What is HIPAA Social Media Compliance?

Modified on Mon, 11 Dec 2023 at 12:12 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.


HIPAA was passed in 1996, before the phrase “social media” entered the dictionary. The HIPAA rules therefore do not regulate “social media” by name. Instead, the HIPAA Privacy Rule regulates use or disclosure of PHI through any medium, whether oral, written or electronic. Social media is an electronic medium, so the Privacy Rule’s restrictions on use and disclosure of PHI apply to anything a practice posts to or on social media.

What are the HIPAA Restrictions on Social Media Use and Disclosure?
Under the HIPAA Privacy Rule, covered entities and business associates may not use or disclose protected health information (PHI) except as that rule specifically permits or requires. What does this mean for social media? It means that a provider may not post information about a patient, pictures of the patient, or testimonials made by the patient on social media unless the patient has first given the provider written authorization to do so. This written authorization must be obtained on a form that meets the requirements for a valid HIPAA authorization.

May an Employee Take a Picture or Video of a Patient and Post the Picture or Video on Social Media?
An employee of a practice may not take a picture or video of a patient and post that picture or video on social media (e.g., Facebook, Twitter, Instagram), unless the patient both consents to the taking of the picture for this purpose, and provides written authorization to disclose the picture to social media. 

Providers may ask patients to complete a HIPAA social media authorization form. On the form, patients may indicate information such as which social media channels the patient authorizes disclosure to, the purpose of the disclosure, and the scope of the disclosure. Once a practice obtains the written authorization from the patient, the practice must abide by its terms. If, for example, the patient authorizes that only the patient appears in the photo (as opposed to the patient appearing in the photo along with his or her physicians), this restriction must be honored.

How May a Practice Respond to Social Media Reviews?

A patient is free to leave reviews on a practice’s website if that website solicits such reviews. A patient may also leave reviews on websites that solicit reviews of services in general, such as Yelp and Google Reviews. The patient’s transmission of his or her own PHI to such sites in the course of leaving a review does not violate the HIPAA rules against use or disclosure of PHI. This is so because patients are not regulated by HIPAA; practices are.

How a practice responds to reviews, however, may land the practice in hot water with the Department of Health and Human Services’ Office for Civil Rights (OCR).

A practice may not respond to negative reviews by revealing patient PHI unless the patient has provided prior written authorization enabling the practice to do so. “Revealing” has a broad meaning:

Say that a patient leaves a review on a social media site that states, “I visited Dr. Smith on August 25, 2022. The service was horrible!” The practice may not respond on social media by writing, “[Name of Patient], you are mistaken! Our service is first-class.” Nor may the practice respond by seeking the reason behind the complaint. In other words, the practice may not write, “[Name of Patient], why were you dissatisfied with our service?” In each instance, the practice has revealed PHI by confirming that the named individual was a patient who received services. If the practice has not obtained prior written authorization to do so, the disclosure is improper.

“Revealing” PHI can consist of a mere acknowledgment that “Patient X” was in fact a patient. Take a seemingly benign example. A patient leaves a review of a doctor on Yelp: “I visited Dr. X on 8/25/22. The service was excellent.” The doctor sees the review and responds, “Thank you!” The doctor’s message can be read as acknowledging that the patient saw the doctor on 8/25/22 for services. Such an acknowledgment reveals PHI, in this case by confirming its existence.

Some doctors choose to respond to all comments left on social media, whether positive, negative or neutral, with the exact same message, something like “Thank you for your message. Please contact our office if you wish to speak with us.” The rationale for leaving the exact same message for everyone, these doctors might say, is that “We are sending the same reply to everyone, including people we may not have even treated. This means we are not revealing any particular person’s PHI.”

That argument is not without a certain appeal, and leaving a “uniform” message, all other things being equal, is probably less likely to get the doctor in trouble than responding to a negative review with a negative message of the doctor’s own that, say, describes how the patient was rude during a service encounter. Note, though, that a uniform reply still does not by itself guarantee that no PHI is confirmed; the safer approach is a statement that expressly declines to confirm or deny the poster’s patient status.

Perhaps the safest way for a practice to ensure it does not run afoul of the rule against revealing or confirming PHI without prior written authorization for such disclosure is a standing statement that reads something like this:

“PRACTICE NAME does not comment on specific reviews and posts that speak to care received at our practice, nor do we confirm or refute that the poster is/was a patient of our practice. If there is a concern or compliment regarding care received at our practice, we can be reached directly through our practice manager (insert name and title), who can be reached at (insert contact information), or securely through our patient portal, accessible here: (insert hyperlink to patient sign-in).”

To ensure employees know not to use social media to transmit PHI, social media compliance training should be offered as part of every new employee’s onboarding. As new social media platforms become available, providers should offer refresher social media compliance training, reminding employees that PHI cannot be disclosed on social media unless the patient provides prior written authorization for the disclosure.