5 Ways Your PT Clinic Is Violating HIPAA on Social Media

In our digital world, social media is kind of like our lifeblood. It connects us to all of society—from talking to our loved ones to finding (and ordering) the goods and services we use daily. And regardless of how you might personally feel about social media, one thing is abundantly clear: Businesses (including rehab therapy clinics) must take to social media to promote their service offerings and grow their clinics in the years to come. 

If only healthcare marketing was as simple as that. However, because of the US’s stringent patient privacy and protection laws (i.e., HIPAA), healthcare organizations that deal in protected health information must tread carefully on social media and review sites. Even the slightest misstep can result in a HIPAA violation—and result in some pretty serious legal consequences. On that note, let’s talk about a handful of different ways your clinic may violate HIPAA when using social sites. 

(Disclaimer: This is not a comprehensive list of HIPAA violations that occur on social media—and you should always seek legal counsel when evaluating your clinic’s HIPAA protocol.)

1. You don’t collect media release forms. 

Does your clinic showcase testimonials on your website? Do you share patient stories on your Facebook? Do you post pictures or videos of your patients on Instagram? If the answer is “yes” to any of these, then there is one last—and critical—question to ask yourself: Did you collect a written media release form from the patients you feature online?

If you share any patient information online and do not collect signed release forms giving you permission to do so, you could land in some serious legal trouble. Patient privacy laws necessitate that patients give you explicit written permission to share their stories or images in your marketing materials. If you don’t have a media release form prepped and ready to go, take a gander at our template below.

{{inline-form}}

2. You post pics from inside the clinic—and don’t vet them. 

Taking pictures from inside the clinic isn’t necessarily an automatic HIPAA no-no—but it can cause unexpected trouble in a couple of different ways. For instance, if patients appear in the background of a photo—even the distant background—and they haven’t signed a media release form, you’ve technically violated HIPAA. And no, blurring them out isn’t enough; they’re still technically identifiable and therefore cannot be in the photo at all. If you don’t vet your social media pictures, it’s also possible to accidentally include PHI, whether it be on an unlocked computer screen or errant post-it note. 

Luckily, this violation has an easy fix: Simply treat all your pictures like you’re playing “Where’s Waldo” and look for visible patients and patient information. 

3. You respond publicly to patients who ask personal treatment questions on your Facebook page. 

I totally get it: Answering every comment left on your Facebook page—even the nasty ones—is a great marketing and brand-building tactic. However, if a patient (or a patient’s caretaker, friend, or family member) posts personal treatment questions on your Facebook, you cannot respond publicly. Instead, treat it like a HIPAA breach. Remove the sensitive data ASAP and make sure the appropriate person in your clinic contacts the patient directly. Then, report the incident to your compliance officer with the post’s date, a description of it, and when you discovered it. 

4. You verbally ask patients for permission to share their PT success stories on your website and social accounts—or you share the stories under patient pseudonyms. 

Alright, this patient privacy gaff is kind of a trick question (and a rehash of the first point I listed). If you’re verbally asking patients for permission to share any of their information online, that simply won’t cut it. As I said before, HIPAA guidelines are ultra strict and the law requires you to get written permission (e.g., a signed consent form) before you blast that info to the digital skies. 

In the same vein, don’t assume that a moniker or a pseudonym is enough to protect a patient’s privacy. Combined with any demographic information whatsoever, the patient could potentially be identifiable—once again putting you on the hook for HIPAA. At the risk of sounding repetitive, always get a signed media release form before broaching this type of marketing—even if you’re uncertain. It’s always best to be safe rather than sorry when it involves your patients and practice.

5. You follow your patients’ social media accounts. 

Have you ever just totally clicked with a patient? You know, one of those patients who’s an easy conversationalist and whose appointment always feels like the fastest one on your schedule? While you may be tempted to connect with them on your personal social account (or even via the clinic’s public accounts), try to resist that temptation. Because social media is so public, it’s better not to risk any accidental HIPAA violations through friendly conversation. After all, the patient’s social circle could connect the dots and deduce that the patient is receiving medical care at your clinic. (And this is the very thing that HIPAA aims to prevent.) It might sound harsh, but it really is in your best interest to steer clear of mixing your personal and professional lives on social media—especially when it comes to adding patients to your digital friend group. 

Though navigating HIPAA can feel daunting at times, remember that it exists to keep patients and their health information safe from harm. And even though HIPAA laws can sometimes feel like an overprotective parent, they really have everyone’s best interests at heart.