What Is HIPAA?

HIPAA is the Health Insurance Portability Accountability Act signed into law by President Bill Clinton in 1996. This law has received considerable attention lately due to the growth of health data breaches caused by cyber attacks and ransomware attacks on health insurers and providers. One of HIPAA’s primary purposes is to protect a patient’s health information from being put on social media channels and to never disclose protected health information.

HIPAA Privacy Rule 

The HIPAA privacy rule bans the use of protected health information on all social media networks. This includes any information about patients that could result in them being identified. Protected health information (PHI) can only be used publicly or in social media posts if the patient has given explicit consent in writing.

What Healthcare Related Posts Can Be Put On Social Media? 

Social media can be used for posting health tips, details of events, new medical research, staff bios and general marketing as long as no PHI is included in the posts.  

Common Violations

Posting images and videos of patients without consent, posting gossip about patients, posting information of which a patient could be identified by, sharing images or videos taken inside of a healthcare facility in which patients or PHI is visible.

HIPAA Social Media Best Practices 

  • Communicate the possible penalties for social media HIPAA violations with staff: termination, loss of license, and criminal penalties
  • Ensure all uses of social media sites and profiles are approved by your compliance department
  • Review and update company policies on social media annually
  • Develop policies and procedures on the use of social media for marketing, including standardizing how marketing takes place on social media accounts
  • Create a policy that requires all social media posts to be approved by your legal or compliance department prior to posting
  • Monitor your organization’s social media accounts and communications and implement controls that can flag potential HIPAA violations