Social Media HIPAA Compliance Risks for Dentists (and How to Solve Them)

January 23, 2023 by AACD Executive Office

Can you actually be on social media and be HIPAA compliant? The thought makes most dentists shudder. But the truth is you absolutely can! You can unlock the power of social media by sharing genuine patient stories and interactions while successfully navigating proper HIPAA compliance. It may sound intimidating, but there are ways to avoid social media HIPAA compliance risks and enjoy sharing your practice at the same time.

For now, let’s put the focus on social media and HIPAA compliance, but you can also check out more resources for a dentists’ guide to HIPAA compliance websites.

Why social media is worth the “risk”

When it comes to social media and patients, your first thoughts might be to steer clear. However, doing so would mean missing out on a huge opportunity to connect with current and new patients, and your local community. An effective social media marketing strategy can help sustain and grow your practice.

As straightforward as it may sound, the social part of social media is what will be most beneficial for your dental practice. By being active on social media you can:

  • Get more reviews and recommendations
  • Respond to questions and patient concerns
  • Manage your practice’s reputation
  • Connect with the greater community
  • Welcome and encourage new patients
  • Build relationships with patients

Personal references and recommendations are some of the most powerful tools for driving new business. By getting your dental practice active on social media, you can be part of that conversation. You can also respond to questions and provide support to patients quickly and conveniently. Plus, 71% of people who have a positive interaction with a business on social media are more likely to recommend them. Staying active on social media means building a better reputation for your practice.

Why does being on social media matter to your patients?

Choosing a new dentist is intimidating. By curating a social media presence, you can give a potential client a peek inside your practice, introduce your staff, and put their nerves at ease before they even have their first appointment.

Plus, your current patients can enjoy the support and encouragement from your practice while staying aware of special events, promotions, and dental health education. Building relationships with your patients does not have to be restricted to scheduled visits.

Best Practices to be the Best Practice on Social Media

Effective social media marketing involves more than just posting regularly. To create a real, human experience on your social media, you should be choosing actual photos of patients and staff over stiff, staged stock photos. And don’t forget the importance of including videos in your social media content. This could entail jumping on trends, giving tours of the practice, introducing staff, or providing helpful dental tips. Social media platform algorithms favor video content, so you may want to allocate some resources to this type of content creation.

Making personalized posts and including videos can bring so much life to both your social media and your website as long as you are HIPAA compliant. HIPAA guidelines protect your patients and your practice and should be at the forefront of your mind any time you post online. Make sure you and your staff are fully trained on proper dental HIPAA practices and what is and is not appropriate to post, comment on, or share on social media.

Biggest HIPAA Compliance Risks for Dentists on Social Media

Any personal information you collect from your patients, AKA ePHI (whether that’s contact information, medical records, or photos you take), is protected under HIPAA.

You can have a successful, fun, and vibrant social media presence with proper dental HIPAA compliance by preparing for and avoiding these risk factors.

  1. Posting gossip or patient stories (even without their name)

Sharing any identifiable information about a patient is a violation of HIPAA. This includes patient stories, medical images, or photos of patients—even if they are in the background or you cannot see their faces.

To minimize the risk of posting something that violates HIPAA on your practice’s social media, make sure your entire team is well-trained on proper social media practices, including what they post to their personal accounts. Something that seems harmless like telling a funny story about a patient can actually be a serious HIPAA violation. Also, only assign one or two people to be in charge of managing your social media accounts. Permit them some time daily to interact with your followers, answer comments and messages, and plan future content.

  2. A device carrying Protected Health Information (PHI) is lost or hacked

The most common way that medical professionals get into trouble is if their personal device is lost, hacked, or stolen. If PHI is stored on that device without being encrypted, they could easily face consequences.

Pulling out your phone and snapping a photo may feel like the simplest way to gather content for your social media or website, but you need patient permission every time you take a photo.

Let’s say you or a team member snaps some photos throughout the day. It doesn’t matter if those photos are never meant to be shared—if they leave the practice at the end of the day with those photos still on their device (without being encrypted) they violate HIPAA.

Using a HIPAA-compliant, encrypted photo-storing process will protect you against this risk. My Social Practice’s dental photo storage app makes this process super simple. Patients can approve photos and sign a HIPAA form and/or post photos to their own account all within the app, making sure the photos you take are protected.

  3. A photo or information is shared without the patient’s written consent

If a photo or any identifying information is shared on social media without a patient’s consent, they now have the right to contact the Office for Civil Rights (OCR). The OCR is responsible for enforcing HIPAA regulations and can investigate complaints of privacy violations. They can also report to the dental board or seek legal action.

In many cases, sharing information without a patient’s written consent will result in negative comments and reviews online, damaging the practice’s reputation. A patient could simply ask for an apology and for the image to be removed, but it’s not worth taking the risk of posting without consent.

Avoid being caught in any of these situations by having patients sign a new dental HIPAA form before posting anything that includes information about them.

  4. Employees who are unfamiliar with HIPAA guidelines post on social media

One of the biggest compliance risks is simply being uninformed about HIPAA guidelines. Whether your dental team is posting on the practice’s page or a personal page, everyone should be familiar with the types of information that are in violation of HIPAA. This includes photos, comments, messages, and stories about patients, even when their names are not used. Don’t assume employees know what is and what is not acceptable to say or post. Give your team a thorough understanding of proper social media practices.

Training on proper HIPAA compliance should be an ongoing process within your practice. Review it regularly and with any new hires. Give access to the practice’s social media accounts to only one or two people.

What Happens When a Practice Shares Something without Consent

If PHI is posted on social media without a patient’s consent, your practice could face serious consequences.

The Office for Civil Rights (OCR) can impose significant financial penalties for HIPAA violations, with fines ranging from thousands to millions of dollars. In some circumstances, HIPAA violations can be considered criminal offenses and could lead to additional fines and/or imprisonment.

It can be especially damaging to your practice’s reputation and affect your business. Patients may lose trust in the practice and seek dental care elsewhere. This could also lead to bad reviews online. Patients can also take legal action for a HIPAA violation on an individual basis, resulting in costly settlements and legal fees.

In the most extreme cases, the dental board can revoke a dentist’s license for HIPAA violations.

To avoid the consequences of a HIPAA violation, make sure you have a HIPAA compliant dental website and social media. With the right policies, procedures, and tools in place, you can manage your dental practice’s social media accounts confidently.

Policies to Have in Place

In summary, a successful social media experience for your practice is founded upon a solid understanding of how to safely follow all HIPAA regulations. In order to avoid compliance issues, be sure to follow these tips:

  • Review this guidance on HIPAA risk analysis. In particular, pay attention to the questions about how you manage your ePHI (electronic Protected Health Information).
  • Create a social media policy for you and your staff. This should include who can post on behalf of the practice, when to take pictures or videos, how to store them, and a dental office photo release form.
  • Do not take photos or collect any PHI on personal devices unless properly encrypted.
  • Have patients sign a new HIPAA form before sharing photos.
  • Encourage patients to share photos on their social media (this removes the risk for your practice)

Regularly review your social media policy and best practices with your team to ensure compliance.

You can have a HIPAA-compliant social media presence

Yes, there will always be risks, but you can prepare yourself and your dental staff to successfully interact with your patients and your community on social media while staying HIPAA compliant. Being active on social media is a great way to bring your dental practice to life, and make going to the dentist feel more enjoyable. Share the fun dynamic of your office, use your expertise to educate your audience in an engaging way, and watch your practice flourish online. 

Simplify your content collection process by downloading My Social Practice’s printable social media consent form. Then you will always be 100% HIPAA compliant 100% of the time!
