At this point, who doesn’t use some form of social media? I’m not very technologically savvy, but even I have social media accounts—they’re great for staying in touch with my family on the west coast. Of course, when it comes to how I use my personal account, I still must use discretion regarding what I post.

For example, I have a Labrador retriever. We brought her to the beach with us for vacation, and she loves to play fetch. She also likes to invite others to play with her; she’ll trot up to people walking the beach, drop the ball at their feet, and sit patiently—just waiting for them to pick it up. If they pick up the ball and throw it, they’re hooked. On our last day, our pup dropped her ball at the feet of a young girl who was walking on the beach with her dad and their dog. The girl started playing fetch with my dog, and they must’ve played for about 10 minutes. I thought that would make a great picture, and then my discretionary conscience kicked in: That’s not my child, and if I were in her father’s position, I wouldn’t want a stranger taking a picture of my child—especially in the age of the Internet. Needless to say, I left the beach without a picture, but I do have a nice memory.

This example is a personal one, which leads me to my first tip: Keep personal and business social media accounts separate. Now let’s consider your practice.

Do you socialize safely?

Social media can be an important and powerful business marketing tool (in the right hands). As I understand it, having social media can improve your practice’s visibility in online searches. Thus, as a business owner, you want to use social media; but you must consider how you’re going to use it and who in your company will actually do it. There are many social media outlets, but let’s use Facebook as an example:

  • Who establishes your company’s account?
  • Who within your company is allowed to post for your page?
  • Who decides what content to post?
  • Who is going to respond to comments?
  • What is the protocol for responding to comments—both positive and negative?
  • How much time will you devote to maintaining the page?

Some practices use social media to tell patient success stories or to post pictures of their practice. This is a great way to promote what you do, but it’s important to understand how HIPAA might impact what you post on social media. As with my story about the child and my dog, you’ll probably need to exercise discretion—and possibly obtain permission.

HIPAA, as I like to say, is built on trust, and trust is an important ingredient in any relationship, including our business relationships. When a person seeks services from a healthcare provider, a large amount of personal information is exchanged. And the only way this system works is if we safeguard that information. Our patients trust we will do this, but fulfilling that obligation seems to be getting increasingly difficult with so many more security risks to contend with (as evidenced by the recent hacking of the Apple cloud system).

What’s your risk tolerance?

I’m hearing that question more and more—especially with the recent, vigorous enforcement of regulation. If, like me, you have a low risk tolerance, here are some simple tips to reduce your HIPAA hazards:

  • Perform and document a risk assessment. Document the answers to some of the questions posed above, especially if you plan to use patient information or photos.
  • Do not post information or photos of patients without their express written permission. It’s a requirement, but to patients, it could be seen as a common courtesy: “Gee, Marge, you’ve done really well here in therapy; would you mind giving us a written testimonial that we can post online?” If Marge says “yes,” have her sign a consent form. Follow the same procedure when sharing people’s photos. If they agree to having their photos taken, obtain signed consent forms.
  • Develop policies and procedures for your social media marketing program. I know it seems like irksome extra work, but remember that information posted online is forever—and that it’s potentially accessible to very technologically savvy people.
  • Train your staff on your social media program and the policies governing it.
  • Monitor the program to ensure appropriate, correct, and rule-abiding use.
  • Apply the “minimum necessary” rule. It would be great if all of your online postings contained no HIPAA identifiers, but if you can’t avoid that, then strive to make your point using the minimum necessary information.

As healthcare providers, we’re so comfortable working with patients that sometimes we just don’t think before we speak. I recently saw a social media post made by a professional that pertained to a patient the professional was treating, and the information was pretty specific. I sent a quick message to notify the person that the information qualified as PHI. What can I say? Some people are social media conversation starters; I’m a social media conversation ender.


Using these simple tips can go a long way in helping you demonstrate that you took reasonable steps to safeguard your patients’ private information, thus allowing you to maintain the trust your patients have placed in you.
