Step #4 Understand the Rules for a HIPAA-Compliant Social Media Strategy

This blog is part four of an eight-part series on launching your hospital’s social media strategy.

You’ve completed Steps 1, 2 and 3 of launching your hospital’s social media strategy. Now it’s important that you have a clear understanding of what you need to do to avoid HIPAA violations.

Some hospitals are allowing HIPAA anxiety to keep them from embracing social media platforms such as Facebook, Twitter, YouTube, LinkedIn, Foursquare and blogging. But more than 900 U.S. hospitals now engage patients through these platforms, and there is solid information to keep you on firm ground if you follow these nine no-nonsense rules. Thanks to David Harlow, a healthcare law and consulting attorney, for many of these ideas.

Understand HIPAA.

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that gives a patient control of his or her own protected health information (PHI). No one else can release that information without the consent of the patient, apart from the exceptions described below.

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) gives state attorneys general the right to pursue violations of patient privacy as well.

The exception: Protected health information can be used and shared without the patient’s authorization for treatment, payment and healthcare operations. It can be shared internally, from a hospital to a physician, from a physician to a hospital, and with payers for insurance purposes. Beyond that circle, however, it cannot be released without the consent of the patient.

The key point: The same rules regarding patient privacy that apply to everything else you do in healthcare also apply to social media activities. Remember that even the fact that a patient/doctor relationship exists is itself protected health information.

Consult with your legal advisers early and often.

This blogpost is not meant to provide legal advice – just guidelines for implementing a HIPAA-compliant social media strategy. Seek legal advice for your particular hospital.

Limit liability by establishing clear policies and procedures.

Determine a coherent set of internal and external policies and procedures regarding patient privacy that are tailored to your hospital.

Involve leaders, evangelists and frontline staff in the development of these policies and procedures. These policies should:

  • explain appropriate use of social media platforms
  • clearly define how information posted there will be used
  • specify what degree of privacy can be expected
  • state clearly that these forums are not to be used for personal medical advice
  • state clearly that the site is NOT monitored 24 hours a day, seven days a week

Post these policies prominently on your social media sites and incorporate them into off-line documents such as your Notice of Privacy Practices.


Train your staff in policies and procedures.

You have a code of conduct. Now you just need to extend it one step beyond an Internet usage policy to cover social media platforms as well.

Make sure that all your employees who are participating in your social media have been trained, that they clearly understand your policies and procedures and that they follow them.

Social Media guru Ed Bennett has gathered a nice collection of policies on his website, Found in Cache.


Do not practice medicine online.

While it is possible to conduct a hospital-patient relationship online, best practice would be to initiate the relationship in real life and obtain appropriate authorization from the patient to continue the dialogue online. Even then, don’t practice medicine online.

Some patients are more open than others, and are willing to post details about themselves that others consider private. If someone posts these details in a public forum, that posting constitutes consent to the disclosure itself. Your response, however, should never disclose protected health information.


Take conversations offline.

When you feel that comments or questions on your social media platform are approaching HIPAA violations, take them offline. Ask the patient to call your hospital for more details.

Prominently post your policies and procedures on all your social media platforms.

For instance, on Facebook have a separate tab for policies. On your blogposts, place a policies link just before your comments section. Make sure patients understand your policies and know how your hospital will interact with them. When you include prominent disclaimers and plenty of warnings, these postings constitute consent to the public discussion.

Regularly monitor your social media platforms.

Review your social media platforms at least daily. That helps you respond quickly to the good and bad that comes your way, and helps you build those strong, trusting relationships that can be so powerful. You should remove any posts or comments that violate HIPAA regulations by disclosing protected health information. Whenever you remove a comment or post, be sure to follow best practices by briefly explaining why.

Review this blogpost for a calming voice when you start worrying about negative comments. And remember our core values at the heart of hospital social media. When a patient posts his or her own protected health information on your hospital Facebook page or in your blog comments, it is not a violation of HIPAA. That’s because he is free to release his own information.

Here are some questions and answers that  may help as you monitor your social media platforms.

“Is our hospital liable for non-employee postings on forums we host?”

No. Andrea White, a senior account supervisor who is a specialist in health policy implementation at Lovell Communications in Nashville, Tenn, writes that Section 230 of the Communications Decency Act “protects you as a sponsor of an online forum. A healthcare provider cannot be held liable for postings made by other parties just because it owns or sponsors the forum.”

David Harlow adds an additional caution, however. “This law may help if you’re being sued for lewdness or slander,” he says, “but in the healthcare privacy realm we’re held subject to a different set of standards. There are numerous overlapping regulatory schemas.

“It becomes important to be able to monitor and potentially take down information if it reveals private information protected by HIPAA. Even if it’s posted and you don’t get to it right away, if you run a schedule of scanning and scrubbing on a daily basis, that will work in your favor.”

“Can we remove posts randomly?”

Yes, according to White, with one important caveat. “You can take down or leave up comments as you deem necessary with no consistency in the practice and you are covered either way. However, if you edit a third party’s post then you become the co-author and assume liability. The moral is that you need to either respond to a comment, delete it, or leave it as it is. But NEVER edit it.”

“What liability do we have if we invite participation in a forum?”

White adds another caution: “According to case law precedent, if you invite illegal activity then you assume liability. If you want to invite new moms to post baby photos or ask weight loss program participants to track their results in a support group forum, then make sure you have a terms of use policy where they are voluntarily giving you permission to publish that information.”

“Are we liable for postings by a patient’s family or friends?”

No, says John Cummins, an editor with Health Leaders Media. He writes:

“I asked the Department of Health and Human Services’ Office of Civil Rights about it. They replied: ‘Entities subject to the HIPAA Privacy and Security Rules are covered entities: health plans, healthcare providers, and healthcare clearinghouses. Generally speaking, a covered entity would not be responsible for the actions by a patient’s friends or family.’”

“What if patients post photos they have taken in the hospital on social media sites?”

No problem, if you post signage saying that picture taking is not permitted. John C. Parmigiani, president of John C. Parmigiani & Associates, LLC, and a nationally recognized expert in HIPAA compliance, advises hospitals to post signs at the entrance to the emergency department or near emergency department examining rooms stating that picture taking is not permitted. That way, if a visitor ignores the rules, takes a picture and posts it online, the hospital can at least demonstrate that it was exercising reasonable measures to protect patient privacy. “To me, the posting prohibiting picture taking would represent another example/level of ‘due diligence’ on the part of the hospital,” Parmigiani says.

Kate Borten, CISSP, CISM, concurs. Borten is president of The Marblehead Group, a firm that provides information security and privacy consulting for the healthcare industry. Borten explains that HIPAA expects healthcare providers to take “reasonable” measures to protect patient privacy, but also “accepts situations such as waiting rooms where patients can be seen by the public or a family member accompanying a patient to a bed in the ER. As long as the hospital wasn’t doing something out of the norm, then it shouldn’t have any liability when a member of the public snaps a picture.”

Borten casts some additional light on a hospital’s responsibilities. HIPAA makes an “absolute distinction” between the hospital’s workforce (a term defined in the regulations) and everybody else. “Organizations are responsible for the actions of their workforce, but not for the rest of the world,” Borten says.

Visit and revise your policies and procedures regularly.

As social media evolves, as technology increases, as you gain more experience and as your comfort level grows, you will need to revise and update your policies and procedures. Plan to review them about every three months.

Follow these steps and you should steer clear of HIPAA violations. Remember to contact your legal department to make sure that your policies and procedures are in compliance.



37 replies

  10. Maurice Kamdem Kamwa
    Maurice Kamdem Kamwa says:

    What a great blog! I did enjoy every bit of it while learning at the same time, because it was not only informative but educative as well. Thank you!

    My only concern with HIPAA and social media has to do with this comment: “When a patient posts his or her own protected health information on your hospital Facebook page or in your blog comments, it is not a violation of HIPAA. That’s because he is free to release his own information.” I completely agree, but where do you draw the line to authenticate the source of the information to prove that it was actually posted by the patient, considering the high rate of internet impersonators, hackers, and self-defamers?

    Personally, I am thinking that with regard to HIPAA compliance and social media, they should include a clause saying that if you post your protected health information online for any reason other than treatment or seeking assistance, it should be considered a violation tantamount to a fine or punishment.

  11. Dogma
    Dogma says:

    Can/should an untrained Behavioral Health staff member set up a secondary personal social media site, without established “formal” policies and “patient rights” warnings? What cautions do you suggest?

  12. Dan Hinmon, Principal
    Dan Hinmon, Principal says:

    Thanks for asking, Carlos. Please contact an attorney for a definitive answer on this, but if no protected health information is disclosed, there would be no HIPAA violation. In addition, the closed forum provides additional protection.

  13. Carlos
    Carlos says:

    Does a closed forum of doctors discussing clinical cases with no patient names, pictures or videos (only clinical info) constitute a HIPAA violation?

  14. Shawn Nakamoto
    Shawn Nakamoto says:

    I have a question about how you determined the 900 hospitals across the nation who have a social media presence? For Hawaii, only Queen’s Medical Center was listed. Our health care system, Hawaii Pacific Health has a Twitter feed, two Facebook pages, as well as a LinkedIn page. I also know that Kaiser Permanente Hawaii has a social media presence.

  15. Dan Hinmon, Principal
    Dan Hinmon, Principal says:

    Thanks, Nick. I’m glad you enjoyed it. Please let me know if you have any other ideas on this important subject of HIPAA. We need more hospitals to get past this hurdle!

