HIPAA Violations and What Your Med Spa Needs to Know

HIPAA violations must be avoided. Your med spa’s social media sites are a great way to keep in touch and communicate with your clients, but they are also a danger zone. Before you respond to a comment about how great and wonderful a patient's med spa experience was, you should be aware of the potential HIPAA-related consequences. HIPAA is the federal Health Insurance Portability and Accountability Act of 1996, and although it deals mainly with health insurance companies, the law also requires the protection of the confidentiality and security of patient information. Your med spa’s clients’ business is valuable, and so is their privacy. Make sure that you protect their personal information just as you would your own. So, when you respond to those very kind words your clients left on your Facebook page or blog, keep this piece of advice in mind: they know you, but you don't know them.

HIPAA and Social Media

Your clients might post about their wonderful experience at your med spa and mention staff members by name. That’s great, and perfectly legal. You, on the other hand, should not return the favor and confirm their statement. Confirming their statement is an acknowledgement of their status as a patient, and that is a big no-no with HIPAA. If you want to comment, saying “thank you for your kind words” should be good enough. You responded back kindly without acknowledging your relationship to them. But saying “it was great having you as a Botox patient” is revealing to the world something the patient would probably want to keep private.

Doling out medical advice in your comments can also become a HIPAA violation. If the person on the forum happens to be a current client, and during the discussion your medical staff inadvertently refers to the person as a client (“Oh yes, I remember you now. You came in for that treatment last month!”), then you have a HIPAA violation on your hands. Play it safe and don’t give out medical advice online. If your medical staff feels the need to provide medical advice to someone on the online forum, have them schedule an appointment and give the advice privately. P.S. There’s no problem posting medical articles or journals on your site or social media. This can be an alternative to giving medical advice.

HIPAA and Patient Confidentiality for Medical Spas & Aesthetic Practices

Maintaining patient confidentiality can be a difficult job sometimes, but you can make it easier by reminding your online community (in the form of a disclaimer) that your website is a public place, and that everything is visible to everyone. With that in mind, your community will at least be aware of the perils of posting information they may not want other people to know. They’ll be more cautious with their posts, and you’ll have an easier time managing the content (and therefore avoiding a HIPAA-related red flag).

HIPAA Compliant Texting

Empower your practice and staff with HIPAA Compliant Texting, which enables you to text both new and existing patients. HIPAA compliant options make it possible to enjoy the convenience of SMS texting without the risk of security breaches.

Before and After Images on Website and Social Media

Before-and-after pictures are a great way for med spas to display their expertise. But before you post those pictures, you must first make sure you have the patient’s written consent allowing your med spa to use their photos. Anonymity cannot be guaranteed by blacking out the eyes or showing only the body. Do it right and ask the client for permission to use the pictures. Remember, nothing is private online. Utilize social media to promote your med spa business, but make sure to safeguard your clients’ privacy.