You’d be hard-pressed to find healthcare marketers that don’t understand the value of social media for healthcare, according to Jill Florence, Director of Enterprise Sales at Sprout Social.
As Florence explains, “Social is a non-negotiable part of driving brand awareness and building connections with patients, physicians and community members. But it can be a challenge for the marketing teams on the digital front lines to overcome the concerns of security and privacy teams—especially at the intersection of HIPAA and social media.”
Many organizations report HIPAA compliance measures inhibit their strategy, as some of the most engaging healthcare content they create features innovative studies, patient testimonials and medical breakthroughs, which require lengthy approval processes and careful execution. In this guide, we’re breaking down what you need to know to remain HIPAA compliant on social media, and sharing examples of healthcare brands who shine on social—despite regulatory limitations.
Please note: The information provided in this article does not, and is not intended to, constitute formal legal advice. Please review our full disclaimer before reading any further.
HIPAA’s impact on your social media content
HIPAA privacy laws protect sensitive patient information from being disclosed publicly, including on social media. The HIPAA Privacy Rule expressly protects patient health information as it relates to how the data is shared, including in marketing and advertising efforts.
Sensitive protected health information (PHI) includes data about a patient’s past, present or future medical conditions, provision of healthcare to the individual and past, present or future healthcare payments. Given social media platforms gather user information, track behavior and have license to use your visual assets, it’s easy to see why these regulations exist.
In the age of sharing patient before and after photos, testimonials and other sensitive information, healthcare providers should exercise extreme caution when crafting social media content. HIPAA regulations also mandate healthcare companies carefully manage customer interactions on social media—which includes preventing patients from sharing PHI, and deleting it if they do. Failing to comply with HIPAA regulations is costly—both financially and to your brand’s reputation.
However, as Katherine Van Allen, Senior Solutions Engineer at Sprout, points out, the benefits of social outweigh the risks. “Social media should be part of healthcare organizations’ strategy. The people you need to reach are on social—whether it’s prospective patients or employees. Without a social presence, you aren’t a part of vital conversations happening about your system. From discourse about a team member or location, clerical mistakes and legal actions, or rapidly spreading misinformation about a disease or treatment plan. Tuning into social media listening will help you pinpoint key areas of opportunity.”
How to create brand guidelines to support HIPAA and social media
Though you should always consult your legal counsel and compliance team regarding HIPAA compliance on social media, here are general best practices to follow as you create your brand guidelines.
Craft policies and train your team
Start by consulting with your legal and compliance teams, and make them a key partner in validating the legality of your strategy, campaigns and content. Work with them to develop a social media compliance protocol, which should include instructions for corresponding with people via social media.
Familiarize your team with this protocol by co-creating HIPAA compliance training programs that feature social media education. In your training, highlight proper usage of customer data on social media and common HIPAA violations.
Follow de-identification best practices
When crafting new social media content, remove all PHI from your posts. PHI includes health information used alongside the following identifiers:
- Names (first, middle and last)
- Geographical indicators smaller than a state
- All elements of a date (except year)
- Phone and fax numbers
- Email addresses
- Social security numbers
- Medical record, health plan beneficiary and account numbers
- Certificate or license numbers
- Vehicle identifiers
- Device attributes
- URLs and IP addresses associated with patients
- Biometric identifiers
- Photographs of full faces and other unique physical identifiers
- Any other numbers or codes that could identify an individual
For more context, while a patient’s name paired with their vital signs is considered PHI, their vital signs alone are not.
Monitor for HIPAA violations
Even if you take every precaution to limit the use of PHI in your content, patients can still put your compliance at risk by sharing personal information themselves. Prevent this by adding disclaimers to your direct message interactions and brand profiles. Ask patients to refrain from sharing any PHI and inform them where they should route inquiries.
If a patient should mention or DM you and compromise PHI, delete the message immediately, and route them to a more appropriate channel. Florence advises, “Even if you add a disclaimer to your profile or DMs, some patients will still seek out medical advice. To combat this, some organizations use chatbots and triaging tools to automatically alert them of potential PHI, and respond to or delete sensitive content.”
By using a tool like Sprout Social’s Saved Replies, you can use pre-written replies to quickly respond to customers and redirect the conversation to a secure channel. You can also use Sprout’s chatbot builder to automatically reroute social users to an email address or other secure channel for healthcare-related conversations.
With Sprout’s Smart Inbox, you can use tagging and filtering to flag messages that contain PHI, and build workflows that delete those messages.
Build a process for patient approvals
There might be some cases where patients (or their families) are interested in sharing their stories with your audience, like this adorable Halloween TikTok from Cleveland Clinic’s NICU.
Halloween with our babies in the NICU has been no tricks but all treats! This year’s costumes include a monkey, tiger, owl, Buzz Lightyear, Woody and a pirate. Their special hats are a handmade gift. Halloween has never been sweeter!??
? Halloween – Lux-Inspira
Have a streamlined and clearly documented process in place for gaining written consent and HIPAA authorization to disclose PHI from a patient before sharing those stories, photographs and/or videos.
Stay up to date on legislative changes
Make it a regular practice to stay up to date on legislative changes at the federal and state levels. Regularly review resources like the U.S. Department of Health and Human Services (HHS) website. You can also follow the HHS and National Law Review on social for real-time updates, including case rulings regarding HIPAA data breaches.
Looking for more resources? We put together a HIPAA compliance on social cheat sheet that can help you remain compliant, while executing an effective and creative social strategy.
Common HIPAA violations and social media’s role
While HIPAA compliance on social is complex, the monetary, reputational and, most importantly, patient well-being risks are too steep to get it wrong. Here are the most common HIPAA violations you should avoid.
Hiding patient details in plain sight
Even if you don’t explicitly include faces, names, dates or other obvious identifiers, some situational details can reveal a patient’s personal information. Both Florence and Van Allen advise close review of photography and videos before posting. Ensure there is no protected information in the background of your media.
Van Allen warns, “Something that seems as innocuous as a photo of a staff room can be a violation. Someone could zoom in on a patient’s chart sitting on the table, and be able to identify their name or other PHI.”
Validating health information
“A lot of patients message healthcare brands thinking their message will reach their doctors—which means they include sensitive PHI in their outreach,” Florence says. As we mentioned in the previous section, it’s critical to delete any PHI, even when the patient provides it unprompted.
But one critical nuance many organizations miss is that you should also refrain from validating PHI. For example, if a patient comments on your post and reveals they have an illness, you should not acknowledge that illness in your response. It could be a HIPAA violation. Here are a few example scenarios:
Example patient message: @Hospital, I have recently been diagnosed with diabetes, and I was wondering which of your doctors specializes in diabetes care?
Not HIPAA compliant: @Patient, we know navigating a new diabetes diagnosis can be challenging, and we’re here to help. Call Dr. Smith’s office directly to schedule a consultation.
HIPAA compliant: @Patient, we have deleted your comment to protect your privacy. Please call or reach out to our team via email for help.
Limiting training to corporate channels and paid personnel
By limiting training to corporate channels and paid personnel, healthcare organizations create knowledge gaps that can cause major fall-out. For example, an excited intern could post a selfie with a patient. Or a residency student could accidentally reveal PHI in a funny TikTok.
Healthcare organizations should remember that HIPAA applies to everyone under the control of a covered entity—including volunteers, students and unpaid personnel. It also encapsulates social profiles beyond the corporate account, including the personal accounts of staff members.
What HIPAA means for your social media vendors
HIPAA compliance and security should be top of mind when selecting software vendors and tools. During your platform evaluations, expect your security and privacy teams to be vigilant about the ways data is used when it’s integrated into larger tech stacks.
Find a management solution with permission levels and message approval functionality to ensure only responsible parties can post. Ensure that cybersecurity measures are in place to protect PHI on electronic devices such as encryption or firewalls.
Take it a step further and find a social media management solution that is willing to sign a business associate agreement (BAA)—a legally binding contract that specifies each party’s responsibilities when it comes to PHI and HIPAA compliance. As Florence details, “You should work with a partner like Sprout Social that can sign a BAA, and take on the risks and responsibilities with you.”
Healthcare brands to learn from
These four healthcare organizations demonstrate that having an active social media presence is still possible and important, even in regulated industries.
Mayo Clinic, the top-ranked hospital in the nation, uses social media to build their employer brand. Like when they reshared a post from a Transplant Chair who celebrated a successful month. Notice how the post doesn’t reveal any sensitive patient information, but instead focuses on the accomplishments and high caliber of the transplant team.
Mayo Clinic also shares profiles of their volunteers, physicians and other personnel to further humanize their company, like this heartwarming video about a Holocaust survivor-turned-volunteer.
The hospital system supplements these posts with general health and lifestyle tips to inspire their followers, and promote well-being, like in this carousel about the benefits of daily movement.
Cleveland Clinic, a leading academic medical center, stays on the pulse of trending healthcare conversations and uses their expertise to keep their community informed of new public health reports.
Like in this Reel where they investigate the benefits of the latest social media health craze, cold plunging or cold showering. The post breaks down how to reap the rewards of the trend, while staying safe and healthy.
The medical center also shares top-of-mind public health reports produced by their organization. They typically briefly summarize the key findings of the report, while including the link so people can read more, like they did in this post.
Boston Children’s Hospital
Boston Children’s Hospital is home to the largest hospital-based pediatric research program in the world. The organization uses their social channels to highlight groundbreaking research (and the researchers behind it) like they did in this post about a top clinical geneticist advancing children’s health outcomes.
They also feature the patients who benefit from their state-of-the-art treatments by interviewing their families, like in this feature on Facebook about the power of genetic testing for children with epilepsy.
Anthem Blue Cross Blue Shield
Anthem Blue Cross Blue Shield is a trusted health insurance plan provider. On social, they share meaningful statistics about the value they offer their members, including this post about the return on investment employers gain from investing in workplace addiction recovery and support.
They also share awards and accreditations that demonstrate their commitment to member care and excellence, like this post about their recognition by NCQA.
As a popular insurance plan provider, they receive a lot of inquiries about member policy details on social. Their care team illustrates how to route conversations from public forums to more appropriate, secure private channels, like in this reply where they ask a member to email their help center.
Navigate HIPAA and social media with confidence
HIPAA compliance on social media is a multi-step, ongoing process that involves closely aligning with your legal and security teams, and developing interdepartmental education. By following key best practices that protect patient data and your organization’s brand health, you will be equipped to navigate complex HIPAA protocols and develop your social presence with confidence.
Next steps: Now that you’ve read this article, put a meeting with your legal and security teams on the calendar to start planning your org-wide education efforts, and brush up on healthcare social media benchmarks to better understand social’s role in your community engagement toolkit.
The information provided in this article does not, and is not intended to, constitute formal legal advice; all information, content, points and materials are for general informational purposes. Information on this website may not constitute the most up-to-date legal or other information. Incorporation of any guidelines provided in this article does not guarantee that your legal risk is reduced. Readers of this article should contact their legal team or attorney to obtain advice with respect to any particular legal matter and should refrain from acting on the basis of information on this article without first seeking independent legal advice. Use of, and access to, this article or any of the links or resources contained within the site do not create an attorney-client relationship between the reader, user or browser and any contributors or contributing law firms. The views expressed by any contributors to this article are their own and do not reflect the views of Sprout Social. All liability with respect to actions taken or not taken based on the contents of this article are hereby expressly disclaimed.