HIPAA Rules and Social Media

Oct 1, 2022 | Consultants

by Mario Fucinari


HIPAA privacy rules were enacted in 1996; the Security Rule came later in 1998. When the regulations were enacted, social media networks such as Facebook were not yet launched. Social media has replaced traditional methods of news and social information. Marketing also uses social media, but beware of the rules for social media pertaining to HIPAA and protected patient information.

Like it or not, social media is a popular vehicle to allow individuals or organizations to interact with the public. We use social media to keep up with friends and family, get perspectives on the day’s topics, or even choose a health care provider. Whenever patient information is used, it poses a significant risk for violations of HIPAA rules and regulations.

The Privacy Rule in HIPAA governs any patient information that is seen, heard, or read. Particular exceptions include treatment, payment, or health care operations. The privacy rule also applies to social media information transmitted by providers, staff, or business associates.

A business associate is any person, except employees of the provider, who receives, transmits, or otherwise uses patient health information. The business associate must sign a business associate agreement (BAA) if they have access to patient health information. One such example may be a marketing company.

All providers and staff must be trained at least one hour per year on topics related to HIPAA. Organizations must be aware of privacy rules when using patient information or interacting with patients on social media. It is human nature to want to defend the reputation of the providers, staff, and facility. A survey by Zendesk revealed that 97% of polled individuals said bad customer service changes their buying behavior, and 87% said that good customer service would change their buying behavior. 1

A negative review is easy for a disgruntled person to write because the exchange is not face-to-face. When a provider and their office receive a favorable review, we tend to note it and move on, but a negative review eats away at us. Customers’ opinions are rarely fact-checked or debated. A negative comment may even be submitted by someone who has never been a patient at the clinic, or by a patient the provider believed had a favorable outcome. Every provider and staff member must realize that engaging this person in a debate on social media is not recommended. Patients may want to see a response to a review, but it should be brief, and the conversation should be moved to a secure platform as soon as possible. Debates often inadvertently involve details of the patient’s care that may be construed as an improper release of protected information. Even acknowledging that the patient was under treatment at your office may be interpreted as violating the Privacy Rule.

Information or testimonials about specific patients, images, videos, or other information may be construed as a HIPAA violation. Even if a patient gives permission to release information, the release cannot be undone if they later recant it. As a general rule, I recommend avoiding posting anything you would not say in an elevator or a coffee shop. If you are uncertain about a post or advertisement, check with a certified compliance officer before publishing.

Photographs that seem innocent, such as one of a workplace birthday party, may capture patient files with a name visible on a desk or in a file cabinet. Even if the name is not disclosed, gossiping about a patient in a way that allows their identity to be deduced may be considered a HIPAA compliance violation. Pictures of distinctive tattoos, birthmarks, and other identifying features should be avoided unless they are part of the patient’s chart. If you wish to publish the photographs, the patient must sign an express authorization that specifically describes the permitted purpose of the disclosure. To maintain control of the images, I recommend allowing photographs for clinical reasons to be taken only with facility-owned equipment.

Parents have the right to control the treatment of their minor children. In the case of a minor, “informed permission” must be granted by the parent, legal guardian, or representative, and the permission should be in writing. Exceptions that do not allow the release of information to a parent include cases where consent by the parent is not required, where the minor obtains care at the direction of a court or a person appointed by a court, and where the minor is considered emancipated. If a provider feels the content of the protected information may cause harm to the minor if released to the parent, they may restrict the release. A provider may also restrict the release if they reasonably believe that the child has been or may be subjected to domestic violence, abuse, or neglect, or that treating the parent as the child’s representative could endanger the child. 2

In addition, you should form policies and procedures to control photography by patients, family, and visitors. Cell phones are the most popular cameras available to the public. Instead of muting the cell phone, I recommend posting notices in the reception room and treatment rooms to turn cell phones off.

You or your compliance officer should train staff on your organization’s policy on social media posting, photography, and responses to posts or patient reviews. Photographs of patients must be controlled and may require a “modeling” authorization. In addition, doctors should be trained not to respond directly and impulsively to reviews. Written policies and procedures on these issues should be part of the organization’s training, with the training documented and an acknowledgment of the policies and procedures signed by the providers and staff. The policy must be specific about the consequences should a violation occur. All providers and staff should be trained at hire and at least annually after that. An effective HIPAA compliance program is consistent, equal, and ongoing.

Effective marketing strategies often include social media. Failing to learn the pitfalls of marketing and conversing on social media could lead to fines and embarrassment. Negative reviews are better handled personally and not on public forums.

  1. “The business impact of customer service on customer lifetime values.” Zendesk Blog, last updated October 6, 2020, www.zendesk.com.
  2. “Does the HIPAA Privacy Rule allow parents the right to see their children’s medical records?” U.S. Department of Health & Human Services, https://www.hhs.gov/hipaa/for-professionals/faq/227/can-i-access-medical-record-if-i-have-power-of-attorney/index.html.

About the author

Dr. Mario Fucinari is a Certified Professional Compliance Officer, Certified Physician Practice Manager, Certified Insurance Consultant, and a Medicare Carrier Advisory Committee member. He serves as Director of Risk Management and Compliance for Curis Functional Health. Dr. Fucinari is on the Speaker’s Bureau for ChiroHealthUSA, NCMIC, and Foot Levelers. Contact Dr. Fucinari for classes such as Front desk procedures, Medicare, documentation, coding, or rehabilitation training. For further information or questions, you may email him at Doc@Askmario.com or check his website at www.Askmario.com.