Social Media and HIPAA: How to Be Smart in the Digital World and Remain Compliant


November 12th, 2019

Social media and HIPAA compliance are becoming real concerns in the digital world. Find out how to balance engagement with staying compliant.


HIPAA was passed long before the launch of social media networks. In fact, HIPAA, passed in 1996, preceded today's digital world. However, social media and HIPAA have become a real concern in the 21st century, with the regulators who enforce HIPAA now applying its rules to the subject. There are many benefits to leveraging these sites for healthcare, but they come with a warning. Many healthcare providers have been subject to fines and violation findings because of noncompliant social media activity.

The First Rule of HIPAA and Social Media


Rule number one: don’t post protected health information (PHI) on social media! The HIPAA Privacy Rule prohibits disclosing PHI on any social media profile, whether as text or images, unless the patient has signed a written authorization for that specific use. For example, many providers publish testimonials or case studies about a particular patient’s journey. This type of content can be very compelling, but, of course, it requires the patient’s authorization first.

As providers, patients, and other stakeholders navigate the modern digital world, what is and isn’t legal is often a murky area. That’s why every healthcare organization should have documented rules about social media. Social media is not the channel to discuss PHI, or even to respond to questions or reviews with any snippet of PHI.

While it’s certainly human nature to want to respond on social media, the approach must be compliant and careful. In these channels, providers may feel helpless, because consumers essentially have free rein to review the provider. The provider, however, doesn’t have that same luxury.

Such a case occurred this year, when a dental practice responded to a Yelp review and allegedly disclosed PHI. The practice settled the matter with OCR for a $10,000 fine. OCR found that the organization had in fact violated HIPAA on several occasions.

How Providers Can Respond Compliantly on Social Media

Providers do have options when responding on social media. But they must always be HIPAA compliant. Here are some ways to craft compliant responses:

  • Respond in general terms with a standard response: while many other companies reply with specificity, that’s a no-go here
  • Reach out to the patient directly rather than responding on social media
  • Draft a response that says you’ll be in touch with them to discuss their concerns (with this approach, you are telling others that you are aware of the situation but will handle it offline)

Responses like these should be documented in your social media training for staff. Training on social media and HIPAA should take place at onboarding, before the employee has access to PHI, and be reinforced with periodic refresher training.

What Are the Most Common Social Media HIPAA Violations?

Along with improper responses to patient posts or reviews, several other types of violation come up repeatedly, including:

  • Posting of images or video of patients without approval
  • Gossiping about patients
  • Using any type of information that could lead to a patient’s identification
  • Sharing images taken inside a healthcare organization where PHI is visible (e.g., don’t take a picture of a physician at his desk while patient files are lying on it!)
  • Distributing any content about patients within a social media private group (it may be private, but it’s still not compliant)

HIPAA Social Media Guidelines

Your organization should have HIPAA social media guidelines. Here are some ideas on what to include:

  • Ensure awareness of the HIPAA compliance requirements for social media through consistent training
  • Provide examples to staff on what would be a compliant type of post
  • Communicate to staff the consequences of HIPAA noncompliance
  • Review and update policies annually based on new rules, regulations, and usage
  • Make sure that company and personal profiles are separate
  • Maintain a record of social media posts in the event of an audit
  • Encourage staff to report any possible violations
  • Moderate all comments on platforms
  • Include social media in your risk assessments

While social media comes with many constraints, the healthcare industry shouldn’t simply abandon it. Social media is a way for you to provide critical information, share industry news, and promote patient stories (with written patient authorization). You just have to balance your social media engagement strategy with remaining HIPAA compliant.
