A Complete Guide to HIPAA Social Media Rules

  Over 72% of the American population uses some form of social media on a daily basis. The popular online platforms have swept the business world as a reliable way to reach, educate, communicate with, and draw in new clientele. However, if your business falls into the health and medical care category, you must follow HIPAA social media rules for all online actions. These rules outline what you can and cannot share, say, or post on both the business pages and the personal pages of the establishment and all staff. Unfortunately, many private facilities shy away from any form of social media engagement for fear of violating HIPAA rules. This leaves these businesses missing out on valuable audiences that are not only listening, but looking for them online. Do you run or work for a business in the health care sector and are you ready to take your visibility online? Follow along to discover how to be HIPAA compliant on social media and what this looks like for your pages.

HIPAA and Social Media

The Health Insurance Portability and Accountability Act (HIPAA), established in 1996, works to protect the privacy and health information of patients to ensure complete confidentiality. This act came into effect long before the introduction of social media but clearly affects what health institutions can and cannot share online. When in breach of the HIPAA social media guidelines, violators face heavy penalties, which could include a fine or even loss of license. For this reason, HIPAA compliance on social media is crucial for the institution and patients alike. HIPAA requires that any and all PHI be kept off social media platforms unless express permission has been granted by the patient.

What Is PHI?

In order to follow the HIPAA social media rules and maintain compliance, individuals must first understand what's classified as PHI. PHI stands for personal health information. This includes all information about a patient, their care, and any details that could expose their identity. This includes but is not limited to:

  • Names, including nicknames and social media handles
  • Address or location hints
  • Dates such as birthdate, appointment dates, treatment duration dates
  • Phone or fax number
  • Email address
  • Web URLs or social media links
  • Social security number and any other account numbers
  • Medical record or health plan number
  • Photographs and scans
  • Vehicle description or number plates
  • Fingerprints, retinal scans, or voice recordings
  • Anything that could give hints regarding the patient's identity

The only time in which any of this information can be shared on social media pages is when a patient has given express written permission. However, the patient must have a clear understanding of exactly how the information will be used and the purpose of sharing their details. A signed agreement including clear indications of how the information will be used must then remain on file. This is essential to confirm the patient's willingness to participate. Verbal agreements are not sufficient permission. Lack of physical proof of permission may result in HIPAA violations.

What's Not Allowed

So what does this look like for your online sharing? The PHI information outlined above must not be divulged in any way, shape, or form on a digital platform for all health and medical field professions. This includes posts, comments, replies, or online messaging.


Your business account and any associated personal accounts may not share photographs of patients, details of their treatment, or any other PHI indicators. This includes success stories or information about how you treated or handled a situation. You cannot repost details from reviews or client pages. Even if you do not mention the patient's name or demographics, giving a detailed description of their condition, the treatment, and even the results could expose the identity of the individual and breach their privacy rights. Even if the patient has shared their story on their own page, you must gain express permission before sharing any details. You also cannot repost their account, as this would give a direct reference to the individual. This applies to posts on social media, blogs, forums, and any other online platforms.


A simple mistake that could breach HIPAA compliance on social media is the acknowledgment or disclosure of information in comments. These comments could be either on your own post or on another user's social media account. Even if the information is available elsewhere, the business is not permitted to disclose details. This includes stating that you treated that particular case, when it happened, or who was involved. This applies to news posts, patient posts, posts by other medical professionals, and any other online resources.


Businesses are encouraged to respond to comments on both social media platforms and sites such as Google My Business. Responding to comments and reviews is a great way to build relationships and boost engagement for your establishment. Unfortunately, a HIPAA violation can occur when replies reveal too much information. This can include calling the reviewer by name, making reference to their treatment, or even defending the actions of the clinic by explaining the details of a situation. Since it is human nature to defend or acknowledge details, responding to feedback can be a difficult area in the health care profession. If you are ever unsure about what you can and cannot communicate in a reply, it's always best to offer less. If a comment asks questions or states information that you cannot safely reply to, you can always say so. Leave a comment stating that privacy laws do not permit you to disclose information and where they can contact you if they have any concerns.

Online Messaging

Online messaging platforms have made group messaging and communication easier than ever. However, if you choose to use these online messaging platforms for work purposes, there are guidelines you will need to follow. Just as with replies, you are not permitted to share any PHI in direct messages or private chats. As per HIPAA, this applies to any online and offline conversations with individuals who are not privy to the information. Furthermore, any online conversations with other staff members or practitioners may not disclose PHI or revealing details. Because these conversations are now part of the digital cloud of social media, they run the risk of being exposed. When discussing specifics of a patient, a treatment, or an in-office situation, all conversations should be private and offline.

What Is Allowed

While these social media rules may feel limiting, there are still several post formats and engagements you can partake in. Social media HIPAA compliance should not be a confusing or scary experience. Just like any other business, health care accounts are still encouraged to engage with individuals online. Do this by offering helpful information and insights in your posts, comments, and replies.

Posting With Compliance

Without disclosing information, there are several kinds of posts that you are permitted to share online. Any patient-generic information or advice that could benefit your patients may be posted on both social media and blogs. This could include tips and advice about health conditions or even research articles about a relevant concern. The key to these information pieces is not referencing actual cases. As long as you do not mention your own experiences with treating clients or the cases you have observed, you will not be in breach of any social media rules. You may also share information about events you will be taking part in. This could include upcoming specials, promotions, or celebrations. You can even brag about accomplishments such as receiving a business award or specialist certificates. Many practices find it beneficial to introduce their staff and practitioners online with a brief bio and photograph. This encourages familiarity for clients who wish to seek treatment from your facility and serves as business promotion for lead generation.

Responding to Reviews

Reviews have become as valuable as a personal recommendation for potential clients. How you respond to your reviews could make or break your growth. Of course, as discussed above, even information revealed in a review does not permit you to share PHI. When responding to both positive and negative reviews, the safest options for HIPAA compliance include:

  • Thanking the reviewer for their feedback
  • Asking the reviewer to contact your office for questions, clarification, or to resolve problems
  • Offering a solution to problems via in-person consultation or free appointment

These responses assure your audience that you do care about the client's concerns. They will understand that you value feedback and take measures to provide the best possible service and experience.

Engaging in Conversation

When you are online with a business account, you are representing the views of your establishment with every interaction. This means the posts you like, the comments you leave, and the shares you make all reflect on your business. It is important to consider all online actions and understand what messages they will send to consumers. This is applicable in any industry but especially true in the health sector. You may reply directly to comments on your posts, without mentioning names or disclosing information. You can also comment on posts by other professionals and even share their posts on your own page with appropriate credit. If your posts follow HIPAA social media guidelines, conversing about promotions or upcoming events should be safe. Just remember, if you wish to share photos of events and celebrations, that all individuals who appear in the content must sign a release form.

Who Must Comply?

The HIPAA social media rules do not only apply to the official business accounts of a health practice but to all relevant staff members as well. Anyone who has access to PHI must comply with the guidelines and may not share confidential information online. For personal accounts, exclude any mention of work-related content beyond events, promotions, and public knowledge. If staff members choose to engage in social media and are affiliated with the health facility, their actions may also reflect on the views of the business. For this reason, many businesses enforce social media guidelines among their staff. This may include policies around friendships with patients, public conversations, and sharing controversial opinions. Your practice may impose consequences in the event of a staff member breaching HIPAA social media guidelines on their personal accounts. It is recommended and encouraged that you monitor these actions frequently to reduce risk.

Maintaining HIPAA Social Media Rules

In a recent survey, it was revealed that 40% of health care workers were not aware of any rules or regulations regarding social media activity. It is important to recognize that training and proper information regarding HIPAA guidelines are the responsibility of the health care facility. Staff members who have not been educated on the guidelines should not be expected to seek the information themselves. The only time a business may expect this is when it's outlined in the conditions of employment. To ensure your staff members are always acting in HIPAA compliance on social media, always provide regular training. This will ensure all staff members are aware of the rules and can be held responsible for breaches of them.

HIPAA Compliance on Social Media

Now that you understand the purpose of HIPAA social media rules and guidelines, you can ensure your social media activity is never in breach. From providing staff training to understanding what you may and may not share, you can rest assured that your business will never face fines or license suspensions due to your online presence. Still have questions about what you are and are not allowed to share? Get in touch with us today to discover how we can bring clarity to your HIPAA compliance concerns and ensure your business will never be at risk.