While social media has become common practice, HIPAA and social media are not necessarily associated in the eyes of many professionals. In most industries, regulating social media use isn’t a severe issue, but healthcare professionals must take extra precautions to prevent potential social media HIPAA violations.

Whether you have employees who post about their workday on Facebook or your practice uses social media for marketing purposes, professionals should be aware of potential HIPAA implications.

HIPAA Policies and Procedures

The Department of Health and Human Services (HHS) provides extensive guidance on HIPAA and social media use. A quick way to determine whether your social media use is HIPAA-compliant is to go through the HHS Social Media Policies Checklist and see if you follow HHS standards.

Social Media Policies

The use of social media must follow current standards to prevent HIPAA violations. Improperly trained employees can expose your organization. A clear set of social media policies can help avoid common social media mistakes.

Endorsing on Social Media Can Be Problematic

Liking, following, or friending an entity may give off the wrong signal, which is why you must evaluate what any of these actions might convey to your audience. Any activity involving other entities should be carefully assessed because even tacit endorsement can be misinterpreted.

The previously mentioned HHS checklist suggests organizations must determine which entities are appropriate to follow/like. HHS guidance states that in many cases, a follow/like may convey the following:

  1. Following an entity may imply endorsing the entity as a whole. 
  2. Simply liking a post may imply only endorsing the posted content. 

However, how your audience interprets any of your actions on social media is purely subjective and varies from one person to another. 

Comment Moderation

According to HHS guidance, the submission of user-generated content or comments is recommended but should be moderated to remove: 

  • Partisan political views 
  • Commercial endorsements 
  • Racist, offensive, unlawful or discriminatory content or language


Some applications and sites have specific guidelines for using trademarked images. It is best to ask for permission from sites or other sources.

Using Protected Health Information

Protected Health Information (PHI) is any information that can be used to identify an individual patient. This includes names, addresses, birth dates, and Social Security numbers, among other information that can be traced back to an individual patient. Social media posts should never contain any PHI. HIPAA regulations forbid the use of PHI in marketing or social media campaigns as well.

What Can Be Allowed on Social Media as a Health Care Professional or Group?

HIPAA places many restrictions on social media use. So what is appropriate to post? Here are a few options:

  • Health tips
  • Events of interest to your patients
  • Health awareness days
  • New findings and research related to your target audience
  • Achievements or awards your organization was granted
  • Advertisements that don’t contain any PHI
  • Posts about your staff, such as profiles or bios