At this point, who doesn’t use some form of social media?  I’m not very technologically savvy, but even I have social media accounts—they’re great for staying in touch with my family on the west coast. Of course, when it comes to how I use my personal account, I still must use discretion regarding what I post.

For example, I have a Labrador retriever. We brought her to the beach with us for vacation, and she loves to play fetch. She also likes to invite others to play with her; she’ll trot up to people walking the beach, drop the ball at their feet, and sit patiently—just waiting for them to pick it up. If they pick up the ball and throw it, they’re hooked. On our last day, our pup dropped her ball at the feet of a young girl who was walking on the beach with her dad and their dog. The girl started playing fetch with my dog, and they must’ve played for about 10 minutes. I thought that would make a great picture, and then my discretionary conscience kicked in: That’s not my child, and if I were in her father’s position, I wouldn’t want a stranger taking a picture of my child—especially in the age of the Internet. Needless to say, I left the beach without a picture, but I do have a nice memory.

This example is a personal one, which leads me to my first tip: Keep personal and business social media accounts separate. Now let’s consider your practice.

Do you socialize safely?

Social media can be an important and powerful business marketing tool (in the right hands). As I understand it, having social media can improve your practice’s visibility in online searches. Thus, as a business owner, you want to use social media; but you must consider how you’re going to use it and who in your company will actually do it.  There are many social media outlets, but let’s use Facebook as an example:

  • Who establishes your company’s account?
  • Who within your company is allowed to post for your page?
  • Who decides what content to post?
  • Who is going to respond to comments?
  • What is the protocol for responding to comments—both positive and negative?
  • How much time will you devote to maintaining the page?

Some practices use social media to tell patient success stories or to post pictures of their practice. This is a great way to promote what you do, but it’s important to understand how HIPAA might impact what you post on social media. As with my story about the child and my dog, you’ll probably need to exercise discretion—and possibly obtain permission.

HIPAA, as I like to say, is built on trust, and trust is an important ingredient in any relationship, including our business relationships. When a person seeks services from a healthcare provider, a large amount of personal information is exchanged. And the only way this system works is if we safeguard that information. Our patients trust we will do this, but fulfilling that obligation seems to be getting increasingly difficult with so many more security risks to contend with (as evidenced by the recent hacking of the Apple cloud system).

What’s your risk tolerance?

I’m hearing that question more and more—especially with the recent, vigorous enforcement of regulation. If, like me, you have a low risk tolerance, here are some simple tips to reduce your HIPAA hazards:

  • Perform and document a risk assessment. Document the answers to some of the questions posed above, especially if you plan to use patient information or photos.
  • Do not post information or photos of patients without their express written permission. It’s a requirement, but to patients, it could be seen as a common courtesy: “Gee, Marge, you’ve done really well here in therapy; would you mind giving us a written testimonial that we can post online?” If Marge says “yes,” have her sign a consent form. Follow the same procedure when sharing people’s photos. If they agree to having their photos taken, obtain signed consent forms.
  • Develop policies and procedures for your social media marketing program. I know it seems like irksome extra work, but remember that information posted online is forever—and that it’s potentially accessible to very technologically savvy people.
  • Train your staff on your social media program and the policies governing it.
  • Monitor the program to ensure appropriate, correct, and rule-abiding use.
  • Apply the “minimum necessary” rule. It would be great if all of your online postings contained no HIPAA identifiers, but if you can’t avoid that, then strive to make your point using the minimum necessary information.

As healthcare providers, we’re so comfortable working with patients that sometimes we just don’t think before we speak. I recently saw a social media post made by a professional that pertained to a patient the professional was treating, and the information was pretty specific. I sent a quick message to notify the person that the information qualified as PHI. What can I say? Some people are social media conversation starters; I’m a social media conversation ender.


Using these simple tips can go a long way in helping you demonstrate that you took reasonable steps to safeguard your patients’ private information, thus allowing you to maintain the trust your patients have placed in you.

The PT’s Guide to Billing - Regular BannerThe PT’s Guide to Billing - Small Banner
  • HIPAA Rules for Marketing and Sales Image

    articleMay 20, 2014 | 5 min. read

    HIPAA Rules for Marketing and Sales

    Today’s blog post comes from compliance expert Tom Ambury of PT Compliance Group and WebPT writer Erica Cohen. Before you get too far into your plans to beef up your clinic’s sales and marketing efforts, remember that you’re a healthcare provider first, which means you’ve got some HIPAA hoops to jump through (ahem, rules to follow) that the small business owner down the street probably doesn’t have to worry about. Before we get into that, though, let’s …

  • The Healthcare Provider's Guide to HIPAA-Compliant Marketing Image

    articleSep 14, 2017 | 6 min. read

    The Healthcare Provider's Guide to HIPAA-Compliant Marketing

    In 1966, US Congress passed the Health Information Portability and Accountability ACT (HIPAA). And as we explained here , this “dense piece of legislation...has serious implications for virtually all medical professionals, including physical therapists, occupational therapists, and speech-language pathologists.” Specifically, all HIPAA-covered entities—and that includes providers, payers, and business associates—“must follow certain rules governing the way patient protected health information (PHI) is collected, shared, and used.” And consequences for HIPAA breaches can be severe. While you may …

  • 10 Tips for Social Media Compliance Image

    articleDec 29, 2015 | 3 min. read

    10 Tips for Social Media Compliance

    Your patients are using social media to inform decisions about their own health care, so as a smart healthcare provider, you should be using social media, too. But because of non-compliance concerns, you also must be judicious with its use. Social media is anything but private —and it's practically permanent. Once you put something on the Internet, chances are really, really good it will exist there forever. You may think you deleted that tweet or picture, but …

  • 6 Biggest Takeaways from PPS 2015 Image

    articleNov 16, 2015 | 10 min. read

    6 Biggest Takeaways from PPS 2015

    Last week, I joined hundreds of amazing physical therapy professionals, students, and vendors (including yours truly, WebPT) at this year's PPS Annual Conference in Orlando, Florida. Despite the uncomfortable combination of tropical heat and humidity outside—and near-freezing conference rooms inside—everyone was in high spirits. Though I never made it to Disney World, I still felt like I was in the most magical place on Earth, thanks to the inspiring and informative presentations I saw and the thought-provoking …

  • articleAug 2, 2012 | 4 min. read

    HIPAA Compliance in the PT Clinic

    Today's post comes from WebPT copywriters Charlotte Bohnett and Erica Cohen. The Health Insurance Portability and Accountability Act  ( HIPAA ) is as dense as it is important. But for any healthcare provider handling private personal health information , which you promised to protect as part of the Health Information Privacy Rule, there are a few things you must know. First, a little background information on HIPAA: US Congress established the Health Insurance Portability and Accountability Act …

  • 5 Things Small Practices Need to Know about HIPAA Image

    articleSep 20, 2017 | 9 min. read

    5 Things Small Practices Need to Know about HIPAA

    The Health Insurance Portability and Accountability Act of 1996 —a.k.a. HIPAA—does not distinguish between large and small practices. Fortunately, regulators do. While the law imposes the same requirements upon solo practitioners and large rehab hospitals, the manner in which those requirements are applied may depend upon your practice size. Contrary to what many providers believe, the onus of HIPAA’s requirements won’t hamper your clinical practice. In fact, I’ve found that they actually do the opposite: HIPAA provides …

  • Legal Compliance: One More Reason to Collect Patient Deductibles and Copays Image

    articleJul 24, 2017 | 6 min. read

    Legal Compliance: One More Reason to Collect Patient Deductibles and Copays

    Collecting coinsurance, copays, and deductibles upfront is an important piece of the effort to accurately value the services we provide. And yet, we still hear about practices that routinely waive their patients’ deductibles and copays. Today, I’ll discuss another reason not to routinely waive deductibles and copays. In the past, I’ve written about collecting deductibles and copays when a patient presents with a federally funded insurance like Medicare . In cases involving the Department of Justice, the …

  • articleJul 11, 2013 | 5 min. read

    HIPAA Final Omnibus Ruling: How Does it Apply to You?

    Curious as to how the  new rules  included in the HIPAA Final Omnibus Ruling apply to you and your clinic? Here, we provide a breakdown of what's in store for your practice starting September 23, 2013. The American Medical Association (AMA) published some great information to help physicians navigate this new ruling, which also applies to rehab therapists. According to the AMA, providers should focus most heavily on these three areas: 1. Privacy, Security, and Breach Notification …

  • articleAug 16, 2012 | 5 min. read

    HIPAA Devices: 2 Myths Debunked, 1 Proved True

    Today's blog post comes from WebPT copywriters Charlotte Bohnett and Erica Cohen. So, you probably remember a few weeks ago we wrote a pretty comprehensive overview on how you can ensure HIPAA compliance in your clinic . We covered everything from HIPAA basics to continuing education and training. In case you didn’t have a chance to read it , here’s a refresher: US Congress established the Health Insurance Portability and Accountability Act in 1996. They implemented Title …

Achieve greatness in practice with the ultimate EMR for PTs, OTs, and SLPs.