In recent years, social media has become widely used as a marketing tool. Today, millions of businesses use social media channels, such as Twitter, Facebook and Instagram, to offer information, testimonials and special deals in an attempt to attract new customers and increase their brand awareness. Using social media is a relatively low-cost alternative to more traditional forms of advertising, and successful social media campaigns can help build strong bonds between businesses and their customers.

Sounds great, right? But while a well-executed social media campaign can be extremely beneficial to your business, one that is poorly run can cost you dearly. In fact, medical spas and medical aesthetic practices are particularly susceptible to certain types of social media violations that can attract the unwanted attention of the federal government and, if you commit one, Uncle Sam will not care whether or not you were aware of them. It's up to you to educate yourself about what you can and can't post on social media channels—here's a quick guide that will help you better understand the situation.

Getting Hip to HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is an enormous piece of legislation that does a lot to regulate the ways in which the business of health care is conducted in the United States. However, since its adoption, it has become synonymous with the issue of patient privacy. Simply put, HIPAA's Privacy Rule prohibits medical institutions from sharing protected health information, which it defines as anything that identifies a patient. This can include information such as a patient's e-mail address, street address, name, birth date, Social Security number, etc.—anything at all that could possibly reveal the identity of the patient must be kept completely confidential.

The government takes the issue of patient privacy very seriously. If a medical institution is found to have violated HIPAA, it is potentially subject to very substantial fines—hundreds of thousands of dollars per violation in some cases. This is no joke. What's more, most states have even stricter patient privacy statutes on their books, so it is imperative that medical institutions go to great lengths to ensure that patient privacy is observed at all times.

“I've had cases where somebody was taking a picture of their coworker, and it happened to be that, in the background a patient appeared who was just passing by—who wasn't the subject of the photograph, but nevertheless was captured,” says Michael Sacopulos, president of Medical Risk Institute, an organization that specializes in reducing medical providers' exposure to litigation. “It got posted online, and that's a violation.”

It's important for medical spa and medical aesthetic practice physicians, owners and operators to understand that these facilities are, in fact, medical institutions—unorthodox medical institutions, certainly, but medical institutions nonetheless. Therefore, they are subject to the rules and regulations that govern medical institutions, including HIPAA. Sure, there are some grey areas pertaining to the medical status of treatments, such as microneedling, but conscientious medical spa and aesthetic medical practice physicians, owners and operators must realize that hewing to the laws that govern more traditional health care outlets is the best way to reduce their businesses' exposure to potentially crippling fines and disciplinary action.

“I don't think that any of this is terribly onerous,” says Sacopulos. “If you put yourself on the other side of the reception desk, it's what you would want. I tell people that I don't even want to work with them if they're going through lots of gyrations about how they can bypass some of these privacy issues, because I think that just leads to a mind-set that's going to get you into trouble. And what we should really do is think about how we can keep this stuff confidential, because that's what the patients want anyway. It's just good business.”

A Strange Space

Despite the fact that medical spas are medical institutions, they exist in an unusual market. The aesthetic services they offer are elective, so they must market themselves in ways that traditional health care outlets typically do not in order to get clients in the door. Many medical spas present their services as commodities, in much the same way as retail outlets do. And because the medical spa market is growing, there is more competition for the prospective customer's attention than ever before, so marketing campaigns in this space need to be cost-efficient and effective.

This is why many medical spas turn to social media to help promote their businesses. And, as mentioned earlier in this article, a well-executed social media campaign can do wonders for the bottom line. But it is shockingly easy for a medical spa to expose itself to patient privacy issues with even the best-intentioned, most harmless-seeming social media activity, so it is imperative that you understand what these pitfalls are and how to avoid them.

There are three major ways that medical spas and aesthetic medical facilities tend to violate patient privacy laws on social media without even knowing it.

1. Publicly reaching out to a patient. If you are connected with clients via a social media channel, such as Facebook or Twitter, you might think that reaching out to those customers after a visit to publicly thank them for coming in seems like a great way to build a relationship and entice their friends to follow suit. And if you were not operating a medical institution, you'd probably be right. Unfortunately, since you are operating a medical institution, this may constitute a violation of HIPAA (and possibly a raft of state laws), because you're revealing that that particular client is one of your patients.

One way around this is to reach out to your patient using the private messaging feature of whichever social media platform you choose to use. You will not be able to reach your client's friends this way, but you'll still be able to strengthen your relationship with your client. However, you'll need to be very, very careful if you decide to do this—as any number of disgraced celebrities will tell you, it's incredibly easy to publicly post something that you intended to keep private. It's probably best to simply not attempt to do this.

Also, if you're starting a Facebook campaign, make sure that you establish a fan page rather than a standard user page. That way, your facility's followers won't be visible to whoever peruses your facility's Facebook page.

2. Publicly responding to a positive comment from a patient. Let's say that one of your medical spa's patients posts a positive comment on your Facebook wall—something along the lines of, “Had a great Botox treatment here today!” Your natural inclination may be to post a response, such as: “Thanks! We hope to see you again soon!” It's only polite to acknowledge the compliment, after all. However, by the letter of the law, this too can represent a breach of a patient's privacy, since you're stating that you provided said customer with treatment.

Now, it should be noted that this is an emerging legal issue that has yet to be put to the test by litigation. It would not be outside the bounds of reason to argue that by taking the initiative to publicly post that message, your patient is tacitly waiving his or her HIPAA protection. But HIPAA and other state-based privacy laws are very strict, so it's probably not in your best interest to test them.

One way to avoid falling into this trap is to state on your social media channels that, although you appreciate all comments, the best way to deliver them is via e-mail or to call the facility directly. That way, you can avoid looking unappreciative and reduce your exposure to patient privacy violations. Alternatively, you can draft a form that acknowledges that patients wish to waive their HIPAA protection for social media, and then ask the patient to sign it; however, this would be an extremely difficult proposition due to the necessary complexity of such a form.

3. Responding to negative reviews. Yelp is a social media service that allows its users to rate the experiences they have as customers with businesses. In the last quarter of 2014, Yelp claimed more than 135 million unique visitors per month refer to its more than 71 million user-generated reviews, so make no mistake: Yelp is immensely powerful. Businesses are routinely made or unmade by their Yelp reviews alone.

In some ways, this is great. It empowers ordinary people and, ideally, it leads businesses to provide exceptional service to everyone—not just critics and big-shots. Yelp even encourages business owners and operators to become part of the conversation, allowing them to respond to reviews and engage with users on a personal level.

Unfortunately, there is a dark side to Yelp. It has user content guidelines, but its enforcement is spotty (as might be expected, given the amount of content on the service), so not everyone plays nice. Some Yelp reviews are unfounded and unfair, made by people who have ridiculous expectations or axes to grind—former employees, for example. What's more, some Yelp users become drunk with power, to the point where they post negative reviews if they don't get products and services at the prices they want to pay, whether or not those prices are reasonable. And those negative reviews can have an outsized impact on prospective customers—even if an outlet or restaurant has a preponderance of four- and five-star reviews, readers often gravitate to the handful of one-star reviews in order to familiarize themselves with the worst-case scenarios.

Most businesses have recourse for dealing with problematic Yelp reviews—they can engage the unhappy party publicly on the service and attempt to show other users that they've done nothing wrong. Medical spa owners and operators, however, absolutely cannot respond to these posts, because if they do, they may violate HIPAA and related state laws by identifying the user as a patient.

There are no two ways about it: this stinks. It's not fair to medical spa owners and operators, but it's the way that it is. Even if a user posts something that is patently false, a medical spa cannot defend itself. It is enormously frustrating.

The best way for medical spas to combat bad Yelp reviews—the only way, really—is to encourage their happy customers to post positive reviews for their business. This certainly does not guarantee follow-through—you're essentially asking customers to work to promote your business for free, after all—but there is little else that can be done to address the situation without violating patient privacy laws.

You may be tempted to engage in what is known as “astroturfing”—using employees or associates to post fake positive reviews in order to bolster your ratings—but you must resist that urge; doing so constitutes consumer fraud. A recent crackdown in New York state saw several facilities receive enormous fines for astroturfing.

The Best Defense

Social media can be a wonderful tool for promoting a medical spa, but can also be fraught with unseen danger. Make sure that everyone involved in every social media campaign conducted by your medical spa—as few people as possible, ideally—understands that it is of paramount importance that patient privacy be respected in every interaction. Few medical spas can survive the penalties associated with these violations, so it is imperative that you do whatever is necessary to avoid them.

Alex R. Thiersch, JD is the founder and director of the American Med Spa Association (AmSpa), an organization created for the express purpose of providing comprehensive, relevant, and timely legal and business resources for the medical aesthetic industry throughout the United States. For more information about becoming a member, log on to www.americanmedspa.org. Alex can be contacted at alex@americanmedspa.org.