
HIPAA and Private Messaging on Social Media Platforms
July 28, 2023

Private messaging on social media platforms is becoming increasingly popular as a way for businesses to communicate with their customers. It offers convenience and accessibility, especially for businesses where time is of the essence. Unfortunately, due to HIPAA regulations, healthcare providers can’t simply use these tools the way most other types of businesses can. In this blog post, we will discuss why private messaging on social media platforms can be problematic for HIPAA compliance and what healthcare providers can do to ensure they are using these platforms correctly.
Before we continue, please be aware that we are not lawyers and this does not constitute legal advice. Please consult with an attorney if you have questions or concerns about HIPAA compliance.
Understanding HIPAA Laws
HIPAA laws were implemented to protect the privacy of patients’ medical information, including any communication between healthcare providers and patients. Therefore, sending medical information over social media platforms is a violation of this law, unless patients have given their explicit consent to communicate through these channels and understand they are waiving those protections. Healthcare providers need to ensure they understand HIPAA laws and how they apply to social media platforms before using them to communicate with patients. These rules are often more complex than providers and practice administrators are aware. Violations of these rules have led to two-year corrective action plans with the Department of Health and Human Services Office for Civil Rights. These include significant fines as well as monitoring of HIPAA programs. Learn more about these situations here and here.
Why using Social Media Private Messaging is Problematic from a HIPAA Perspective
In order to comply with HIPAA regulations, healthcare providers must ensure that any third-party software vendor or company they use signs a BAA (Business Associate Agreement). A BAA establishes a legally binding relationship between HIPAA-covered entities and their business associates to ensure complete protection of PHI exchanged between patients and their providers. This type of agreement is necessary whenever a business associate could potentially access PHI in the course of its work. However, the major social media platforms will not sign a BAA, and therefore you should steer clear of sharing any PHI through them.
While private messaging on social media platforms may appear more secure than, say, posting information on a public page, these tools are not secured in the manner HIPAA requires for protecting conversations with patients. Before using these tools, the patient must acknowledge that they understand the tool does not meet HIPAA security requirements and that they want to use it anyway.
Maintaining HIPAA Compliance on Social Media
Because social media platforms do not sign BAAs with healthcare providers, it’s best to keep any PHI out of private messages. There are two options for doing this. Regardless of which method you choose, all HIPAA privacy and security policies such as these should be in writing. Furthermore, your staff must be trained to understand them.
Turn off Private Messages Altogether
This is the safest option to ensure HIPAA compliance. The process varies by platform; below are links explaining how to turn off PMs. The downside to this option is that patients and potential patients will not be able to message you with general questions, such as inquiries about your hours and availability, directions to your clinic, etc. Therefore, we recommend that you have an extensive FAQ page on your site that you link to prominently from your social media pages, as well as a robust “About us” section on your social media page with all of your general information. (Note: Instagram and Twitter do not have a native way to turn off messaging altogether; the articles below cover various ways to limit messages.)
Implement Automatic Replies on Social Media Private Messaging
If you would rather not remove the ability to message with patients and prospective patients altogether, you might consider setting up an auto-reply message stating your policies around PHI so that when a patient messages you, they know what you can and can’t reply to in messenger. The content of this reply should be carefully written. You should consider seeking the advice of an attorney or HIPAA consultant who can make sure the message is properly stated.
Conclusion
While the use of social media platforms in healthcare has several advantages, it also presents significant risk if not used within HIPAA guidelines. To protect the privacy and confidentiality of patients, healthcare providers must implement secure, HIPAA-compliant communication methods. As technology continues to advance, it is essential for healthcare providers to stay informed about HIPAA laws and remain vigilant in mitigating any potential risk when using social media platforms. By following these guidelines, healthcare providers can communicate with patients, maintain the confidentiality of health information, and comply with HIPAA laws.
Additional Resources
- Privacy Questions Everywhere – Ep 304 (from Help Me with HIPAA)
- 5 Steps For Securing Your Social Media – Ep 339 (from Help Me with HIPAA)
- Social Media and PHI as Oil is to Water – Ep 226 (from Help Me with HIPAA)
- Amazon, Facebook, and PHI oh my! – Ep 369 (from Help Me with HIPAA)
- HIPAA Compliant Apps – Ep 303 (from Help Me with HIPAA)
- The HIPAA Guide: Is Facebook Messenger HIPAA Compliant? (from The HIPAA Guide)
- The HIPAA Journal – Is Facebook Messenger HIPAA Compliant? (from The HIPAA Journal)
- Is Google Hangouts HIPAA Compliant? (from JotForm)
- Is Google Workspace HIPAA Compliant? (from Compliancy Group)
- Responding to Reviews and HIPAA (from ReviewTrackers)
- Is LinkedIn HIPAA Compliant? (from Paubox)
- Social Media HIPAA Compliance: The Ultimate Guide (from Paubox)
© 2026 WebForDoctors