Your med spa’s social media accounts are a great way to stay in touch and communicate with your clients. But before you reply to a comment about how great and wonderful a client’s med spa experience was, be aware that a careless response can itself have harmful consequences. Those consequences relate to HIPAA.
HIPAA is the federal Health Insurance Portability and Accountability Act of 1996. Its original focus was health insurance portability, but its Privacy and Security Rules require covered entities (health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with standard transactions) and their business associates to protect the confidentiality and security of patient information. A med spa that qualifies as a covered entity is bound by those rules, and even one that does not is generally still subject to state medical privacy laws and professional confidentiality obligations. Your clients’ business is valuable, and so is their privacy. Protect their personal information just as you would your own.
So, when you respond back to those very kind words your clients left on your Facebook page or blog, keep these things in mind:
THEY KNOW YOU, BUT YOU DON’T KNOW THEM
Your clients might post about their wonderful experience at your med spa and mention staff members by name. That’s great, and perfectly legal: a patient is free to disclose their own information. You, on the other hand, should not return the favor and confirm their statement. The fact that someone is your patient is itself protected health information, so confirming it is a disclosure, and that is a big no-no under HIPAA. If you want to comment, “thank you for your kind words” is enough. You have responded kindly without acknowledging your relationship to them. Saying “it was great having you as a Botox patient,” by contrast, reveals to the world something the patient may well want to keep private.
ADVICE IS A DISH BEST SERVED IN PRIVATE
Your med spa’s site might have a discussion forum. That in itself is not a problem, but when your staff start to dole out medical advice in it, trouble can follow. One way this becomes a HIPAA violation is when the person asking happens to be a current client and, in the course of the discussion, your medical staff inadvertently identify them as one (“Oh yes, I remember you now. You came in for that treatment last month!”).
Play it safe and don’t give out individual medical advice online. If your medical staff feel the need to advise someone who has posted on the forum, have them schedule an appointment and have that conversation privately.
P.S. There’s no problem posting general medical articles or journal summaries on your site, as long as they are not tailored to an identifiable patient. This can be an alternative to giving individual medical advice.
DISCLAIMERS (AKA C.Y.A.)
Maintaining patient confidentiality online can be a difficult job, but you can make it easier by reminding your online community, in the form of a disclaimer, that your website is a public place and that everything posted there is visible to everyone. With that in mind, your community will at least be aware of the perils of posting information they may not want other people to know. They’ll be more cautious with their posts, and you’ll have an easier time managing the content and avoiding a HIPAA red flag. Keep in mind that the disclaimer only governs what visitors choose to share about themselves; it does not relieve you or your staff of the obligation to protect what you know about them.
PICTURES ARE WORTH A THOUSAND VIOLATIONS
Before and after pictures are a great way for med spas to display their expertise. But before you post those pictures, make sure you have the patient’s written authorization allowing your med spa to use those pictures for that purpose; using patient images for marketing requires it. Blacking out the eyes or showing only the body does not make an image anonymous: scars, tattoos, jewelry and other distinctive features can still identify a person, and under the HIPAA Privacy Rule full-face photographs and comparable images are themselves treated as identifiers. Do it right and get the client’s written permission before you post.
Remember, nothing is private online. Use social media to promote your med spa business, but make sure to protect your clients’ privacy.