Social Media and HIPAA: Avoiding Violations and Employee Claims

Jul 12, 2016 at 01:50 pm by Staff

As a healthcare provider or facility, there are steps you can take to minimize the risk of incorporating social media into your marketing or patient engagement strategy, while still adhering to HIPAA regulations. As you might know, HIPAA is short for the Health Insurance Portability and Accountability Act of 1996, a portion of which is meant to protect the rights of patients.

To avoid HIPAA violations, the best place to start is to understand the risks that social media can pose to a healthcare facility, create a social media policy that clearly sets your expectations as a healthcare provider on social media, then communicate this plan to your employees and train them to strictly adhere to it.

Understanding Social Media and HIPAA

It does not matter if your healthcare organization participates in social media or not. If your employees are using social media platforms, even privately, you are at risk for HIPAA violations and possible employee claims. If your organization engages in social media to attract or support patients during their wellness journey, or for recruiting purposes, knowing how to avoid HIPAA violations while using social media protects you, your patients, and prospective candidates' privacy, while still achieving your social media goals.

Social media is a broad term that includes a variety of applications. It can provide a combination of communication sharing capabilities, media storage, and the display of photos, text transmissions or shared experiences. Anyone in your workforce can communicate broadly to an identified group (or to the world should a post go viral). Each social media platform comes with a unique set of risks and should be addressed carefully within your social media policy. Common social media applications to consider include the following: Facebook, LinkedIn, Twitter, Instagram, personal and company blogs, websites, photo sharing sites such as Flickr, and texting via messaging applications like WhatsApp or Facebook Messenger.

Privacy Breach

HIPAA violations within the healthcare social media landscape can begin with the platform itself. Although some platforms such as Facebook and Linkedin include privacy settings, not all of the platforms do. Despite security measures on some of the social media platforms, not all users are aware of them and thus a HIPAA breach can easily occur. Even employees who share their experiences under tight privacy settings may inadvertently state a patient's name or describe a patient's story, thus identifying the patient to the public. These actions can also be downloaded, screenshotted, or shared by others in a group, and therefore violate HIPAA rules.

Data Storage and Control Concerns

In most cases, user information and data shared is stored and controlled by the social media platform. Because of this, once the post or send button is pressed, the information is out there forever. The information can then be stored, saved and shared by other users, thus violating HIPAA.

Hidden Uses of Data

Social media accounts can be faked or hacked with malicious intent. Occasionally, data pulled from social media accounts is used to inappropriately investigate employees and prospective candidates. This type of snooping by managers or human resource workers can lead to HIPAA claims because the employee's right to privacy is being violated.

Third party providers also have permission from some social media platforms to collect personal information from its users and share that information with other third parties, such as advertisers. Many consumers would consider this a breach of their privacy. This is why websites, blogs, and any social media intended for use by a healthcare facility must include both a Terms of Use and Consent disclosure that inform users of how their data will be used before they engage with you on any social media networks.

Avoiding Social Media and HIPAA Breaches

The potential for social media and HIPAA violations within your practice or facility is probably more present than you think. You may not be aware of the risks until it is too late and a suit has been filed against you. The consequences of delaying or ignoring the impact of social media and HIPAA risks could be devastating!

To avoid social media and HIPAA violations, you must require that your facility creates a comprehensive policy which considers a broad range of social media platforms and their inherent risks. Formulating a policy that addresses the privacy concerns of social media and HIPAA will assist you in proactively taking the steps needed to mandate how employees use social media in and out of the workplace.

By setting solid ground rules for corporate and personal social media use, you can protect yourself and your healthcare facility from revealing confidential patient information and the costly process of litigation.

Tracy O'Clair is the CEO/President of TOCmedia, a digital marketing agency providing social media management, email marketing and blogging solutions to small business owners. She can be reached at