HIPAA Compliant Social Media

Social media is important for doctors, therapists, clinics — all health professionals, really. Strong social media involvement helps you control your online presence and improve your patients’ experience. It can be an important part of patient education and an antidote to misinformation from other sources. But HIPAA compliant social media is an absolute must.

How can you make sure that you don’t cross the lines?

Privacy is key.

Never post about a patient or client in a way that can be recognizable. Never.

This doesn’t just mean you shouldn’t use your patients’ names. HIPAA lists 18 kinds of identifying information, including all of these:

  • Names, of course
  • Email addresses
  • Geographic location more specific than a state
  • All personal numbers, including Social Security numbers, account numbers, phone numbers, license plate numbers, and IP addresses
  • Photos of faces or other easily recognizable photos

If your readers could possibly guess who you’re talking about, don’t say it on social media. This includes retweets and sharing of posts, as well. If your patient says, “I’m so happy with the results of my Botox injections!” you may be tempted to retweet, but you must resist that temptation.

That doesn’t mean that you can’t blog about case studies. Just make sure that you aggregate information — let your example patient be a combination of many patients you’ve worked with or a fictionalized example based on your years of experience.

Be careful with images.

“Emmy agreed to have her smiling picture taken to show other kids they don’t need to be scared of their vaccinations!” seems like an inspiring and harmless Facebook post, but it’s not HIPAA compliant social media. It goes specifically against the rule that you can’t post pictures of your patients’ faces, even though Emmy agreed.

Even if you’re not posting a picture of your patient’s face, you have to be careful about the pictures you choose. A shot of your psychiatric clinic’s holiday office party is not HIPAA compliant if it happens to show a name on a patient file when it’s blown up to 3300 pixels.


When you need a picture to explain a medical condition, use stock photos — pictures bought from a service like Adobe or iStockphotos. The picture here, showing eczema, is a good illustration of the condition, and you can safely use it for that purpose.

Separate professional and personal.

There’s plenty of controversy about the boundaries between personal and professional in other fields. Attend a seminar on “personal branding” and you’ll hear how valuable your personal social media can be to you professionally. For medical professionals, though, it makes sense to separate the personal from the professional. You probably don’t want to give the impression that every tweet represents your medical practice or facility. You also don’t want to take any chances that information in private remarks about patients or cases could be put together with your company’s posts to add up to identifying information.


Think twice about posting on your patients’ or clients’ private accounts. You might think that your comment on a friend’s Facebook page is private, but it may actually be seen by lots of people.

You can see in the chart that some posts get far more reach than you would guess just by looking at the number of comments, or the number of friends or followers someone has.

The elevator test

That fact — that you just don’t know who is going to see your social media post — is the basis of the famous “elevator test.” Basically, if you wouldn’t say it in an elevator, you shouldn’t post it on social media.

Imagine saying, “That four-car pileup on 49 last night gave us some really interesting cases to mess around with,” in an elevator. You know you’d sound heartless to laypeople. You’d probably glance around if it slipped out and find some shocked looks. You’d wonder whether any of the people in the elevator were friends or relatives of the injured patients.

Now imagine posting that with a picture of the emergency room on Instagram with #instafun. You might lose your job.

This may be an extreme example, but it’s a useful mental test.


Following the suggestions above will ensure that your social media is HIPAA compliant. It will also remove any need to be nervous about social media. Too often, medical professionals miss out on the benefits of social media. You can end up feeling that the rules are too complex to work with, and that it’s safer to avoid social media.

That’s not the case. If you’d like to discuss your specific situation, please contact us. Our experience and training with this issue can help you sort out the best strategy for your social media.








