Part 2: Keeping Healthcare Social Media Compliant: 3 Areas of Focus
According to the Society of Corporate Compliance and Ethics (SCCE) and the Health Care Compliance Association (HCCA), social media compliance risk is one of the top five “hot topics” for compliance and ethics professionals in 2016. And for good reason: according to the Department of Health and Human Services, the majority of HIPAA violations in recent years have resulted from employees mishandling Protected Health Information (PHI). Many of these incidents occur through inappropriate social media sharing and can result in HIPAA penalties including fines from $100 to $1.5 million, or criminal penalties including fines of up to $250,000 and 10 years in prison. The financial impact is not limited to fines: damage to an organization’s brand reputation can be significant, hard to quantify, and take years to repair. Other punishments targeted at individuals can include loss of a medical license or termination of employment.
This is why the important topic of social media is next up in our series on maintaining compliance when marketing in healthcare. When it comes to social media, there are three primary areas where you should keep a crisp focus: HIPAA, FTC rules, and Medicare.
HIPAA Compliance in Social Media
There is a clear and simple rule of thumb when it comes to HIPAA-compliant social media posts: it’s ok to talk about medical conditions, treatments and research. It’s not ok to talk about specific patients or their personal health information. There are very specific circumstances under which a patient can consent to having their information shared, but for the purpose of this article, we will say “don’t.”
Here are a few examples of common social media HIPAA violations:
- Sharing photographs, or any other form of PHI, without written consent from the patient. (A patient can post a self-identified picture on a company social media page, but it is not ok for the company to post that same picture or use it for other purposes without written patient consent.)
- Posting information about a patient to unauthorized individuals, even if the name is not disclosed.
- Sharing comments or pictures that even inadvertently have PHI visible (such as a patient file in a corner of the picture).
The way to avoid these mistakes is thorough employee training on your organization’s HIPAA Privacy and HIPAA Security policies, delivered at hiring and on a regular annual basis (at a minimum). Social media policy should be well defined as part of this training, covering use during both working and non-working hours, and personal and professional profiles should be kept separate.
Here’s what to do if a HIPAA breach occurs on social media:
- Immediately report to your compliance officer what happened and when, including the date the breach was discovered.
- Notify all parties affected by the breach, including the individuals affected, covered entities and their business associates. This must occur without unreasonable delay and no later than 60 days after discovery.
- Your compliance officer should ensure that the appropriate notification procedures are followed, including providing notice to the Secretary of HHS and to the media if the breach involves more than 500 individuals.
- Employees involved in the breach should be re-trained on HIPAA Privacy, HIPAA Security and any additional social media policies and procedures (at a minimum).
Federal Trade Commission Rules
When it comes to the FTC, disclosure is the word of the day. There are many different ways that social media posts can be considered endorsements of a particular drug, procedure or treatment. In many cases, the FTC is ok with this, as long as the disclosure of the endorsement is very clear in the post. Typical disclosures include phrases like “Company X provided this product for me to try.” We highly encourage you to review the FTC guidelines to get a feel for the specifics of what is considered an endorsement and how to disclose it. You should also include phrases like “Not medical advice,” “Not for emergency use,” or “Consult your physician” to further limit your liability.
Medicare Compliance in Social Media
There are very specific marketing guidelines when it comes to Medicare and social media. Some of these include:
- Agents cannot make unsolicited contact through social media for the purpose of enrolling a Medicare beneficiary in a Medicare Advantage or Prescription Drug Plan.
- Set profiles to private and advise beneficiaries to move to a private form of communication before discussing their unique situation.
- Stay away from false claims (obviously), but also from exaggerations and partisan information.
- Remember that anything you post could be reviewed by the Centers for Medicare and Medicaid Services (CMS) for compliance if it ultimately led to a sale. It’s a good idea to have CMS review anything you post in advance to ensure compliance.
The information we’ve shared is by no means comprehensive. We encourage you to review the HHS, FTC and Medicare guidelines for more information. It’s also smart to consult a HIPAA lawyer to ensure every move you make on social media remains in strict compliance with the law. For a free audit of your healthcare marketing email process, contact us, and stand by for our next topic in the series: healthcare search marketing compliance.