your organization is in compliance with HIPAA when it comes to your employees’ use of social media? Social media is becoming more and more prevalent in our lives, and with that prevalence comes risk to your organization. In her recent Hospice & Home Care Webinar Network webinar, Nancy Flynn lays out the essential steps needed to ensure you and your employees are following HIPAA guidelines. Below are 3 key takeaways from Nancy’s webinar for minimizing risk while maximizing HIPAA compliance.

1. Have Rules in Place for Social Media Usage In and Out of the Office.

Your policy should cover what is expected in the office as well as out of the office. There is no reason your employees should use their personal social media while at work. Not only will they be unproductive, but they may also post something confidential without realizing they are doing so.

It is important that the employee responsible for posting to your business social media accounts knows what content is and is not permitted. Do not disclose any health or financial information about your organization, consumers, or customers — and make sure nothing in your post could be considered offensive or discriminatory. If a post can be taken out of context, or someone feels their privacy has been violated, you may be liable under HIPAA or other laws.

It is harder to monitor your employees’ social media when they are out of the office; however, your policy should still cover what they are and are not allowed to post. Posts about your organization, employees, or clients can be a direct violation of HIPAA and can lead to lawsuits and fines if employees do not comply. It is your duty to monitor internal, external, and personal (if your state allows it) social media to ensure employees adhere to your policies.

2. Training Your Employees

The best way to protect your organization is to train your employees on what is considered confidential, sensitive, proprietary, or private data. This may seem like a no-brainer, but unless your employees have been through comprehensive training and fully understand what information is included in these categories, they cannot be held accountable for something they were not aware of. It is your responsibility as an employer to ensure your employees not only comprehend your policy but also understand the intention of your policy.

Training should also cover the use of company and personal mobile devices. Some information may only be shared through encrypted email or another secure channel, and your policy needs to spell out which information cannot be shared unless it is encrypted.

3. Consequences of Not Following Policy

Your policy should state clear consequences for not following the guidelines you have presented. These can range from disciplinary action to termination. Once an employee has completed all required training and has read your policy, they will need to sign and date the policy, acknowledging that they have read it, understand it, and will follow the guidelines set forth 100% of the time.

In addition, your training should include the procedures to follow if an employee accidentally violates the policy. For example, what happens if an employee downloads a confidential file to their phone and accidentally posts it on Facebook? Your staff needs to know how to handle these situations, even if they are unlikely to happen.

In a world where social media is prevalent in everything we do, you must have a strong social media policy in place. Even if your organization doesn’t use social media, you cannot afford to ignore the implications it can have for your organization. To make sure your agency has an airtight policy in place, check out Nancy’s webinar, “Creating HIPAA Compliant Email & Social Media Content that Communicates Clearly with Patients & Peers.”