Healthcare Information Security


Maintaining HIPAA Compliance in Social Media Interaction

HIPAA compliance must be a top priority, even when using social media to communicate.

By Savanna Myer of Evariant

Social media is everywhere – it’s used as a way to reach friends, family, consumers and even patients. In the healthcare industry, users of social media must be aware that there is a fine line between personal and professional information sharing.

HIPAA compliance essential in social media interactions

Known for its strict HIPAA compliance standards, the healthcare industry has used traditional marketing campaigns to provide patients with information through offline channels such as billboards, pamphlets, mail, etc. With technology having such an impactful reach, traditional ways of sharing information with patients are no longer the norm – social media is on the rise, and with that, HIPAA compliance must remain a priority when sharing sensitive healthcare information.

Through social media, consumers and patients alike are connected 24/7, allowing consumers to obtain the information they seek and need. With social media having such a wide audience, using it to deliver information in the healthcare industry is more important than ever before. In fact, a DC Interactive Group report found that 26 percent of all hospitals in the U.S. participate in social media, and another study revealed 92 percent of all marketers surveyed indicated their social media efforts have generated more exposure for their business.

It’s clear that healthcare marketers have a huge opportunity to increase awareness of their hospital’s or health system’s offerings by engaging with consumers through this platform. But when implementing social media efforts, they need to ensure the information being shared is secure and compliant with HIPAA regulations.

Learning what is acceptable to share via social, what is not

When looking to share patient success stories or positive patient experiences, sharing images on a hospital or health system’s social channels is a great way to spread awareness while having a third party validate these achievements.

In February of 2009, with permission from the patient, Henry Ford Hospital engaged with a live Twitter audience to provide real-time updates on a procedure. Doctors, students and the general public followed the live tweets to see the successes of the surgery in real-time. By having people from all over the nation tune into the live surgery, Henry Ford Hospital was able to educate a large audience through one single platform.

Alternatively, in times of crisis, social media offers the ability to connect with others who are near and far, alerting them of the disaster at hand. Hospitals and health systems are at the heart of the crisis – they can provide updates on those in the affected areas while updating those watching from afar.

While these examples of social media sharing provide a look into how to share, the important question is: when is it considered a HIPAA violation? Typical misuses of social media that violate HIPAA regulations include:

  • Sharing unauthorized “gossip” about a patient, even if the name is disclosed.
  • Posting pictures without consent.
  • Putting up content that contains patient information in clear view.

How to balance HIPAA compliance with social media activity

There are many benefits to sharing information and success stories socially. While HIPAA compliance is a major priority, there are plenty of ways to stay social and secure. Below are some tips to maintain HIPAA compliance:

1. Stay away from patient gossip

Don’t try to anonymize a patient’s identity. If a patient comes into the hospital – a local hospital – it’s easy enough for social media followers to figure out who the patient is if their name, age, gender and cause of visit are being promoted.

2. Discuss diseases, treatments and research

A specific patient shouldn’t be talked about. However, posting about general diseases, treatments and research is perfectly acceptable for social sharing – patients, friends and family want to know.

3. Identify who the social administrator will be; don’t leave that role up to anyone

Ensuring there is a go-to person dedicated to social media allows hospitals and health systems to have a protocol in place, which will help to avoid any unnecessary mishaps.

4. If you wouldn’t say it in an elevator, don’t put it online

Simple rule to follow – keeping this in mind helps to decipher what is appropriate, and what is not.

5. Recognize the tone in drafting social media posts

If the person posting on social media is having a bad day, make sure that isn’t transparent in the post – the designated social media marketer is a representative of a much larger initiative than themselves.

6. Keep personal and professional lives separate

The rule of “keeping your personal life separate from your professional life” holds true for social media too – everything is public and employees should remember that when utilizing social media.

Through social media, healthcare marketers can not only increase awareness of individual hospitals and health systems, but also provide patients with information for accurate decision making. Social media allows hospitals and health systems to create a positive patient experience outside the walls of their facility.

Savanna Myer is IT officer and compliance manager at Evariant. Savanna leads information security at Evariant. She has almost 10 years of experience in information security, focusing on HIPAA and compliance within hospital systems. Savanna has worked for multiple hospital systems, including the Ohio State University. She holds a BA and an MS in Psychology, as well as an MS in Information Security and certifications in Data Loss Prevention and Risk Management.

