Privacy and HIPAA

Sidebar: Staying HIPAA Compliant on Social Media

January 9, 2017 12:55 pm

Sharing patient information is a sensitive matter, particularly where compliance with the Health Insurance Portability and Accountability Act (HIPAA) is concerned. Nonetheless, health information and success stories can be shared on social media in compliance with HIPAA regulations. Here are a few key points that hospitals and health systems should keep in mind, regardless of which platform they are using, before sharing content with millions by posting it online. 

Don’t Talk About Patients

Ensuring patients remain anonymous is a difficult task, and more often than not, attempts to do so are unsuccessful. For example, in 2010, five nurses at Tri-City Medical Center in Oceanside, Calif., were fired after they were caught talking about a patient on Facebook.[a] They didn’t mention patient names, share photos, or provide any identifying information; however, the conversation was enough to violate HIPAA. When an employee gives just enough context, it’s not hard for readers to determine who the patient is just by learning the time frame or geography coupled with the condition.

Do Talk About Conditions, Treatments, and Research

Although discussing a specific patient’s condition or treatment is inappropriate, general topics about conditions, treatment options, research, and other topics are acceptable. Avoid the specifics with, “I saw a patient last Tuesday with xyz condition…” and generalize the statement to read, “Children with xyz condition typically present with these symptoms….” Patients, family, and friends who are looking for information on certain diseases and treatments will find it helpful to learn more about local hospitals and health systems and their offerings and medical options.

Don’t Be Anonymous

Anonymity breeds bad behavior. It encourages users to say things they shouldn’t. Whoever is leading the hospital or health system’s social media handles should oversee all platforms being used, ensuring that there is an appropriate cadence for posting materials and that social media users are following best practices. The social media administrative leader should have a plan in place for responding to negative posts. He or she also should create a schedule for posting new information. In times when there are no current events or company achievements to promote, a calendar will help to keep content coming.

Follow the Elevator Rule

As a rule of thumb, if the topic isn’t one that can be discussed in an elevator with a group of people, then it shouldn’t be exposed online where it can be found by hundreds of thousands of people. Before publishing a post, the post should be examined to verify that it is acceptable for social media. Reading the post out loud can be a helpful part of this step. Particular care should be taken when replying to people in real-time venues like Twitter. It’s not necessary to respond right away, and if there’s any doubt at all, a friend or colleague should be asked for his or her reaction before it is posted.

Check the Tone

Social media isn’t the place to vent about work. If an employee who is charged with posting on social media is frustrated, the employee should take a moment to pause and reevaluate. There is too much on the line to potentially share personal thoughts and feelings to a large audience of past, present, and future customers. Unfortunately, humor also can be taken in the wrong way, as everyone’s sense of humor is subjective. In such instances, too, it is best to obtain a second opinion before moving forward with publishing a post.

Don’t Mix Personal and Professional Lives

It should be common knowledge that employees should keep personal life separate from professional life. The same should be understood for social media platforms. Friending patients on social media networks isn’t a good idea, and checking your privacy settings on a frequent basis is a good habit to get into, because they change from time to time. Anything put online could become public.

If users want to have a professional presence on social media, they should create a page apart from their personal accounts. However, hospital or health system employees who violate HIPAA when using their personal accounts still are held responsible, as are their employers. For example, at the Oakwood Hospital in Dearborn, Mich., a nurse used her personal Facebook account to let off some steam after an emotional shift, writing a strongly worded post about the victim of a shooting incident that was being covered in the news.[b] It didn’t take much for the hospital to put two and two together, and days later the nurse was fired.


a. Fink, J., “Five Nurses Fired for Facebook Postings,” Scrubs, June 14, 2010.

b. Katarsky, C., “Nurse Fired for HIPAA Violation After Discussing Cop-Killer Patient: Was It Fair?” Healthcare News & Insights, Aug. 24, 2010.


