Social Media for Healthcare: Your HIPAA Compliance Checklist

Managing social media in the healthcare industry can feel like swimming with sharks in treacherous waters. Why? Compliance with HIPAA, the Health Insurance Portability and Accountability Act, is complicated and intense, especially when it comes to social media, since interpretation can often land you in muddy waters. No wonder only 26% of hospitals and 36% of physician practices in the U.S. are active on social media.

But the knee-jerk reaction to skip out on social media completely comes at a cost for healthcare organizations. For example, 80% of patients that are active on social media are using it to research doctors and hospitals while reading up on medical news and information, making social media a prime opportunity to get your organization and providers in front of potential patients.

While many providers still feel the risk is too great, it’s important to note that forgoing a branded company social media profile isn’t a complete mitigation of risk. Not even close. In fact, the biggest social media risk when it comes to HIPAA is your patients and employees. According to a recent study by Nuclear Research, 77% of employees who have a Facebook account also use it while at work, some up to two hours per day. A 2012 survey revealed that 90% of physicians use at least one social media site for personal use and over 65% use at least one site for professional purposes. And don’t forget about those patients who are also using social media. Most HIPAA violations that occur within the confines of social media happen unintentionally, meaning social media users were unaware that their post, comment or tag violated the privacy of a patient.

For example, a nurse posting about a rough night on her floor with a patient post-heart attack violated HIPAA by compromising the privacy of the patient. Another party could see the nurse’s post, know where she works and may be able to identify who that patient was. Same goes for the doctor working with that patient, or the patient sharing that room, who is later discharged and shares a similar image. Confused yet?

The point is, HIPAA compliance on social media is complicated – but the risks are present whether your organization is “on” social media or not. So, if you have to mitigate risk and enact social media policies anyway, you might as well realize the benefits of social media, too.

Knowing that the rights of the patient always come first, follow this checklist to get your healthcare organization on its way toward a successful social media program that is HIPAA compliant.

  • Make friends with Legal and Compliance Departments. It may feel like a drag to have them look through and approve everything you want to do in regard to social media (and this checklist), but it will greatly reduce risk. Involving legal and compliance from the beginning will ensure everyone is on the same page when it comes to social media and that any review or approval process is streamlined.
  • Develop a social media strategy. Your social media strategy should include things like which social media platforms to use and the posting frequency, all while establishing goals and objectives for your social media program. Part of your social media strategy should include a crisis communications plan; your public relations or legal team can provide support here.
  • Identify a social media team. This will be the dedicated individuals responsible for posting, responding, and monitoring social media for your healthcare organization. The size of the team will depend on your organization, but consistency is key. Identification of these individuals should be based on their familiarity with HIPAA, your organization (think tenure), and social media. Those who aren’t comfortable using social media should not be part of this dedicated team – that is something they could learn at another time.
  • Train ALL employees on Social Media Use and HIPAA. Employees and providers often unintentionally violate HIPAA on their own social media accounts, for example, talking about a rough day at work or a sweet story that melted their hearts. Having an employee-use policy will help clearly reinforce compliance and reduce confusion. Remember: ANY post that gives ANY possibility of patient identification can be considered a violation, whether intentional or not. This training should also include reminding patients of this policy every time they update their HIPAA paperwork.
  • Create a content strategy and calendar. Having a content strategy and calendar created in advance will help ensure that you are HIPAA compliant by giving you time to have all of your posts reviewed and approved by the legal team. Content to consider includes events, new research findings, awards and recognitions that your team has received, bios and profiles of providers, and interesting health tips and information.
  • Listen and keep track. Be on the lookout for any social media posts that may compromise your HIPAA compliance. The sooner you find it, the faster the issue can be resolved. Avoid deleting posts unless your friends in legal say it’s OK. Whatever documentation processes your organization has, adopt them for social media to keep records. This could be as simple as taking a screenshot, pasting links, and including a quick summary in an email to the proper representatives.
  • Report on activity. In your social media strategy, set goals and objectives for the social media program. Reporting on a regular basis will give you time to reflect on what you have done and how it has helped you reach your goals.


Written By

The ETHOS Team