Privacy Officer's Roundtable

HIPAA & Social Media Marketing

  • 1.  HIPAA & Social Media Marketing

    Posted 10-05-2020 10:43 AM
    I would like your input on the following scenario please?

    A hospital-employed provider uses a third party to oversee their own social media marketing and to solicit patient reviews. The provider gives the third party the names of happy patients and then the third party reaches out to the patients on social media and asks them to leave a positive Google review of the provider.

    Is the provider allowed to give the patient's name and contact information to the third party to contact the patient if they do not have a BAA?   If they do have a BAA?  If so, should the BAA be signed by the provider or the hospital?

    Is there anything else that should be considered?

    Thank you!
    Cinda





    ------------------------------
    Cinda
    Compliance/Ethics & Privacy Director
    Ohio
    ------------------------------
    2020 SCCE Membership


  • 2.  RE: HIPAA & Social Media Marketing

    Posted 10-06-2020 06:08 AM
    So if I'm understanding correctly, this physician is considered part of the organization's workforce vs someone who just has privileges at the hospital. Based on that assumption, the answer is that the BAA would be with the hospital. However, I would consult with legal counsel first because by taking this approach you're condoning this behavior and allowing this physician to basically go rogue and contract on behalf of the organization. There was a lot of this nonsense going on in other spaces during the onset of COVID.

    My rationale for speaking to counsel first, is that there should be and perhaps is an overarching way for an organization to solicit reviews and market the organization including individual physicians. It makes it tough for an organization when individual staff members go rogue and contract on behalf of the organization for their own benefit without following policy and / or going through proper channels.

    ------------------------------
    Brenda Manning J.D., C.H.C., C.H.P.C.
    Privacy Director
    Privacy Officer
    Carilion Clinic

    The views expressed herein are my own and do not represent those of my employer. They are not meant to constitute legal advice or create an attorney-client relationship.
    ------------------------------

    2020 SCCE Membership


  • 3.  RE: HIPAA & Social Media Marketing

    Posted 10-06-2020 09:10 AM

    Thank you Jennifer and Brenda, for your responses.  I certainly will look into this more thoroughly!

    Cinda

     

     

    ******************************************* This message and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.



    2020 SCCE Membership


  • 4.  RE: HIPAA & Social Media Marketing

    Posted 10-06-2020 10:03 PM
    I would not want an employed provider acting in such an independent capacity and would stop the practice. Then we would need to perform a risk assessment to determine the level of violation that may have occurred. I would think any actions taken by the provider should be at the direction of the employer hospital and any potential BA relationship should be governed by the hospital's policies and privacy department.

    ------------------------------
    Nancy O'Neill, RN, CHC, CHPC
    Sr. Director, Corporate Compliance/Privacy Officer
    Tampa General Hospital
    Tampa, FL
    noneill@tgh.org
    Responses are my own and not the view of my organization.
    ------------------------------

    2020 SCCE Membership


  • 5.  RE: HIPAA & Social Media Marketing

    Posted 10-07-2020 07:54 AM

    Thank you Nancy!

     

    All the responses I've received have given me invaluable input and have helped me determine my next steps.  I truly appreciate this group!

     

    Cinda

    ******************************************* This message and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.



    2020 SCCE Membership