Patient Privacy (HIPAA)
UF Health Social Media Best Practices

Social media managers are responsible for monitoring their channels during and after business hours. You must set push notifications from the social media accounts you manage manage. When possible, you should set privacy settings should be set so that users may not upload their own photos or videos to our page or channel.

Unless a patient has completed a media release form, do not post patient information, even if you think you have “de-identified” it. It often is possible to identify patients even if you do not include their names or other obvious identifying information. Realize that details, such as your name, your place of work/study and the date/time stamp can make it easy to identify patients you describe, particularly to the patients themselves and their families and friends.

UF Health has very specific guidelines to taking video and photos within the hospital and clinics. Please reach out to the UF Health social team if you ever have any questions or concerns.

Obtain a Media Release Form

To have a patient complete a media release form, please contact:

Ken Garcia
Media relations specialist
352-273-9799
kdgarcia@ufl.edu

Protected Health Information

Protected health information includes photographs and videos of the patient, even if the patient asked for the photo/video to be made or consented to it being made. It is best to return such photos to the patient, as long as no other patients are in the photos. A media release form from UF Health Communications must be completed prior to sharing any photos or videos, including with a patient. Please see Core Policy 01.072 – Photography and Audio Recordings at UF Health Shands for further guidance.

  • Posting one’s own PHI – If an individual identifies himself or herself as a patient and then voluntarily shares his or her own PHI with the audience via a comment, we may allow the comment to remain on the site. 
  • Posting of another’s PHI – Comments, photos, videos or any other type of content containing PHI pertaining to another person (e.g., comments about a friend or neighbor), must be deleted immediately by the page administrator or their designee when discovered. See exception pertaining to parents/legal guardians commenting about their own children below.

Before deleting content, please take a screenshot and send the image to UF Health Communications, along with a note of when the content was deleted and why.

Exception: UF Health social media sites may allow parents of minors to post comments containing the PHI about that parent’s own child when there is a clear admission that the “poster” is that parent of the minor. Such comments, although permissible, may be removed per additional removal criteria listed below.

Posting of Super-Confidential Health Information

  • Comments containing super-confidential health information, regardless of who posts the information, must be deleted immediately when discovered. Super-confidential health information: Certain health information incurs an additional layer of confidentiality. This includes information pertaining to diagnosis, treatment and/or examination related to Mental Health; Substance Abuse (including drugs or alcohol); HIV/AIDS (and testing of); Sexually Transmitted Diseases, and Genetic Information as defined and protected by specific federal/state laws and regulations.

Humanitarian/Overseas Trips

  • Patients treated on international humanitarian trips have a right to privacy, even if they were treated outside of the U.S. Treat these patients’ identities and medical information, as well as photos, videos and audio recordings featuring them, with the same respect you would show those of a patient receiving care in the United States. Disclosing information about a patient treated in another country could be a violation of that country’s privacy laws, as well as U.S. and Florida laws and UF and UF Health Shands policies. See also: the UF Social Media Use, Guidelines and Policy Implications document on the UF HR website (http://www.hr.ufl.edu/emp_relations/policy/social_media.asp https://hr.ufl.edu/forms-policies/policies-managers/social/) and UF Health Shands Social Media Policy (HR#322). Before you post information, pictures/videos, recordings featuring patients from an international humanitarian trip, please contact the appropriate Privacy Office for approval. Official UF visits to other countries may invoke national privacy protections different than those in the United States. When data are collected and exported, for example individually identifiable photographs, the national laws of the country visited must be followed.

Confidentiality of student and applicant records

  • Federal laws (including the Federal Education Records and Privacy Act, or FERPA), Florida law and UF regulations governing the confidentiality of student (education) and applicant records (and information from such records) apply to social media use. Information from student, alumni or applicant records (including but not limited to academic records, disciplinary records, correspondence through e-mail or other means, or any other records concerning students at the University of Florida or applicants to the university) should never be released via social media. For more information about the privacy of student and applicant information, please view the following resources:

Research and intellectual property

  • Releasing unpublished research data or unprotected intellectual property would impair its protection. In keeping with UF’s Intellectual Property Policy ( https://generalcounsel.ufl.edu/media/generalcounselufledu/documents/Intellectual-Property-Policy.pdf) and UF Health Shands Intellectual Property policy (HR 313), you may not release unpublished research data or unprotected intellectual property through social media.

Other forms of restricted information

  • Revealing other forms of restricted records, data or information via social media is strictly prohibited. Records so protected include but are not limited to Social Security numbers, financial information, employee medical information, limited access employee records pursuant to Section 1012.61, Fla. Stat., trade secrets, copyrighted materials, and other materials that the university has agreed shall be maintained confidentially.

Misrepresentation

  • You may not portray yourself as acting on behalf of the university or any part of the university, such as the academic health center, IFAS, a college, department or any other unit, or present a social media account as an official university account unless authorized to do so. When using social media in a personal capacity, you must take reasonable precautions to indicate that you are engaging in the activity as a private person and not as an employee, agent or spokesperson of the university. Permission to use any University of Florida service marks, trademarks or logos must be requested from University Strategic Communications and Marketing.

Inappropriate comments

  • All content is bound by the UF Acceptable Use Policy. Further, users are expected to abide by applicable laws, regulations, rules and policies including the University Student Code of conduct, the University’s Sexual Harassment Policy and other regulations and policies concerning public communications.
  • When discovered, a unit social media manager must immediately remove inappropriate comments about the organization or a staff member that are offensive, abusive and/or insulting. UF Health social media sites may allow negative comments relating to quality of care that do not meet the removal criteria above, unless such comment contains PHI pertaining to another person or is super-confidential in nature.
  • Further in this document we share instructions about how to respond to such comments.

Other comments

  • Accounts run by UF units are subject to public records laws and freedom of speech considerations. For these reasons, comments and other content added by users other than the social media managers should be removed from the social media pages only when there is a very compelling reason to do so. Content should not be removed solely because the managers or other unit personnel dislike it, or solely because it puts UF Health in a negative light. Prior to deleting or hiding a comment, please contact the UF Health social media team to make them aware of the situation.
  • If an individual offers a comment that would serve as a follow-up marketing or public relations patient testimonial or newsworthy story, the UF Health Communications team will contact the individual to secure an Authorization to Use or Disclose Patient Information for Communications Media form. This consent form will cover not only distributing the message through social media sites but also using it in other UF Health marketing, promotion and news efforts.
  • Responding to comments: Responding to a patient who greets you on a social media platform is OK. Providing medical advice or information is not, even if the patient requests it. Not all comments will require a response; some comments may be simple statements or praise, or tips for other UF Health or UF customers. 
  • When responding, staff shall remove any PHI contained in the original message. See also CP3.36 De-identification of Patient Information for additional information.
  • If the comment requires a more in-depth answer, AND is not a complaint per CP1.16 Patient and Family Complaints and Grievances, our response should promise an answer within a set amount of time (preferably 48-72 hours, or two to three business days). Due to the nature of this type of marketing, the response shouldn’t have a “corporate” tone. An example of this response, which should be posted to the site for the world to see, would be: Thank you for contacting UF Health. Due to the nature of this issue, we will need some time to respond. Please be patient. We will respond to you within three business days.
  • If the message requires an in-depth response, AND is not a complaint, and the content is outside the scope of the site administrator or department hosting the site, then the site administrator must work with the appropriate department liaison(s) to craft a response. If a site administrator is unsure of who to contact to address a comment, he or she may contact a UF Health Communications member for assistance.

Complaint/grievance

  • The standard response should not be handled privately and should say something like: Thank you for contacting us UF Health. We appreciate your feedback and your concerns are important to us. In order for us to follow-up with you appropriately, please contact a patient representative at 352-265-0123 with issues and or concerns.
  • The definition of a patient complaint/grievance, as per Shands Core Policy CP1.16 is as follows: Patient Grievance – a formal or informal, written or verbal complaint that is made to the hospital by a patient, or the patient’s representative, regarding the patient’s care, abuse or neglect, issues related to the hospital’s compliance with the CMS Hospital Conditions of Participation, or a Medicare beneficiary billing complaint related to rights and limitations provided by regulation or a complaint alleging violation of patient confidentiality.
  • IMPORTANT: Comments that are complaints or grievances must be sent immediately when discovered to the UF Health social media team, who will send to the designated facility’s complaint-management representative and other UF Health senior leadership, who will then determine the applicability of CP1.16, Patient and Family Complaints and Grievances. These individuals will work with UF Health communications staff to develop an appropriate response to the comment(s). Typically these responses will be handled privately, but we may decide that our response will shed light on a particular concern or issue and how UF Health is managing that issue, and thus the response will be appropriate on the social media platform. It is also important to note that UF Health staff must adhere to Core Policy 3.14 Email and Calendar Use when transmitting electronic messages to patients or other individuals. CP3.14 prohibits the sending of emails which contain PHI to external email addresses (i.e. those ending in yahoo.com, hotmail.com, etc.) unless that email transmission is encrypted.
  • IMPORTANT: All comments that are deleted should be saved in a Word document and submitted to the UF Health social media team for record-keeping, in compliance with the Florida public records law. A screenshot of the comment is an acceptable means for documenting a removed message.

“Facebook terms and conditions” to be posted on each Facebook Page: The Facebook terms and conditions document in Appendix A to these guidelines must be customized appropriately (see [brackets] for customizable areas) and posted on a tab on each UF Health-approved Facebook account.

Additional information about blogs: Blogs started by employees and hosted on other domains are considered personal blogs. These blogs must not be advertised or run as official UF or UF Health blogs. If such a blog contains discussion of health-related issues or work matters, the employee should post a disclaimer stating that the blog is not an official UF or UF Health blog, and that the opinions expressed there are his or her own personal opinions and not those of UF or UF. Employees who discuss work matters on personal blogs should be well- versed in appropriate social media behavior and should not violate privacy or other laws that relate to their work environments.

Training: Social media advisers and unit social media managers will be required to attend initial training on social media management, strategies, policies and guidelines. Subsequent training sessions may be offered as new information becomes available and may be mandatory or optional. Social media monitors and unit social media managers should proactively pursue updates, which may come from the web services team, the UF Health Communications social media team, UF Health Communications,  or University Relations.