Keeping Your Social Media Marketing HIPAA-Compliant

Social media can be a great tool for practices to reach out to patients, but staying in compliance with HIPAA is a major concern. A slip-up could make your practice look bad, but more importantly, it could put you in trouble with the law.

It can be tempting for practices to avoid social media altogether, but it really is one of the best avenues for connecting directly with patients. It is possible for your practice to be active on social media without violating HIPAA. Following these guidelines can help your practice stay on the safe side.

1. Get up to date on all the latest HIPAA laws.

Laws can change, so it’s best to check for updates every so often to make sure your social media marketing efforts are still in line with the current laws. The U.S. Department of Health and Human Services will have the most up-to-date information. If necessary, consult with a lawyer who has expertise in HIPAA laws–he or she will be able to guide you in what is acceptable and what is not.

You should also make sure your entire staff has training and up-to-date knowledge on all of the latest HIPAA guidelines. Even if only a few employees are allowed to post to your practice’s social media accounts, they need to be careful about what they post on their own personal accounts, as well. (More on personal accounts and posts in #4 and #5.)

2. Once you’re up to date on the law, write up a social media policy for your practice.

A policy lets your employees know what is acceptable to post, and what is not acceptable. Within this plan, you should also establish roles and responsibilities for anyone who will be posting.

You may also want to establish guidelines for smartphone use. High-resolution cameras can pick up details that could give away patient information. An employee could take a selfie and unwittingly pick up a patient’s private information in the background. Or, as with the high-profile case surrounding Joan Rivers’ death, someone could intentionally take a photo of a patient without the patient’s knowledge. That is a clear violation of the law, even if the photo isn’t shared on social media.

It is important that the policy be easily accessible to all employees, and that new employees are educated on the policy upon being hired. Fines for HIPAA violations can cost thousands of dollars, and in some cases, even result in jail time. Employees need to know that violations are unacceptable.

3. Remove all identifiers in posts.

With all of the information available online, even a seemingly-insignificant detail could identify a patient. In this case, it’s better to err on the side of caution–the slightest bit of laxity could get you in trouble. Even small details like date, time of day, and location can be enough to give away a patient’s identity. When disclosing a patient’s private health information, you need to remove the following identifiers:

• Names
• Geographic information (location)
• Dates (including a patient’s birth date, admission date, discharge date, date of death, etc.)
• Telephone numbers
• Fax numbers
• E-mail addresses
• Social Security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• URLs
• IP address numbers
• Biometric identifiers (e.g. finger and voice prints)
• Full-face photographic images and any comparable images
• Other unique identifying numbers, characteristics, or codes (This is the most difficult to comply with, because there is already so much information available on the internet that could identify a patient.)

If you really want to share information about an interesting case with your followers, speak in general terms. Talk about the condition and/or treatment method as an overview, rather than speaking on a particular case (i.e. “patients with [condition] often experience [symptoms],” rather than, “I saw a patient today with [condition] and [symptoms]”). Use the “elevator rule”–if you wouldn’t discuss this information in the elevator, you shouldn’t talk about it on social media either.

4. Keep your personal profiles separate from your professional profiles.

Even if you are an individual practitioner, you should have a separate personal profile if you want to discuss anything outside of healthcare. Patients are coming to your professional page primarily to learn more about your practice and get health tips, not to learn about your personal opinions outside of healthcare. If you want to share that kind of information, set up a personal profile to create appropriate professional boundaries.

Use the highest security measures possible for your personal profile (like 2-factor authentication), and don’t “friend” patients. The same goes for any of your employees. If you or an employee accepts a friend request from a patient, and the relationship crosses professional boundaries, that could lead to conversations that violate HIPAA guidelines. It’s best to avoid this slippery slope and keep your personal and professional relationships separated as much as you can.

That isn’t to say that you can’t share anything personal or candid on your professional social media pages–just use discretion when doing so. Don’t share anything that would open the door to a possible violation.

5. Don’t complain about your job on social media.

Everyone has bad days on the job–doctors are no exception. In our social media-savvy world, people are apt to vent about those frustrations on social media. The difference with doctors, though, is that venting in a public arena could inadvertently give up private details about a patient.

Most healthcare professionals know better than to post those sorts of things on a professional profile, but may not think twice about posting it on a personal profile. However, that can still get you in trouble. Even if you think you’re being anonymous, there is always a chance that someone will connect the dots. Take the 2007 case of “Dr. Flea,” who anonymously–or so he thought–blogged about his malpractice trial. He was found out, and ended up settling when the blog was brought up in the trial.

It’s good to vent and let your frustrations out, but do it in a private (i.e., offline) venue.

6. Don’t post any information about a patient without express written consent.

Even if a patient says it is okay to share information on social media, you should protect yourself and get it in writing. If you are interested in sharing information about patient success stories and progress, or want to post “around the office” photos that include patients, draw up a consent form and have it ready to go. When drawing up the form, consult with a legal advisor to make sure you are covering your bases. It might sound a bit overboard, but again, it’s always better to err on the side of caution.

7. Even if patients consent, make sure they are aware of the risks.

The best way to do this is to add an accessible disclaimer on your social media pages that spells out the risks of sharing private information on social media. The policy should state that by posting, patients agree to the policy and understand the risks of sharing information.

It is especially important to have this type of policy in place if you invite patients to share information. Even something seemingly as harmless as encouraging patients to post weight loss progress on your page could put you at risk if you don’t have the right policies in place.

However, it should be noted that if a patient or someone else shares private health information without being prompted, your practice does not assume responsibility. Patients are allowed to release their own information if they choose, but if you feel the conversation is approaching HIPAA violations, direct the conversation offline. If someone else is posting a patient’s information on your page, though, it’s best to delete it immediately and block that person if necessary.

8. Be careful about the tracking & measurement methods you use.

If you are boosting your posts or advertising on social media, be mindful of the tracking methods you are using to measure the success of your posts. In particular, tracking methods like the Facebook pixel have been called out for violating HIPAA. In December 2022, the U.S. Department of Health & Human Services (HHS) issued a bulletin stating that the Facebook pixel and other similar tracking methods are not HIPAA compliant. There have also been several recent lawsuits surrounding the use of the Facebook pixel.

If you are currently using a Facebook tracking pixel, remove it from your website and switch to a campaign type that does not require the use of a pixel. Though it means you get less information within the Facebook interface, you can still tie website activity back to Facebook through your analytics, especially if you are using campaign links.

In a nutshell, keep your posts very general unless you have express consent from a patient to share private information. If you have any doubts, don’t post until you know for sure that your post is safe. When it comes to private health information, there is no harm in being overly-cautious.