Social Media Policy

• The Health Insurance Portability and Accountability Act (HIPAA)
• Federal Trade Commission Act | Federal Trade Commission

• Office of Communications, Chief Communications Officer and Assistant Vice President, Digital Strategy, Marketing and Brand
• Office of Communications leadership for each school at the Medical Center
• Privacy Office, Chief Privacy Officer
• Information Technology, CUIMC Chief Information Security Officer
• Academic Affairs, Dean of Students for each school at the Medical Center
• Faculty Affairs, Vice Dean Medical Staff
• Human Resources, Chief Human Resource Officer

The medical center uses social media for business communications and marketing purposes. All social media content and accounts that promote the medical center or use the medical center’s brand name or logo for medical center business purposes on behalf of the medical center require prior approval of the Communications Office.

Any use of social media on the medical center’s behalf must be conducted in a manner that is professional, protects the reputation and brand of the medical center and follows Columbia University policies, the terms of use for the social media site, and any applicable laws and regulations.

Prohibited conduct when using social media on the medical center’s behalf includes, for example, use of social media in any way that constitutes libel, false advertising, copyright or trademark infringement, harassment, professional misconduct, or a violation of privacy rights or other rights protected under the law. Further, use of social media to present information about health care topics should clarify that the content is meant for informational purposes only and not as medical advice.

The medical center permits the creation of social media accounts that officially represent medical center entities, including schools and departments. Social media account creation should be limited to those that are appropriate for the intended audience and can be reasonably maintained with up-to-date content.

Requests to create and register official accounts require submission of a request to the Office of Communications here. Accounts may only be created and administered by assigned faculty and staff of the medical center. Students may not be named as page administrators for pages other than approved student clubs and organizations. The creation of a social media account for any student club or organization identifying itself as affiliated with the medical center must be approved by the associated school’s Office of Communications and registered with the medical center’s Office of Communications. Student clubs and organizations may not use the Columbia logo or other branding and must clearly state in their description that they are student-run.

Approved social media accounts representing the medical center must be set up as business accounts. Approved social media accounts for departments or groups falling under more than one entity (i.e., NewYork-Presbyterian Hospital, Weill-Cornell Medicine) are subject to the policies and procedures of each organization.

The medical center Office of Communications must be designated as an additional administrator of social media accounts and related accounts and/or be provided the account login information for other social media accounts. This allows Communications to access these accounts and respond in the event of a crisis or the unavailability or departure of the site administrator.

The administrator of the approved social media site is responsible for the security of the site login credentials, using an official CUIMC e-mail address, and is responsible for the account’s usage, including, but not limited to, managing and monitoring all content associated with the approved social media account and removing any content that may violate this or other medical center policies.

The medical center reserves the right to block or remove or request the removal of the content of any post or account that:

• violates CUIMC policies, including, but not limited to, harassing, threatening, or profane language;
• violates privacy laws or intellectual property rights;
• endorses or implies an endorsement of any commercial entity or its products or services;
• is factually erroneous or libelous;
• involves political campaigning or lobbying;
• contains personal information (whether the commenter’s or someone else's), including home address, phone number, or e-mail address, to protect privacy.

The medical center respects the right of its staff to use social media as a medium of self-expression. When using social media for personal purposes, users should follow the guidelines and policies set forth herein to establish a clear line between their personal and medical center-related activities and to protect the legitimate business and legal interests of the medical center. In addition, medical center faculty, staff, trainees, and students shall refrain from engaging in personal use of social media during working hours. Limited, incidental use that does not interfere with performance of medical center duties or operations, is compliant with medical center policies and any applicable laws and regulations is acceptable.

Faculty, staff, trainees, and students shall not use social media for personal purposes in any way that might reasonably create the impression that the content is authorized, endorsed or controlled by the medical center. Staff shall not use the medical center, school, or Columbia crown logos, trademark or proprietary graphics in a manner which may reasonably denote that such use is on behalf of the medical center without express prior authorization, for example by posting a photo of staff engaging in activity that could be interpreted as disrespectful to patients or the quality of patient care while wearing scrubs or clothing with the medical center logo.

In this regard, if users identify themselves as being associated with the medical center on a social media site and if the nature or context of social media activity on such site could reasonably be misconstrued as representing the views of the medical center, then users should post a disclaimer such as, “My posts represent my personal views and not those of Columbia”. Any social media content that promotes the medical center, its staff or services, must be accompanied by a disclosure of the author’s relationship with the medical center (e.g., “#employee”) and must include the author’s actual name, not a pseudonym or alias, as required by Federal law and guidance regarding online endorsements.

Faculty, staff, trainees, and students at the medical center should remember that they are personally responsible for their own conduct when using social media for personal purposes. They should also be mindful that the medical center is a public accommodation and should not post content about, or any image of, the medical center, staff, patients, or visitors, that is vulgar, obscene, threatening, intimidating, defamatory, or a violation of the medical center’s policies against discrimination, harassment, or that reflects hostility on account of a legally protected class, status or characteristic, such as race, age, or disability.

Medical center workforce members should not disparage or discredit patients or visitors. Further, workforce members are strongly advised against posting content or images that could be perceived as mocking or disparaging a patient. Workforce members should not post any content, image, or video of themselves that identifies them as medical center staff and depicts them engaging in illegal conduct, such as acts of violence or the illegal use of drugs, or in conduct that violates any medical center policy.

Workforce members are encouraged to report to their manager or report to the Compliance Hotline online behavior by or regarding medical center workforce member that violates medical center policies; this includes hateful statements about any individual or group based on that individual or group’s race, national origin, gender, religion or other legally protected characteristics. Refer to additional policies at the end of this document.

Workforce members are discouraged from communicating with, connecting, or “friending” patients or patients' friends or family via social media and discourages workforce members from communicating connecting or “friending” direct reports in such a manner that may inappropriately blur the personal and professional relationship, result in an invasion of privacy, or create potential liability for the medical center.

Any use of social media to present information about healthcare topics should clarify that the content is meant for informational purposes only and not as medical advice.

The use of social media for doxing or online harassment is strictly prohibited.

Doxing (or doxxing): Electronic or physical publication of an individual’s personal information that may include private email, personal phone number, home address, personally identifying images, etc. on various platforms that intimidates, threatens or harasses the individual or encourages additional harassment. This may include personal information that identifies an individual that is not publicly available, or the individual has not authorized another person or organization to make publicly available.

Online harassment: The use of online communication that intimidates, threatens, targets, or otherwise causes harm to an individual or individuals. This may include, but is not limited to:

• Harassing messages, threats, or insults;
• Impersonation for malicious purposes;
• Publicly sharing personal or private information; and
• Encouraging harassment of others.

Social media websites provide opportunities for paid advertising. Advertising for medical center programs must be conducted by or be approved by the Office of Communications. Advertising campaigns must follow brand guidelines and may only be conducted through official social media channels.

In the event of a crisis (such as a fire, violent crime, etc.) social media administrators should refrain from posting about the incident on social media accounts until official statements have been released or until otherwise instructed by the Office of Communications.

All inquiries from news media should be referred to the Office of Communications, including when reporters contact you via social media.

Any medical center social media account that has been inactive for six months will be considered abandoned and the Office of Communications may request the account be terminated.

The confidentiality of patient information is governed by federal and state laws. If any provision of this policy conflicts with applicable law or regulation, the applicable law or regulation that affords the patient with the greatest privacy will govern.

Workforce members shall not use social media to disclose individually identifiable information about patients in any form (including photo, video, or written content) except with the patient’s written authorization using the CUIMC HIPAA Media Authorization form. The Office of Communications can be contacted at cumcnews@columbia.edu to obtain the authorization form. The signed authorization must be placed in the patient’s medical record.

• Photo, tape, audio or video recording in patient treatment areas is permitted only after obtaining permission from the Practice or Program Director in addition to the Office of Communications.
• Patients in treatment areas/practice locations are prohibited from photo, tape, audio or video recording without prior permission from the provider, program, or practice director.
• Faculty, staff, trainees, and students are prohibited from taking personal photos, video, tape or audio recordings in patient care areas to avoid inadvertently capturing patients or patient information.
• Photos, images or a narrative thought to be de-identified may be recognizable by the individual or others and may not comply with the definition of De-identified HIPAA Privacy Rule and thus permission should be obtained from the individual prior to using photos, images or narratives (e.g., case reports) involving patients or patient information even if they are thought to be de-identified. See Resources Below for Guidance on Patient Privacy and Publication or Dissemination of Case Reports
• Faculty and staff may photograph, video or audio record patients for treatment purposes. The electronic device used must comply with CUIMC Information Security requirements. Photography, video, or audio recording in NewYork-Presbyterian (NYP) facilities require NYP’s prior approval. Additional patient consent may be required.

Workforce members are not permitted to post content that disparages patients, or which is likely to alarm or offend them. Even if a patient is not identified by name, a disclosure could still violate privacy policies, the Health Insurance Portability and Accountability Act (HIPAA) and other applicable laws if there is a reasonable basis to believe that the patient could be identified from the disclosure.

Workforce members are not permitted to post patient information on non-official social media accounts, including personal social media accounts.

Personal phones, cameras and other devices shall not be used to photograph, film or record patients or to receive, store or transmit individually identifiable information about patients. Workforce members should only photograph, film or record patients using medical center-approved equipment.

Patient authorization is not required if the photo, video, or recording is taken by the provider or other authorized staff member and used solely for the purpose(s) of diagnosing, treating, or identifying the patient.

Social Media and HIPAA FAQs

Social Media and HIPAA Do’s and Don’ts

Without the legal right to do so, staff shall not use social media to disclose or otherwise misuse any intellectual property of the medical center, its affiliates, personnel, or contractors, such as logos, trademarks, and copyrightable materials. Staff should not use social media to disclose or otherwise misuse confidential information of the medical center such as trade secrets, business plans, business agreements required by law or contract to be kept confidential, and sensitive personal information such as an individual’s address, social security number, account number, health information or health insurance identification number.

Using copyrighted music, imagery, or other content in posts, stories, or videos is prohibited.

Medical Center-issued equipment and communication systems, including but not limited to the IT network, electronic mail system, computer hardware, software, tablets, laptops, telephones, cell phones, facsimiles, and other means of electronic and telephonic communications (collectively, “electronic systems and devices”), are intended to be used for medical center business purposes.

Incidental, limited use of medical center electronic systems or devices for personal purposes is permitted to the extent that such use does not interfere with performance of medical center duties or medical center operations and is fully compliant with medical center policies and applicable laws and regulations.

Business or commercial use of Medical Center-issued equipment is not permitted.

The organization may restrict access to websites, including social media sites, on select computers. Medical center-issued email addresses may not be used to create, register, or administer a personal social media or other internet account, nor to post content to any Internet site, unless for medical center authorized business purposes.

Faculty, staff, trainees, and students shall have no expectation of privacy in any data, information, or communications, accessed, stored, or recorded on medical center electronic communications equipment and systems. The medical center reserves the right to monitor use of their electronic communication equipment and systems for, among other reasons, ensuring patient confidentiality.

Accordingly, all telephone conversations or transmissions, electronic mail or transmissions or internet access or usage by a workforce member using a medical center issued electronic device or system may be subject to monitoring by any lawful means without notice. The medical center-issued devices and systems that may be subject to monitoring include but are not limited to computer, telephone, wire, radio or electromagnetic, photoelectronic, or photo-optical systems. See Acceptable Usage of Information Resources Policy.

Violation of this policy may lead to disciplinary action up to and including termination of employment, contract, or medical staff appointment. In addition, breach of HIPAA or other laws or regulations and may result in legal action.

• Acceptable Usage of Information Resources Policy
• Anti-discrimination and Discriminatory Harassment Policy and Procedures for Students
• columbia-university-non-retaliation-policy
• cctv-monitoring-and-recording-policy
• commercial-filming-news-documentaries-and-student-filming-policy
• electronic-data-security-breach-reporting-and-response-policy
• email-usage-policy
• HIPAA Privacy Rule and Patient Rights Policy | University Policies (columbia.edu)
• Marketing Involving Protected Health Information (PHI)
• Notice of Nondiscrimination
• privacy-and-information-security-sanction-policy
• anti-doxing-and-online-harassment-policy
• Recording Doctor's Office Visits
• statement-ethical-conduct-and-administrative-code-conduct
• content/standards-and-discipline
• content/use-university-name-facilities-and-equipment
• Website Accessibility Policy
• Statement of Ethical Conduct and the Administrative Code of Conduct | University Policies (columbia.edu)

• Guidance on Patient Privacy and the Publication or Dissemination of Case Reports
• Health Privacy | Federal Trade Commission

Columbia

• Request or Register a Social Media Account
• Submit a Content Request @ColumbiaMed
• Contact the Social Media Team