Step #4 Understand the Rules for a HIPAA-Compliant Social Media Strategy

This blog is part four of an eight-part series on launching your hospital’s social media strategy.

You’ve completed Steps 1, 2 and 3 of launching your hospital’s social media strategy. Now it’s important that you have a clear understanding of what you need to do to avoid HIPAA violations.

Some hospitals are allowing HIPAA anxiety to keep them from embracing social media platforms such as Facebook, Twitter, YouTube, LinkedIn, Foursquare and blogging. But there are now more than 900 U.S. hospitals engaging patients through these social media. And there is solid information to keep you on firm ground, if you follow these nine no-nonsense rules. Thanks to David Harlow, a healthcare law and consulting attorney, for many of these ideas.

Understand HIPAA.

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that says that a patient has control of his or her own protected health information. No one else can release that information without consent of the patient.

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) gives state attorneys general the right to pursue violations of patient privacy as well.

The exception: The patient’s protected health information can be used for healthcare operations. It can be shared internally, from a hospital to a physician, from a physician to a hospital, and to payment companies for insurance purposes. But this information cannot be released beyond that circle without the consent of the patient.

The key point: The same rules regarding patient privacy that apply to everything else you do in healthcare also apply to social media activities. Remember that even the fact that the patient/doctor relationship exists is itself Protected Health Information.

Consult with your legal advisers early and often.

This blogpost is not meant to provide legal advice – just guidelines for implementing a HIPAA-compliant social media strategy. Seek legal advice for your particular hospital.

Limit liability by establishing clear policies and procedures.

Determine a coherent set of internal and external policies and procedures regarding patient privacy that are tailored to your hospital.

Involve leaders, evangelists and frontline staff in the development of these policies and procedures. These policies should:

  • explain appropriate use of social media platforms
  • clearly define how information posted there will be used
  • specify what degree of privacy can be expected
  • state clearly that these forums are not to be used for personal medical advice
  • state clearly that the site is NOT monitored 24 hours a day, seven days a week

Post these policies prominently on your social media sites and incorporate them into off-line documents such as your Notice of Privacy Practices.


Train your staff in policies and procedures.

You have a code of conduct. Now you just need to extend it one step beyond an Internet usage policy to cover social media platforms as well.

Make sure that all your employees who are participating in your social media have been trained, that they clearly understand your policies and procedures and that they follow them.

Social Media guru Ed Bennett has gathered a nice collection of policies on his website, Found in Cache.


Do not practice medicine online.

While it is possible to conduct a hospital-patient relationship online, best practice would be to initiate the relationship in real life and obtain appropriate authorization from the patient to continue the dialogue online. Even then, don’t practice medicine online.

Some patients are more open than others, and are willing to post details about themselves that others consider private. If someone posts these details in a public forum, that posting constitutes consent to the disclosure itself. Your response, however, should never disclose protected health information.


Take conversations offline.

When you feel that comments or questions on your social media platform are approaching HIPAA violations, take them offline. Ask the patient to call your hospital for more details.

Prominently post your policies and procedures on all your social media platforms.

For instance, on Facebook have a separate tab for policies. On your blogposts, place a policies link just before your comments section. Make sure patients understand your policies and know how your hospital will interact with them. When you include prominent disclaimers and plenty of warnings, these postings constitute consent to the public discussion.

Regularly monitor your social media platforms.

Review your social media platforms at least daily. That helps you respond quickly to the good and bad that comes your way, and helps you build those strong, trusting relationships that can be so powerful. You should remove any posts or comments that violate HIPAA regulations by disclosing protected health information. Whenever you remove a comment or post, be sure to follow best practices by briefly explaining why.

Review this blogpost for a calming voice when you start worrying about negative comments. And remember our core values at the heart of hospital social media. When a patient posts his or her own protected health information on your hospital Facebook page or in your blog comments, it is not a violation of HIPAA. That’s because he is free to release his own information.

Here are some questions and answers that may help as you monitor your social media platforms.

“Is our hospital liable for non-employee postings on forums we host?”

No. Andrea White, a senior account supervisor who is a specialist in health policy implementation at Lovell Communications in Nashville, Tenn, writes that Section 230 of the Communications Decency Act “protects you as a sponsor of an online forum. A healthcare provider cannot be held liable for postings made by other parties just because it owns or sponsors the forum.”

David Harlow adds an additional caution, however. “This law may help if you’re being sued for lewdness or slander,” he says, “but in the healthcare privacy realm we’re held subject to a different set of standards. There are numerous overlapping regulatory schemas.

“It becomes important to be able to monitor and potentially take down information if it reveals private information protected by HIPAA. Even if it’s posted and you don’t get to it right away, if you run a schedule of scanning and scrubbing on a daily basis, that will work in your favor.”

“Can we remove posts randomly?”

Yes, according to White, with one important caveat. “You can take down or leave up comments as you deem necessary with no consistency in the practice and you are covered either way. However, if you edit a third party’s post then you become the co-author and assume liability. The moral is that you need to either respond to a comment, delete it, or leave it as it is. But NEVER edit it.”

“What liability do we have if we invite participation in a forum?”

White adds another caution: “According to case law precedent, if you invite illegal activity then you assume liability. If you want to invite new moms to post baby photos or ask weight loss program participants to track their results in a support group forum, then make sure you have a terms of use policy where they are voluntarily giving you permission to publish that information.”

“Are we liable for postings by a patient’s family or friends?”

No, says John Cummins, an editor with Health Leaders Media. He writes:

“I asked the Department of Health and Human Services’ Office of Civil Rights about it. They replied: ‘Entities subject to the HIPAA Privacy and Security Rules are covered entities: health plans, healthcare providers, and healthcare clearinghouses. Generally speaking, a covered entity would not be responsible for the actions by a patient’s friends or family.’”

“What if patients post photos they have taken in the hospital on social media sites?”

No problem, if you post signage saying that picture taking is not permitted. John C. Parmigiani, president of John C. Parmigiani & Associates, LLC, and a nationally recognized expert in HIPAA compliance, advises hospitals to post signs at the entrance to the emergency department or near emergency department examining rooms stating that picture taking is not permitted. That way, if a visitor ignores the rules, takes a picture and posts it online, the hospital can at least demonstrate that it was exercising reasonable measures to protect patient privacy. “To me, the posting prohibiting picture taking would represent another example/level of ‘due diligence’ on the part of the hospital,” Parmigiani says.

Kate Borten, CISSP, CISM, concurs. Borten is president of The Marblehead Group, a firm that provides information security and privacy consulting for the healthcare industry. Borten explains that HIPAA expects healthcare providers to take “reasonable” measures to protect patient privacy, but also “accepts situations such as waiting rooms where patients can be seen by the public or a family member accompanying a patient to a bed in the ER. As long as the hospital wasn’t doing something out of the norm, then it shouldn’t have any liability when a member of the public snaps a picture.”

Borten casts some additional light on hospitals’ responsibilities. HIPAA makes an “absolute distinction” between the hospital’s workforce (a term defined in the regulations) and everybody else. “Organizations are responsible for the actions of their workforce, but not for the rest of the world,” Borten says.

Visit and revise your policies and procedures regularly.

As social media evolves, as technology advances, as you gain more experience and as your comfort level grows, you will need to revise and update your policies and procedures. Plan to review them about every three months.

Follow these steps and you should steer clear of HIPAA violations. Remember to contact your legal department to make sure that your policies and procedures are in compliance.


66 replies
  3. Laurie
    Laurie says:

    I actually have a question. I received a thank-you note from a family of a patient I took care of. Is it legal to post the note on social media if it does NOT include any names of family that sent it or the name of their loved one I took care of? Would this be against HIPAA violations?

  25. Maurice Kamdem Kamwa
    Maurice Kamdem Kamwa says:

    What a great blog? I did enjoy every bit of it while learning at the same time because it was not informative but educative as well. Thank you!

    My only concern with HIPAA and Social Media has to do with this comment “When a patient posts his or her own protected health information on your hospital Facebook page or in your blog comments, it is not a violation of HIPAA. That’s because he is free to release his own information.” which I completely agree with, but where do you draw the line to authenticate the source of the information to prove that it was actually posted by the patient considering the high rate of internet impersonators, hackers, and self-defamers?

    Personally, I am thinking with regard to the HIPAA complaint and Social Media, they should include a clause saying that if you post your protected health information online for any other reason other than treatment or seeking assistance, it should be considered a violation tantamount to a fine or punishment.

  26. Dogma
    Dogma says:

    Can/should an un-trained Behavioral Health staff member set up a secondary personal social media site, without established “formal” policies and “patient rights” warnings…what cautions do you suggest?

  27. Dan Hinmon, Principal
    Dan Hinmon, Principal says:

    Thanks for asking, Carlos. Please contact an attorney for a definitive answer on this, but if no protected health information is disclosed, there would be no HIPAA violation. In addition, the closed forum provides additional protection.

  28. Carlos
    Carlos says:

    Does a closed forum of doctors discussing clinical cases with no patient names, pictures or videos (only clinical info) constitute a HIPAA violation?

  29. Shawn Nakamoto
    Shawn Nakamoto says:

    I have a question about how you determined the 900 hospitals across the nation who have a social media presence? For Hawaii, only Queen’s Medical Center was listed. Our health care system, Hawaii Pacific Health has a Twitter feed, two Facebook pages, as well as a LinkedIn page. I also know that Kaiser Permanente Hawaii has a social media presence.

  30. Dan Hinmon, Principal
    Dan Hinmon, Principal says:

    Thanks, Nick. I’m glad you enjoyed it. Please let me know if you have any other ideas on this important subject of HIPAA. We need more hospitals to get past this hurdle!

