I Know Who You Are, and I Saw What You Did
Social media, your practice, ethics and laws
By Nancy J. Beckley, MS, MBA, CHC*
Who isn’t on social media?
Therapists on social media platforms such as Facebook, Twitter, LinkedIn, and Instagram are in good company. Have you “connected” with the Office of the Inspector General (OIG), the United States Department of Justice (DOJ), CMS, your Medicare Administrative Contractor, your representatives in Congress, the APTA? It seems everyone is on social media, so all must be okay, correct?
Have you joined Facebook Groups? Many are devoted to topics of interest to the physical therapist: general groups targeting new physical therapists and clinical practice questions; specific groups targeting those learning how to enroll in Medicare and submit a claim; groups for those involved in cash-based only physical therapy, and on and on. Some groups allow for “joining” instantly; others require that you “request” to join and answer a few questions in order to be approved. “Private” groups are more exclusive; they require an invitation and an approval, and an underlying paid membership. Do you think private groups are really private? Maybe you, as the practice owner, do not actively participate in therapy groups, but do you know what your employees are doing online that may reflect on your practice?
Are you already wondering where to start? It’s impossible to consider every law and context, so this article will focus on just a few different scenarios.
HIPPA Privacy Considerations
Under the Health Insurance Portability and Accountability Act (HIPAA), patients have a right to privacy, and providers are required to give patients a Notice of Privacy Practices (NPP), which is adhered to by you and your staff. This example demonstrates the significant consequences of not understanding HIPAA:
The Office of Civil Rights (OCR) received a complaint alleging that a California physical therapy practice “had impermissibly disclosed numerous individuals’ protected health information (PHI), when it posted patient testimonials, including full names and full face photographic images, to its website without obtaining valid, HIPAA-compliant authorizations. OCR’s investigation revealed that the practice: Failed to reasonably safeguard PHI; Impermissibly disclosed PHI without an authorization; and Failed to implement policies and procedures with respect to PHI that were designed to comply with HIPAA’s requirements with regard to authorization.”
This physical therapy practice agreed to settle violations of the HIPAA Privacy Rules with OCR. The settlement agreement was an admission of civil liability by the practice. They were required to pay a $25,000 fine, adopt and implement a corrective action plan, and annually report compliance efforts for a one-year period. Is someone in your practice posting pictures? Are they for marketing purposes? Are the pictures for the purpose of requesting advice on clinical interventions?
Every posting on social media about a patient carries the risk of an impermissible disclosure and/or breach. Do you post pictures of patients without the requisite permission and authorization as required under HIPAA and other privacy laws? Do your employees describe a case online and ask for clinical guidance without understanding the risk to your practice from the Office of Civil Rights?
Seeking and Giving Coding and Billing Advice:
Have You Just Admitted to Submitting a False Claim?
Therapists often seek billing and coding advice on Facebook and may reveal practices that are in violation of Medicare policy, federal laws, or other payer policies. Consider this: “Even though dry needling is not a covered service under Medicare, we bundle it with manual therapy and use that code; we have no trouble getting reimbursed by Medicare.” Providers may also see advice about how a therapist, who is pending Medicare enrollment and credentialing with various health plans, can treat patients and bill for services. A recent response to this frequent question was “We have the new therapist treat all patients, but hold the claim for Medicare, and bill under another therapist that is credentialed for other plans.” So when the managed care fraud enforcement specialist (yes, managed care plans have fraud enforcement departments) sends an official letter (or appears at your clinic to conduct an investigation) demanding to know why you submitted a false claim in violation of state insurance laws and provider policy, it is not likely that a screen shot of the original poster’s advice will be of any help in mitigating potential liability.
Have postings from employees revealed your practice’s coding and billing policy, and will this inadvertently subject your practice to an audit and/or investigation? Consider posting like this: “I am doing an affiliation at a private practice right now, and we have been told that if a Medicare patient is double-booked, that we should bill the Medicare patient for group therapy, and if the other patient is not Medicare, we should bill for 1:1 services.”
After reviewing these samples, what would your intent be at your practice? How would you incorporate “prevention” into your social media policy? How do you respond to employees who have violated your Code of Conduct or social media policy? Consequences should be spelled out in your employee handbook, and going over social media policy should be part of a new hire’s training. Social media postings may unintentionally be in violation of federal health care laws as well as federal and state privacy laws. What happens on Facebook, stays on Facebook forever! Does your practice have a social media policy?
1https://socialmedia.mayoclinic.org/2012/04/05/a-twelve-word-social-media-policy. Accessed Sept. 8, 2019.
Nancy J. Beckley, MS, MBA, CHC, is certified in Healthcare Compliance and provides consulting services to therapy practices on developing and implementing compliance programs, responding to audits and investigations, and due diligence support for mergers and acquisitions. She is located in Milwaukee, Wisconsin. She can be reached at firstname.lastname@example.org.
*The author has a professional affiliation with this subject.