Bizzuka Blog

Social Media Use and HIPAA Compliance

There are those who believe that the terms “social media” and “HIPAA” don’t belong in the same sentence. They argue that, to avoid risking a breach in patient privacy (and there have been many), healthcare professionals should not use platforms like Facebook, Twitter, Instagram and others.

Their position is understandable. Social media were created to allow people to share their lives and connect with others. The Health Insurance Portability and Accountability Act (HIPAA) was established to protect patient privacy by defining individually identifiable information and establishing how this information may be used, who may use it, and under what circumstances it can be used.

Considering the dichotomy, it stands to reason that never the twain should meet.

Unfortunately, in light of our technologically enhanced culture, it’s nigh impossible to prevent social media use by healthcare workers.

Social media engagement is now the number one activity on the web. Practically everyone (1.2 billion of us) has a Facebook profile, another 300 million use Twitter, and sites like Instagram, Pinterest, and Snapchat are rapidly growing in popularity.

Furthermore, thanks to smartphones, social media has gone mobile. It’s much easier to post an update to a social network than in the days when hospital and physician practice employees were tethered to a desktop computer.

Even if the IT department locks out access to social media on the healthcare facility’s network, people can still get there via their mobile devices.

In light of these facts, perhaps a better solution than prevention is to figure out how to make the use of social media HIPAA compliant.

Much has been written on the topic and guidelines are well established. Take into account these key points:

1. Understand the nature of the social media platforms and how they work. That includes understanding Facebook privacy settings, the difference between using the “@” symbol and sending a direct, private message on Twitter, and the sharing capabilities built into Instagram, Snapchat, Pinterest and others.

2. Never refer to a patient by name. Also, be sure not to give out any information, no matter how general it may be, that has the potential to identify the patient.

3. Never “friend” patients on Facebook. That could lead to serious ethics issues that result in HIPAA violations.

4. If you would not say it to a colleague on an elevator, don’t share it on social media. That’s a useful litmus test. Another is, if you wouldn’t want to see it printed in the newspaper, refrain from sharing it.

5. Don’t post anonymously. These days, it’s difficult to maintain anonymity online, and such a practice could breed bad behavior.

6. Don’t mix personal and professional. The blog KevinMD suggests using separate accounts for your personal and professional lives. For example, if you want to maintain a professional presence on Facebook, create a Page that is separate from your personal profile.

Those are some of the don’ts. Here are some dos.

1. Do establish clear social media usage policies and procedures and require staff members to adhere to them.

2. Train your staff on those policies and procedures. It’s one thing to make staff aware of the guidelines, and another to take time to train them on their use.

3. Post policies and procedures on all your social media platforms. Include them in the about section of your Facebook Page, make a page for them on your blog, and include a link to them in your Twitter and other social network bios.

4. Monitor your social media platforms. Remove posts or comments that violate HIPAA regulations as quickly as possible.

5. Revise your policies and procedures as needed. Social media continually evolves; your policies and procedures will need to change right along with it.

The penalties for patient privacy violations can be severe, even resulting in your dismissal. The patient could also file suit against individuals or the facility.

An article in The Hospitalist, a publication of the Society of Hospital Medicine, states that although HIPAA “does not afford patients the right to bring a private cause of action against a physician, state law often does grant patients such a right.”

It goes on to say, “state medical boards often have the right to impose penalties, monetary and non-monetary, on a physician for privacy violations. These can include suspension or termination of medical licensure.”

Bottom line: the same rules that apply to patients in all your other healthcare-related activities also apply to social media. So long as you know “where the fences are” in terms of HIPAA privacy restrictions, more than likely you will not run afoul of them.

Image source: Flickr Creative Commons