HIPAA and Social Media: What You Need to Know

Published December 17, 2019

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was signed into law before the rollout of major social media sites such as Facebook, Twitter, and Instagram. As such, there are no HIPAA rules written specifically for social media.

However, some HIPAA laws and standards apply to the use of social media by health care organizations and their workers. Because of that, each health care organization must implement a HIPAA social media policy to decrease the risk of HIPAA violations.

The HIPAA Privacy Rule forbids the use of protected health information on social media networks. Protected health information includes text, videos, and images about specific patients that can enable others to identify them.

Health care providers can only use patients’ protected health information in social media posts if their patients have given written consent. And the health care organizations can only use the patients’ protected health information for the purposes specifically mentioned in their consent forms.

Still, health care organizations can realize a number of benefits from using social media. For example, social media platforms enable health care providers to interact with their patients, involving them in their own health care. Additionally, health care providers can use social media to attract new patients.

They can also use social media to more easily and quickly offer patients information about new services, as well as post health tips, details of events, staff bios, and new medical research, as long as they don’t include any patient protected health information (PHI) in their social media posts.

Despite the benefits, health care organizations that use social media platforms can still run the risk of violating HIPAA rules and patient privacy. 

According to the U.S. Department of Health and Human Services (HHS), most HIPAA violations in recent years have been caused by employees mishandling patients’ PHI, including by inappropriately sharing the information on social media sites. 

Penalties for violating the HIPAA Privacy Rule include civil monetary penalties ranging from $100 per violation to $50,000 per violation based on a tiered structure. The annual maximum penalty is $1.5 million. Criminal penalties could result in fines of up to $250,000 and up to 10 years in prison. Other consequences of violating the HIPAA Privacy Rule include the loss of medical licenses, termination of employment, and lawsuits.

However, by following HIPAA social media guidelines, health care organizations and their employees can use social media sites while maintaining HIPAA compliance and safeguarding patient privacy and patient information.

HIPAA Social Media Guidelines

To avoid violating the HIPAA Privacy Rule, your health care organization should follow these basic HIPAA social media guidelines:

  • Establish clear policies to cover the use of social media and make sure that all your staff members understand how HIPAA relates to social media platforms.
  • Educate all your employees on the acceptable use of social media as part of HIPAA training. Conduct annual refresher courses.
  • Offer employees examples of the acceptable use of social media and the unacceptable use of social media to improve their understanding of the issue.
  • Explain the possible penalties for HIPAA social media violations to all your employees.
  • Ensure your compliance department approves all new uses of social media sites.
  • Create policies and procedures on the proper use of social media for your marketing department, which should include standardizing how marketing takes place on social media platforms.
  • Review and update your social media policies annually.
  • Establish a policy requiring that your staff members keep their personal and corporate accounts totally separate.
  • Develop a policy mandating that your legal department or your compliance department approve all social media posts before they’re posted.
  • Monitor your company’s social media accounts and social media communications.
  • Implement controls to flag potential HIPAA violations.
  • Keep a record of posts made from your company’s official social media accounts, including the posts themselves, any edits made to them, and the format of each message.
  • Don’t conduct conversations over social media with patients who have disclosed their protected health information on social media sites.
  • Require your employees to report any potential HIPAA violations.
  • Include your social media accounts in your company’s risk assessments.
  • Implement appropriate access controls to prevent the unauthorized use of your organization’s social media accounts.
  • Moderate all comments on social media platforms.

HIPAA compliance should be an ongoing part of your total compliance program. In addition, if you continually train your employees about potential HIPAA violations that can happen when they use social media, your organization will reap the benefits of social media tools.
