Ryan/Sawyer Marketing in Grand Junction, CO

Social Media in Health Care, Part 5 | The HIPAA in the room

Engaging your brand in social media is kind of a no-brainer – unless you’re in the healthcare industry. In our experience, some health organizations have been hesitant to foray into social media due to confusion about what to discuss, how to engage with patients, or fear of running afoul of HIPAA regulations.

This series attempts to break down the basics and offer some guidance as to how to navigate the social media waters.


Of course, we can’t talk about using social media in health care without mentioning HIPAA, a privacy rule managed by the U.S. Department of Health & Human Services. For those unfamiliar, the Health Insurance Portability & Accountability Act of 1996 (HIPAA) creates national standards to protect individuals’ medical records and other personal health information. It gives patients more control over their health information, sets boundaries on the use and release of health records, establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information, holds violators accountable, and it strikes a balance when public responsibility supports disclosure of some forms of data – for example, to protect public health.

Phew! For social media use, it means more stringent regulations and requirements that govern how you treat patients in an online space.

In a nutshell, you can’t use any identifying detail about a patient (name, photo, description, or a host of other identifiers) without written consent from the patient or guardian. Period.

That complicates things a bit when you want to feature a testimonial from a patient, or talk about a heart-warming story with a photo of someone finishing their last chemo treatment. If a provider sees the Batmobile parked in the parking lot, you can’t post anything about it, as it’s unique and people in your town probably know who drives it (even if you blur the license plates). You have to get written permission. Yes, it kills some of the mood of the event and the spontaneity of the post, but you just have to do it.

With HIPAA, it’s better to ask for permission than forgiveness!

Have your legal counsel or department assist with the formation of a policy, and make sure the legal team is involved with any breach. And make sure you understand what HIPAA considers to be a violation: an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information (PHI) [of a patient].

Common examples of social media HIPAA violations include:

  • Posting “gossip” about a patient, even if unnamed, to unauthorized individuals.
  • Sharing photos or any form of PHI without written consent from a patient.
  • A mistaken belief that posts are private or have been deleted when they are still visible to the public.
  • Sharing what appears to be innocent comments or pictures, such as a nurse celebrating her birthday, but which happens to have visible patient photos or information (e.g., files underneath, a patient in the background, a unique car in the parking lot).

The basic rule of thumb is to only post something you would say in an elevator or coffee shop to a complete stranger. When in doubt about whether or not it’s ok to post something, leave it out. If you still think it’s a good thing to post about, ask someone for clarification or help with the matter.

As an organization, it’s your responsibility to thoroughly train employees on your HIPAA Privacy and HIPAA Security policies and procedures upon hiring and annually thereafter. Integrate your social media policy into all of your other policies and procedures, and have a clear, widely distributed company policy on the use of social networking sites during both working and non-working hours.

As for what HIPAA considers to be Protected Health Information (PHI), it’s a long list. Make sure to remove anything from a post that could identify a patient, such as:

  • Names
  • Geographic information
  • Dates (including a patient’s birth date, admission date, discharge date, date of death, etc.)
  • Phone and/or fax numbers
  • E-mail addresses
  • Account numbers: Social Security, Medical record, Health plan beneficiary, certificate/license, or any other account number
  • Vehicle identifiers, serial numbers, including license plates
  • Device identifiers and serial numbers
  • URLs and IP address numbers
  • Biometric identifiers (e.g. finger and voice prints)
  • Full-face photographic images and any comparable images
  • Other unique identifying numbers, characteristics, or codes (this is the most difficult to comply with because there is already so much info available online that could identify a patient.)
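As an added example (not from the original post and not a Ryan/Sawyer Marketing tool), here is a small pre-publication screen in Python that flags several of the identifier categories listed above in a draft post. The regex patterns and the MRN format are assumptions; it is a first-pass aid for the human review the post describes, not a complete de-identification method.

```python
import re

# One illustrative pattern per identifier category from the list above.
# These patterns are assumptions of this example, not a complete
# de-identification method; a human reviewer still signs off on every post.
PHI_PATTERNS = {
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "phone_or_fax": re.compile(
        r"(?<!\w)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    # Hypothetical medical record number format: "MRN" followed by digits.
    "medical_record_number": re.compile(r"\bMRN[\s#:-]*\d{4,}\b", re.IGNORECASE),
}


def screen_post(text):
    """Return a list of (category, matched_text) findings for a draft post."""
    findings = []
    for category, pattern in PHI_PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append((category, match.group(0)))
    return findings


def is_safe_to_post(text):
    """True only when no identifier pattern fired; silence is not proof of safety."""
    return not screen_post(text)


# Constructed draft post for demonstration; not a real patient or number.
DRAFT = ("Congrats to our patient on finishing chemo on 03/14/2023! "
         "Questions? Call 970-555-0123 or email jane.doe@example.com. MRN 00123456")

if __name__ == "__main__":
    for category, hit in screen_post(DRAFT):
        print(f"{category}: {hit}")
    print("safe" if is_safe_to_post(DRAFT) else "needs review before posting")
```

Names, geographic details, photos and the “other unique characteristics” category cannot be caught by pattern matching, so a clean result from this screen only narrows what the reviewer must still check by hand.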

Don’t fall into the trap of thinking you’re too small, too rural, or have too few followers to get caught for violations. And don’t underestimate the severity of HIPAA violation penalties. According to HHS, the majority of violations have occurred from employees mishandling PHI via inappropriate social sharing.

Violations under the HIPAA Privacy Rule can result in civil fines ranging from $100 to $1.5 million, or criminal penalties can be levied, which can result in fines up to $250,000 and up to 10 years in prison.

Other, more obvious, consequences of violating HIPAA include lawsuits, the loss of a medical license, or employee termination.

If a HIPAA breach occurs on a social network, immediately take the following steps:

  • Report to your compliance officer a brief description of what happened, including the date of the breach and the date of the discovery.
  • If it is determined a breach has occurred, you are required to provide notification to the patient affected. Individual notifications must be provided ASAP, never more than 60 days after the discovery.
  • In addition, your compliance officer will ensure appropriate notification procedures are followed including providing notice to the secretary of HHS and to the media if it is a breach involving more than 500 individuals.
  • Employees involved in the breach must at a minimum be re-trained on HIPAA Privacy, HIPAA Security and all social media policies and procedures.

Sources: “Posting with caution: the Dos and Don’ts of Social Media and HIPAA compliance.” Healthcare Compliance Pros.

Wikipedia and Health and Human Services.
