
HIPAA and Social Media: Best Practices


May 15, 2022 | Reading Time: 2 Minutes


Social media has become an essential part of promoting a business, but a healthcare provider or company must consider how HIPAA and social media intersect. Whether you are responding to an online patient review or increasing patient engagement through social media posts, a misstep in managing social media can be detrimental to your practice. How can your practice use social media without violating HIPAA requirements? HIPAA compliant social media use comes down to a few things: know what information you are allowed to share and with whom, and make sure your employees know it too.

HIPAA and Social Media: What Can Be Shared and With Whom?

Your practice may want to share patient testimonials on its website or social media pages. HIPAA allows this only when the patient has first given written authorization (the Privacy Rule's term for a patient's signed permission to disclose PHI for purposes such as marketing). Without that authorization, sharing PHI in a public forum is a HIPAA violation, and this includes the patient's name or photo alongside the testimonial, not just clinical details.

Although PHI stays off social media unless a patient has authorized its disclosure, social media can still be a valuable tool for promoting your practice. Some ways you can use it include:

  • Providing health tips that patients might find useful
  • Promoting upcoming events patients might like to attend
  • Sharing honors or awards your practice has been granted
  • Posting profiles or bios of your staff
  • Advertisements for your services, as long as they do not contain PHI (including names, photos, or any other information that could identify a patient)
  • Discounts or special offers on services you provide

Is Facebook HIPAA Compliant?

Because Facebook is arguably the most popular social media platform, one of the first questions asked about HIPAA and social media concerns Facebook. Is Facebook HIPAA compliant? That depends on how it is used. If your practice uses Facebook to promote your services to a general audience, HIPAA isn't a factor. However, once PHI is introduced to the platform, the use of Facebook violates HIPAA. Why would a practice end up putting PHI into Facebook?

Facebook is often used for advertising to "lookalike" audiences: audiences whose demographics resemble those of your current client base. Lookalike audiences are built by uploading your clients' contact and demographic information to Facebook. A list of your patients is PHI even if it contains only names, e-mail addresses, or phone numbers, because it identifies those individuals as patients of your practice. HIPAA does not permit this practice because Facebook will not sign a business associate agreement (BAA); without a BAA, handing PHI to Facebook is an impermissible disclosure and leaves the data open to unauthorized use.

Additionally, your practice should not send friend requests to patients, since a visible connection between your practice and a person reveals that they are a patient and undermines their confidentiality. The Facebook Messenger and calling features are also not HIPAA compliant, so they must not be used to exchange PHI with patients. The answer to the question "is Facebook HIPAA compliant" is no under most circumstances. The ways to use Facebook while maintaining compliance are limited to content that contains no PHI, such as ads targeting a generic audience and the general promotional uses listed above, plus patient testimonials for which the patient has given explicit written permission first.

HIPAA and Social Media Training for Employees

HIPAA compliant social media use ultimately comes down to employee training. When employees are unaware of HIPAA's restrictions on social media, they can expose your practice to HIPAA violations and costly fines. Small practices have been fined for social media violations such as disclosing patient details while responding to online reviews and posting patient images without authorization. Avoiding these types of incidents is straightforward: train employees on best practices.

Suppose your practice uses Facebook to attract new patients, respond to online reviews, or post patient testimonials. In that case, the employees managing your social media accounts must understand HIPAA compliant social media practices. Even employees who aren't charged with managing your social media should understand what is and is not allowed, now that smartphones and personal social media use have become the norm at work.

This Article is Contributed by the HIPAA Compliancy Group

Need assistance with HIPAA compliance? The Compliancy Group can help!

