Handling private posts about the organization in HIPAA compliant way
Scenario: A Facebook or Instagram user discusses a negative patient experience on their private timeline. That user has friends or followers that are Hospital employees. The employee screenshots the non-public post and sends it to our risk management team. Or, the employee decides (against our policy) to reply to the post as a Hospital representative.
Question: Is it a violation for thevemolpyee to screenshot the private post? Shuld the risk management team add the screenshot and scenario into our QDC system? For legal protection and to track with the care teams?
Also, correct me if I'm wrong, but we should not as a Hospital employees reply to a private post like that unless the Hospital is actually tagged in it, right?
Thank you for your help, I am working on updating our policies.