At this point, who doesn’t use some form of social media? I’m not very technologically savvy, but even I have social media accounts—they’re great for staying in touch with my family on the west coast. Of course, when it comes to how I use my personal account, I still must use discretion regarding what I post.

For example, I have a Labrador retriever. We brought her to the beach with us for vacation, and she loves to play fetch. She also likes to invite others to play with her; she’ll trot up to people walking the beach, drop the ball at their feet, and sit patiently—just waiting for them to pick it up. If they pick up the ball and throw it, they’re hooked. On our last day, our pup dropped her ball at the feet of a young girl who was walking on the beach with her dad and their dog. The girl started playing fetch with my dog, and they must’ve played for about 10 minutes. I thought that would make a great picture, and then my discretionary conscience kicked in: That’s not my child, and if I were in her father’s position, I wouldn’t want a stranger taking a picture of my child—especially in the age of the Internet. Needless to say, I left the beach without a picture, but I do have a nice memory.

This example is a personal one, which leads me to my first tip: Keep personal and business social media accounts separate. Now let’s consider your practice.

Do you socialize safely?

Social media can be an important and powerful business marketing tool (in the right hands). As I understand it, having social media can improve your practice’s visibility in online searches. Thus, as a business owner, you want to use social media, but you must consider how you’re going to use it and who in your company will actually do it. There are many social media outlets, but let’s use Facebook as an example:

  • Who establishes your company’s account?
  • Who within your company is allowed to post for your page?
  • Who decides what content to post?
  • Who is going to respond to comments?
  • What is the protocol for responding to comments—both positive and negative?
  • How much time will you devote to maintaining the page?

Some practices use social media to tell patient success stories or to post pictures of their practice. This is a great way to promote what you do, but it’s important to understand how HIPAA might impact what you post on social media. As with my story about the child and my dog, you’ll probably need to exercise discretion—and possibly obtain permission.

HIPAA, as I like to say, is built on trust, and trust is an important ingredient in any relationship, including our business relationships. When a person seeks services from a healthcare provider, a large amount of personal information is exchanged. And the only way this system works is if we safeguard that information. Our patients trust we will do this, but fulfilling that obligation seems to be getting increasingly difficult with so many more security risks to contend with (as evidenced by the recent hacking of the Apple cloud system).

What’s your risk tolerance?

I’m hearing that question more and more—especially with the recent, vigorous enforcement of regulation. If, like me, you have a low risk tolerance, here are some simple tips to reduce your HIPAA hazards:

  • Perform and document a risk assessment. Document the answers to some of the questions posed above, especially if you plan to use patient information or photos.
  • Do not post information or photos of patients without their express written permission. It’s a requirement, but to patients, it could be seen as a common courtesy: “Gee, Marge, you’ve done really well here in therapy; would you mind giving us a written testimonial that we can post online?” If Marge says “yes,” have her sign a consent form. Follow the same procedure when sharing people’s photos. If they agree to having their photos taken, obtain signed consent forms.
  • Develop policies and procedures for your social media marketing program. I know it seems like irksome extra work, but remember that information posted online is forever—and that it’s potentially accessible to very technologically savvy people.
  • Train your staff on your social media program and the policies governing it.
  • Monitor the program to ensure appropriate, correct, and rule-abiding use.
  • Apply the “minimum necessary” rule. It would be great if all of your online postings contained no HIPAA identifiers, but if you can’t avoid that, then strive to make your point using the minimum necessary information.

As healthcare providers, we’re so comfortable working with patients that sometimes we just don’t think before we speak. I recently saw a social media post made by a professional that pertained to a patient the professional was treating, and the information was pretty specific. I sent a quick message to notify the person that the information qualified as PHI. What can I say? Some people are social media conversation starters; I’m a social media conversation ender.


Using these simple tips can go a long way in helping you demonstrate that you took reasonable steps to safeguard your patients’ private information, thus allowing you to maintain the trust your patients have placed in you.
