A photo used without patient permission, discussing a patient’s treatment, revealing insurance information—most dental professionals would understand these as blatant violations of HIPAA on social media. But it turns out that some violations are much more subtle than that.
At the 2023 Yankee Dental Congress in Boston, Kelly Koch, director of dental relations at Compliancy Group, discussed social media best practices within the overall umbrella of HIPAA compliance. Speaking to a full room, Koch addressed such topics as dealing with reviews appropriately; the different reasons that an updated and compliant website can attract more dental patients; some social media dos and don’ts; and subtle ways you could be in violation of HIPAA on social media without realizing it.
Yelp and other reviews
Dentists are searched more on Yelp than even restaurants, says Koch, and the temptation to respond to reviews can be powerful. But she cited several examples to keep in mind if you decide to comment on a patient review, including that of a privately owned dental practice in Texas that was fined $10,000 for revealing a patient’s full name, insurance information, treatment plan, and cost information in its response.
“Respond, but be careful,” she said, adding that even unintentionally sharing protected health information (PHI), which includes information related to a patient’s treatment and payment information, is a HIPAA violation.
In fact, she said, it’s actually a violation to respond to a patient's online review using any language that supports or confirms they’re a patient. “Anything revealing PHI can place a practice at risk for not complying,” she said.
She provided several examples of responses to a review that seem benign but are in fact HIPAA violations. For example, it’s appropriate to say “thank you,” but not “thank you for coming in,” as that confirms the person is or was a patient.
Bottom line? “The only permissible way to respond is with a thank you or asking the patient to contact your office,” she said.
Update your social media and website
Social media channels that you don’t use much or websites that don’t have current information are problematic in several ways. They can give the impression that your practice, like your online presence, is outdated. A poor online presence is also a missed opportunity for providing valuable information to patients and giving them a peek at your practice culture.
But there’s another reason to keep your web presence updated that you might not have thought of: It helps reassure patients that you’re covering your bases with their information. “Patients worry about HIPAA violations,” says Koch. An updated online presence helps them feel that “your website is secure.”
Other social media dos and don’ts
Other tips and best practices to help dental pros with HIPAA compliance and their social media presence include:
- Google yourself. “The internet’s a scary place. You want to know what’s out there about you,” Koch said.
- Consider using social media experts to boost and maintain your online presence.
- Maintain updated use and disclosure statements for posting any photos, patient testimonials, etc.
- Keep your social media responses anonymous. Always respond to feedback from the practice, not a personal account.
- Don’t delete the (hopefully very occasional) negative reviews you get. “Everyone has a bad day,” she says. “It shows reality and being human.”
Practices to avoid include:
- Don’t email or text patients without their consent
- Don’t alter consent
- Don’t repeat or use PHI, or reply or use PHI
- Don’t reply or post information that confirms the identity of a patient
- Don’t respond to a patient’s sharing of their diagnosis or service