Social media has certainly changed the way that we keep our businesses (and our lives) private and secure. In its best form, it’s a way to connect with others, learn new information and promote our businesses. In its worst, it becomes gossip on steroids. What was once a complaint to a friend during a happy hour session has now become a Facebook post that is seen by hundreds or even thousands of people (most of whom don’t know anything about the situation, let alone realize that you were just letting off some steam).

Let’s face it: not all of us are thinking through the consequences of a social media post before we hit ‘publish’. Sometimes we think we’re being clever with a post, only to find out that it hurt feelings instead of being funny. Other times, we’re simply hoping someone else will share our anger or pain when we put it out there to a broad audience, then realize we’ve overshared with a huge group of people who don’t understand. We can also think we’re doing something positive and helpful with a post, but see it backfire when the people we were trying to help feel violated or feel that we shared a confidence that was not ours to share.

All of these issues are magnified when it comes to the healthcare field. Unlike personal life (and many other types of industries), those in the healthcare field must abide by HIPAA rules and regulations when it comes to utilizing social media. There’s a reason for HIPAA, of course. As a patient, your PHI (Private Health Information) needs to be kept private. It’s your right as a citizen and as a patient, and at no time should you feel that your health confidences, history or diagnoses have been violated.

While HIPAA has been in existence since 1996, it wasn’t until recently that those in the industry even had to consider how it applied to social media. However, as more and more people turn to Facebook, Twitter and Instagram, it’s become obvious that we all need to be more conscious of what we’re posting.

Did you know?

There are 18 identifying factors regarding PHI that you must avoid posting about if you want to abide by HIPAA rules. These include obvious things like name, social security number and address, but they also include not-so-obvious things like vehicle identifiers, neighborhoods and physical descriptions. When posting about a patient (especially in a small town), something as innocuous as ‘My favorite toddler just completed round 2 of chemo today!’ can easily lead to that patient being identified by those who see the post—and that’s a huge violation.

Violations of these rules can result in fines, termination of employment, lawsuits and the discrediting of institutions, as was the case in this example:
In an incident with particularly harsh repercussions, a student nurse moved by her three-year-old chemotherapy patient’s bravery took a photo of the boy and posted it on her Facebook page. Even though she had privacy settings in place, another nurse not among that student nurse’s Facebook friends came across the post and photo. This nurse informed the hospital. This HIPAA violation got the student nurse expelled from the nursing program and the nursing program bounced off of that hospital’s list of accepted schools from which to draw student nurses. Even when motivated by the best intentions, HIPAA violations can result in severe consequences. (source:

Those in complementary industries, such as Chiropractic, Vision Care, Dentistry and Massage Therapy, also fall under covered HIPAA entities and must abide by HIPAA policies and guidelines.

Why Should We Care?

As a healthcare company, you are responsible for taking care of those who come to you for help. You should not look at HIPAA compliance as a ‘necessary evil’ or something you need to navigate so as not to get into trouble with the law. You should instead view it as a set of guidelines that help you in your quest to provide the absolute best care for your patients.

One seemingly small HIPAA violation can have disastrous consequences for your practice. As was mentioned above, an innocent and even positive post resulted in a termination and a discrediting of a school’s entire program. Similarly, a post that inadvertently refers to a patient’s PHI can not only result in fines or other punishment, it can also tarnish your reputation and make current and future patients doubt if they can trust you as a healthcare provider. When you put it like that, it becomes pretty clear that learning about and abiding by HIPAA guidelines is well worth the investment of time and resources.

Utilizing HIPAA’s training resources, you can better educate your staff on what is and is not acceptable when it comes to their social media presence. You can lay out guidelines for them that are concise, irrefutable and consistent. Although you can never 100% guard against a HIPAA violation, as we all make mistakes, you can at least do your very best to ensure that your entire team is as educated as possible.

Social media can be a fun way to connect with family and friends, a great way to find out what’s going on in the community or in the world and can also open up new doorways for businesses to engage with their customers and clients. As a healthcare entity, you can still benefit from the many perks of social media and you should absolutely be doing so. Once you’re educated on how to avoid HIPAA violations, you’ll see that social media can still benefit your business and that you don’t need to be afraid of ‘being social’!

Angela Woltman is CEO of eSpark Media, an Omaha-based company specializing in social media marketing, website design, SEO and professional content writing.  They are a HIPAA-certified business.  If you have more questions on how to make your business’s social media HIPAA compliant, please contact Angela at [email protected].