The Legalities Behind HIPAA and Social Media

Posted By Mike Meyer, Monday, July 22, 2019

By Alex R. Thiersch, JD, CEO of the American Med Spa Association (AmSpa)

A well-executed social media campaign can be extremely beneficial to a medical aesthetics practice. Millions of businesses use social media channels—such as Twitter, Facebook and Instagram—to increase their brand awareness, and successful social media campaigns can help build strong bonds between practices and their patients.

Unfortunately, medical aesthetic practices and medical spas are particularly susceptible to certain types of social media violations that can attract the attention of the federal government, and investigators will not care whether or not you were aware of these transgressions. You must educate yourself about what you can and can't post on social media channels to stay on the right side of health care privacy laws.



Understanding Your Identity

It's important that medical aesthetic and medical spa physicians, owners and operators understand that these practices are, in fact, medical institutions—unorthodox medical institutions, certainly, but medical institutions nonetheless. However, they exist in an unusual market. The services they offer are elective, so they typically market themselves in ways that traditional health care outlets do not. They often present their services as commodities, in much the same way as outlets such as traditional spas and salons do. And because the medical aesthetics market is expanding, there is a great deal of competition for a prospective client's attention, so marketing campaigns need to be cost-efficient and effective.

This is why many medical aesthetic practices and medical spas turn to social media to help publicize their businesses. However, it is shockingly easy for such a practice to expose itself to patient privacy issues with even the most harmless-seeming social media activity.

An Introduction to HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a piece of legislation that regulates the many ways in which the business of health care is conducted in the United States. Since its adoption, however, it has become virtually synonymous with the issue of patient privacy. HIPAA's Privacy Rule prohibits medical institutions from sharing protected health information, which it defines as anything that can be used to identify a patient. This includes any information at all that could possibly reveal the identity of the patient—his or her e-mail address, street address, name, birth date, Social Security number, etc. All this must be kept completely confidential.

If a medical institution is found to have violated HIPAA, it may be subject to very substantial fines—sometimes hundreds of thousands of dollars per violation. Additionally, many states enforce even stricter patient privacy statutes, so medical institutions must go to great lengths to ensure that absolute patient privacy is observed at all times.

See No Evil

There are three major ways that medical aesthetic facilities and medical spas often violate patient privacy laws on social media without even being aware of it.

1. Publicly reaching out to a patient. If you are connected with clients via a social media channel, such as Facebook or Twitter, it might seem like a good idea to reach out to them after a visit to publicly thank them for coming in. Ideally, this could build a relationship with these clients and entice their friends to follow suit. Unfortunately, this seemingly innocuous act may constitute a violation of HIPAA (and possibly a gaggle of state laws), because you're revealing that the person is one of your patients.

You can still thank your patients via social media; however, you just need to be very careful about how you go about doing it. Consider reaching out to your patients using the private messaging feature of whichever social media platform you are using. You will not be able to reach your client's friends, but you'll still strengthen your relationship with your client. However, as any number of disgraced celebrities will tell you, it's very easy to post something to the public that you intended to keep private. Use extreme caution if you decide you want to attempt this.

Also, if you're starting a Facebook campaign, establish a fan page rather than a standard user page. That way, your facility's followers won't be visible to users.

2. Publicly responding to a positive comment from a patient. Let's say that one of your clients posts the following on your practice's Facebook wall: "Had a great Botox treatment here today!" You may be inclined to post a response, such as: "Thanks! We hope to see you again soon!" However, it is important to understand that even this can represent a breach of a patient's privacy, since you're confirming that your practice provided the customer with treatment.

This is an emerging legal issue that has yet to be put to the test by litigation, and it could be argued that, by publicly posting that message, the patient is tacitly waiving his or her HIPAA protection. Unfortunately, HIPAA and other state-based privacy laws are very strict, so it's probably not a good idea to test them.

You can attempt to avoid falling into this trap by stating on your social media channels that, although you appreciate all comments, the best way to deliver them is via e-mail or to call the practice directly. If you do this, you can avoid appearing unappreciative and reduce your potential exposure to patient privacy violations. Alternatively, you can try to draft a form that acknowledges that a patient who signs it wishes to waive his or her HIPAA protection for social media; however, this form would need to be very complex in order to stand up to legal scrutiny.

3. Responding to negative reviews. Yelp is a social media service that allows users to rate the experiences they have with businesses. As of the fourth quarter of 2015, more than 86 million unique visitors per month use mobile devices and 75 million unique visitors per month use desktop computers to refer to Yelp's more than 95 million user-generated reviews, so make no mistake: This service is immensely powerful. The success or failure of businesses can be determined by their Yelp reviews alone.

This can empower ordinary people and, ideally, lead businesses to provide exceptional service to everyone. Yelp even encourages the businesses that are critiqued to become part of the conversation, allowing owners and operators to respond to reviews and engage with users.

Unfortunately, Yelp's enforcement of its user content guidelines is spotty, so it can have a dark side for businesses. Some reviews are unfair, made by people who have ridiculous expectations or axes to grind. Additionally, some Yelp users post negative reviews if they aren't allowed to pay the prices they want to pay for products and services, regardless of whether those prices are reasonable. And those negative reviews can impact prospective customers—even if a business has a preponderance of four- and five-star reviews, readers are often compelled to peruse the handful of one-star reviews for entertainment purposes or to familiarize themselves with the worst-case scenarios.

Most businesses have recourse for dealing with problematic Yelp reviews—they can openly engage critical users using the service and attempt to demonstrate that they've done nothing wrong. The owners and operators of medical aesthetic practices, however, absolutely cannot respond to these posts, because if they do, they could identify unhappy users as patients, thereby violating patient privacy statutes.

The best way for medical spas to combat bad Yelp reviews—the only way, really—is to encourage satisfied customers to post positive reviews. Unfortunately, this means that you're essentially asking customers to work to promote your business for free, but there is little else that can be done to address the situation without violating patient privacy laws.

Given the importance of Yelp and the lack of a level playing field regarding its reviews, the owners and operators of medical aesthetic facilities may be tempted to engage in what is known as "astroturfing"—using employees or associates to post fake positive reviews in order to bolster ratings. However, they must resist that urge, as astroturfing can be interpreted as consumer fraud. New York state regulators recently issued enormous fines to several facilities for astroturfing.

The Final Word

Social media can be a valuable tool in the promotion of a medical aesthetic practice, but its use can also be fraught with peril. Owners and operators of these practices should make sure that everyone involved in their social media campaigns—as few people as possible, ideally—understands that it is critically important that patient privacy be respected at all times. Few practices can survive the penalties associated with these violations, so they must be avoided at all costs.
