HIPAA and Social Media

HIPAA and Social Media

Published: July 8th, 2019

In today’s social media era, companies all over the world benefit from the ease of using social networks to communicate quickly and efficiently with their customers. Although slower to adopt, the healthcare industry has also joined the social media craze. Healthcare organizations utilize social media to attract, communicate, and interact with current and potential patients. Healthcare facilities and providers use social media to deliver important messages and new information about procedures and services.

With nearly 70% of US adults on social networks and 2.34 billion users worldwide, social media’s reach is not only expansive, but its’ opportunity can also be limitless. It has quickly become one of the most effective and essential tools for marketing and public relations in nearly every industry. However, despite all the benefits of social media, there are also considerable risks involved for HIPAA violations.

The HIPAA Privacy Rule prohibits the use of (Personal Health Information) PHI on social media networks, which includes posts or text messages about specific patients, in addition to images or videos that may result in a patient being identified. PHI can only be included in social media posts if a patient has given their consent, in writing, to allow their PHI to be used and then only for the purpose written in the consent form. Some of the most common HIPAA violations using social media include:

  • Posting images or videos of patients without written consent
  • Publishing information about patients that could allow a person to be identified.
  • Posting photographs or images taken from inside a healthcare facility where a patient or PHI are visible.
  • Sending pictures, videos, or text to a social media private group.

There are serious penalties for employees and healthcare organizations for that violate HIPAA. Which is why it is important that all workers are trained on HIPAA social media rules. Healthcare organizations must also implement a HIPAA social media policy to reduce the risk of privacy violations.

Helpful HIPAA social media guidelines for healthcare organizations:

  • Create and implement social media policies.
  • Ensure that every employee is trained on HIPAA social media rules and why they are necessary. Conduct annual training.
  • Give examples of what is and isn’t acceptable social media communication to ensure understanding.
  • Make sure employees are aware of the severe penalties involved with HIPAA violations, including termination, loss of license, and criminal penalties.
  • Make sure social media sites are approved by your compliance department.
  • Review and update social media policies annually.
  • Develop policies and procedures for the utilization of social media for marketing purposes.
  • Create a policy requiring employees to have separate personal and corporate accounts.
  • Develop a policy requiring the prior approval for any social media post from your legal or compliance department.
  • Implement controls that can flag potential HIPAA violations, and ensure all organizational social media accounts are monitored closely.
  • Keep a detailed record of all your organization’s social media posts.
  • Do not have any discussions on social media networks, with patients who have disclosed PHI on social media.
  • Make sure employees report potential HIPAA violations.
  • Make sure all social media accounts are included in your organization’s risk assessments.
  • Implement controls to prevent the unauthorized use of corporate social media accounts.
  • Moderate all comments on social media platforms.

For a HIPAA compliance social media checklist visit the Department of Health and Human Services Office for Civil Rights at:


For further questions regarding HIPAA social media requirements, contact the experts at MedSafe for a free consultation. MedSafe is the nation's leading one-stop resource for outsourced safety and health compliance solutions in healthcare.

Toll-free: (888) MED-SAFE