At this point, who doesn’t use some form of social media? I’m not very technologically savvy, but even I have social media accounts—they’re great for staying in touch with my family on the West Coast. Of course, when it comes to how I use my personal account, I still must use discretion regarding what I post.

For example, I have a Labrador retriever. We brought her to the beach with us for vacation, and she loves to play fetch. She also likes to invite others to play with her; she’ll trot up to people walking the beach, drop the ball at their feet, and sit patiently—just waiting for them to pick it up. If they pick up the ball and throw it, they’re hooked. On our last day, our pup dropped her ball at the feet of a young girl who was walking on the beach with her dad and their dog. The girl started playing fetch with my dog, and they must’ve played for about 10 minutes. I thought that would make a great picture, and then my discretionary conscience kicked in: That’s not my child, and if I were in her father’s position, I wouldn’t want a stranger taking a picture of my child—especially in the age of the Internet. Needless to say, I left the beach without a picture, but I do have a nice memory.

This example is a personal one, which leads me to my first tip: Keep personal and business social media accounts separate. Now let’s consider your practice.

Do you socialize safely?

Social media can be an important and powerful business marketing tool (in the right hands). As I understand it, having social media can improve your practice’s visibility in online searches. Thus, as a business owner, you want to use social media; but you must consider how you’re going to use it and who in your company will actually do it. There are many social media outlets, but let’s use Facebook as an example:

  • Who establishes your company’s account?
  • Who within your company is allowed to post for your page?
  • Who decides what content to post?
  • Who is going to respond to comments?
  • What is the protocol for responding to comments—both positive and negative?
  • How much time will you devote to maintaining the page?

Some practices use social media to tell patient success stories or to post pictures of their practice. This is a great way to promote what you do, but it’s important to understand how HIPAA might impact what you post on social media. As with my story about the child and my dog, you’ll probably need to exercise discretion—and possibly obtain permission.

HIPAA, as I like to say, is built on trust, and trust is an important ingredient in any relationship, including our business relationships. When a person seeks services from a healthcare provider, a large amount of personal information is exchanged. And the only way this system works is if we safeguard that information. Our patients trust we will do this, but fulfilling that obligation seems to be getting increasingly difficult with so many more security risks to contend with (as evidenced by the recent hacking of the Apple cloud system).

What’s your risk tolerance?

I’m hearing that question more and more—especially with the recent, vigorous enforcement of regulation. If, like me, you have a low risk tolerance, here are some simple tips to reduce your HIPAA hazards:

  • Perform and document a risk assessment. Document the answers to some of the questions posed above, especially if you plan to use patient information or photos.
  • Do not post information or photos of patients without their express written permission. It’s a requirement, but to patients, it could be seen as a common courtesy: “Gee, Marge, you’ve done really well here in therapy; would you mind giving us a written testimonial that we can post online?” If Marge says “yes,” have her sign a consent form. Follow the same procedure when sharing people’s photos. If they agree to having their photos taken, obtain signed consent forms.
  • Develop policies and procedures for your social media marketing program. I know it seems like irksome extra work, but remember that information posted online is forever—and that it’s potentially accessible to very technologically savvy people.
  • Train your staff on your social media program and the policies governing it.
  • Monitor the program to ensure appropriate, correct, and rule-abiding use.
  • Apply the “minimum necessary” rule. It would be great if all of your online postings contained no HIPAA identifiers, but if you can’t avoid that, then strive to make your point using the minimum necessary information.

As healthcare providers, we’re so comfortable working with patients that sometimes we just don’t think before we speak. I recently saw a social media post made by a professional that pertained to a patient the professional was treating, and the information was pretty specific. I sent a quick message to notify the person that the information qualified as PHI. What can I say? Some people are social media conversation starters; I’m a social media conversation ender.


Using these simple tips can go a long way in helping you demonstrate that you took reasonable steps to safeguard your patients’ private information, thus allowing you to maintain the trust your patients have placed in you.