Social Media Has Huge Potential to Cause HIPAA Violations

by Patrick Kennedy | Nov 2, 2013


Social media networks such as Facebook, Twitter, Instagram and YouTube have the potential to lead to HIPAA breaches because they allow people to stay connected and share information with their friends, families, acquaintances and, in some cases, total strangers.

Any data published on social networks is considered to be in the public domain and potentially becomes accessible to anyone connected to the Internet. Published information can be shared with a massive audience quickly, and very little control exists over data once it has been posted. It can become part of a permanent online record.

The potential for even a seemingly harmless post or status update to inflict considerable harm and damage has been emphasized by a recent lawsuit filed by a Chicago ER patient, who claims her PHI was exposed when an ER doctor uploaded a photo of her drunk in the ER room to his Facebook account.


This may have been a one-off incident, but social media platforms have considerable potential to expose PHI, and these risks should be addressed in the risk analyses healthcare organizations are required to complete under HIPAA regulations.

A HIPAA-compliant social media policy must be put in place and the staff should be advised about what can and cannot be posted on social media accounts under federal Privacy and Security Rules.

Developing a comprehensive social media policy can require a lot of resources, although it is possible to take the social media policy of an organization such as the Mayo Clinic, use that as a base and adapt it to suit your organization's requirements.

The simplest way to implement the policy is to provide the workforce with very clear and precise guidelines on the use of social media channels, both at work and privately. As far as social media channels are concerned, HIPAA compliance does not end when you have gone home.

Supply a list of easy-to-read bullet points which concisely state the social media policies, and tell staff not to engage with patients online unless they are sure it is via a HIPAA-compliant medium. Whenever possible, staff should ask for a face-to-face meeting or make a telephone call.

It is not permitted to post any photos of patients online or disclose personal information online without first receiving consent, and it should be communicated that posts may form a permanent online record.

Social media is an easy and convenient way to interact with patients, develop a brand image and build up an online profile; however, the dangers to privacy and security are considerable, and it is therefore essential that policies are developed, regularly monitored and updated as necessary.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.



Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:
