Social media is as important for healthcare marketing as it is for any other industry. Healthcare organizations need to connect with their audience, and to do that, they have to be where their audience is. Marketing teams and individual healthcare providers are using social media to share important updates and news, and to add a personal touch with photos and stories, and that’s good. It’s also risky because of a little thing called HIPAA.

Anyone working in healthcare has heard that word a lot, connected to the general idea of keeping patient information private. But there are some specific details you might not know about that could trip you up as you share photos and stories online. Here, we highlight a few pitfalls to look out for.


Before we get started, here are a couple of acronyms you might use all the time without knowing what they stand for:

HIPAA: The Health Insurance Portability and Accountability Act. It’s a lengthy and complex law, but the upshot for you is that you can’t reveal any past, present or potential health information that can be connected to the patient. One twist is that, since the act was passed in 1996, it doesn’t include any specific regulations for social media. That means you need to be especially careful, because enforcement of the law is largely open to interpretation.

PHI: Protected health information. This is… protected information related to a patient’s health. If it includes any identifiers, mentioning it online could result in a privacy breach. HIPAA helpfully provides a list of 18 identifiers that are off limits, and while some seem pretty obvious, others might surprise you. It’s good to give it a glance.

One important thing to remember is that your healthcare organization almost certainly has a HIPAA compliance officer on site or on contract. If there is any possibility that something you post might reveal PHI, check with your compliance officer first.

Potential PHI Pitfalls

Story time

No one doesn’t like a happy ending, and healthcare offers some of the happiest — high-risk pregnancies that result in adorable triplets, lengthy illnesses that end in miraculous recoveries or even just funny goings-on in the clinic that gave everyone a chuckle. Such stories are great Facebook fodder — and a minefield of PHI. The more details you include, the more compelling your post is, and the more likely you are to provide information that could connect that touching story to the patient who may or may not want it told.

Remember that list of identifiers? You might feel confident that you’ve protected patient privacy because you didn’t include a name or a photo. But that list also includes any location smaller than a state or any date other than a year. And on top of that, information from your own profile could combine with seemingly innocuous patient information to reveal their identity — your location, the facility where you work, the date of your post. If any weirdly dedicated Internet sleuth could use the information to identify the patient, you’re on the hook for failing to protect patient privacy. So as compelling and Facebook-ready as that story might be, you might have to just sigh and keep the story in your heart. If you have any questions, feel free to ask your compliance officer.


Think you’ve avoided any possible HIPAA violation by not including your patient in the photo? Take another look, paying careful attention to the background. Does that selfie also capture the status board in the patient’s room or the nurses’ station? When you took a picture of your lunch for the ‘gram, is it sitting on top of a patient file with the name visible? (Do you even need to post your lunch on social media? I mean, really?) Does that happy photo of a successful care team also include a patient in the distance you hadn’t noticed when you were getting everyone together? Those are all potential violations.

Even if you’ve gotten a written release from the patient to use their image on social media, never post anything without doing a thorough scan of the background to look for any unintentional photobombs. Any questions can be directed to… you know.

Friending patients

Don’t do it. You might want to. You might have had a great experience treating an individual. Their treatment might have been lengthy, and you had time to get to know each other, and now you feel like friends.

You might be friends, but you’re a care provider and a patient first. Online and in the real world, there are issues of ethics and professionalism. In terms of HIPAA, the more you interact with this patient on social media, the more likely it is that PHI is going to slip out during the course of conversation.

You probably don’t even need to bother asking Compliance about this one. Just don’t do it.

Stay safe

Facebook, Twitter, Instagram and, increasingly, TikTok are a great way to inform your audience and just let them know who you are as an organization. Storytelling is a great way to make connections. HIPAA doesn’t mean you have to stop doing it, and PHI doesn’t need to be a dark cloud looming over your head every time you write a Twitter post. Just be informed, be careful and be respectful. And look over any group photo to see if anyone has bad hair or is making a weird face — just because you look good, that doesn’t make it Instagram-worthy.

Author 9Rooftops Health
