
Supporting HIPAA Compliance on Facebook: A Physician’s Guide

By Amber Turner On Sep 13, 2021

Social media, especially Facebook, can be a useful resource for practice advertising, professional networking, and patient engagement; however, many practices struggle with how to ensure HIPAA compliance in the social media age.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was passed well before the era of social media. Ergo, there are no laws or amendments that contain any explicit rules regarding social media usage. However, many of the existing laws and regulations have details that certainly apply to conduct within social media channels.

For those that aren’t familiar with HIPAA, the legislation “assures that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high-quality health care and to protect the public’s health and well being.”

Healthcare practices take HIPAA seriously, and it is sometimes the reason some doctors or healthcare professionals shy away from healthcare social media marketing.

Employees who aren’t properly trained on HIPAA and social media can potentially expose your organization to costly HIPAA violation fines.

However, there are numerous benefits of marketing your practice on Facebook and infinite content you can share on Facebook while remaining safely HIPAA compliant.

We understand the risk your practice faces when misuse of social media leads to issues with HIPAA compliance, so read our helpful HIPAA Facebook guidelines to avoid any mistakes that can lead to HIPAA penalties.

We will also recommend content ideas you can use to succeed on the world’s largest social media platform while staying HIPAA compliant.

Understanding HIPAA Policies and Procedures for Facebook

HIPAA was enacted several years before social media networks such as Facebook were launched, so there are no specific HIPAA social media rules; however, there are HIPAA laws and standards that apply to social media use by healthcare organizations and their employees.

Protected health information (PHI) “relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual” that is:

  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.

HIPAA regulation forbids the use of PHI in marketing or social media campaigns, so this should be avoided at all costs to protect your patients’ privacy.

These are the 18 HIPAA identifiers; health information that contains any of them is considered individually identifiable and therefore protected health information (PHI):

  • Names
  • Dates, except year
  • Telephone numbers
  • Geographic data
  • FAX numbers
  • Social Security numbers
  • Email addresses
  • Medical record numbers
  • Account numbers
  • Health plan beneficiary numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers including license plates
  • Web URLs
  • Device identifiers and serial numbers
  • Internet protocol addresses
  • Full face photos and comparable images
  • Biometric identifiers (e.g., retinal scans, fingerprints)
  • Any unique identifying number or code

You can view an overview of all the HIPAA laws here.

Legal Ramifications of HIPAA Violations

What happens if you break HIPAA Rules depends on the severity of the violation. The actions of employers, professional boards, federal regulators, and the Department of Justice will depend on several factors:

  1. The nature of the violation
  2. Whether there was knowledge that HIPAA Rules were being violated, or by exercising due diligence, it should have been clear that HIPAA Rules were being violated
  4. Whether action was taken to correct the violation
  4. Whether there was malicious intent or HIPAA Rules were violated for personal gain
  5. The harm caused by the violation(s)
  6. The number of people impacted by the violation
  7. Whether there was a violation of the criminal provision of HIPAA

Penalties for HIPAA violations can be issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general. 

The four categories used for the penalty structure are as follows:

  • Tier 1: A violation that the covered entity was unaware of and could not have realistically avoided, even if a reasonable amount of care had been taken to abide by HIPAA Rules
  • Tier 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of HIPAA Rules)
  • Tier 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation
  • Tier 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation

Each category of violation carries a separate HIPAA penalty. It is up to OCR to determine a financial penalty within the appropriate range. 

  • Tier 1: Minimum fine of $100 per violation up to $50,000
  • Tier 2: Minimum fine of $1,000 per violation up to $50,000
  • Tier 3: Minimum fine of $10,000 per violation up to $50,000
  • Tier 4: Minimum fine of $50,000 per violation

Chart provided by HIPAA Journal showing HIPAA violation penalties for each tier (1-4), a description of each tier of HIPAA violation, and the cost range of each violation.

View an overview of large-scale HIPAA fines listed by year provided by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) here.

Example of a HIPAA Violation on Facebook

Much like other social media platforms, the most common HIPAA breach is sharing PHI. One example is when a nurse from Texas Children’s Hospital posted details about a young measles patient in a Facebook group. The hospital launched an investigation which resulted in her firing.

The HIPAA Privacy Rule places restrictions on the allowable uses and disclosures of protected health information.

However, as this incident shows, the patient does not need to be mentioned by name for them to potentially be identified. If any personally identifiable protected health information is posted on social media without consent first being obtained from the patient, it constitutes a violation of the HIPAA Privacy Rule.

Most HIPAA violations are accidental. Perhaps PHI was unknowingly visible in the background of a photo. In some cases, employees don’t realize that what they’re posting is a HIPAA violation.

What NOT to share on Facebook

The first rule of using social media in healthcare is to never disclose protected health information on social media channels. The second rule is to NEVER disclose protected health information on social media. 

Avoid posting any patient information, stories, and conditions even if the name is left out. 

Also, never post photos of patients or their medical documents. That includes any photos where PHI might be visible in the background. 

One of the most effective ways to protect your practice against HIPAA violations is to have policies and procedures in place to address each of the HIPAA regulatory standards. 

These policies and procedures should be unique to the needs of your practice, which is why that dusty and often forgotten HIPAA policy binder in the corner of your office often isn’t enough.

Share this checklist below with the employee or marketing team managing your practice’s Facebook page.

Visual aid example made by Koda Digital showing a recommended HIPAA compliance Facebook checklist for doctors and physicians to use or share with employees and/or their marketing team to stay HIPAA compliant on Facebook.

Here are some additional precautions to take in terms of social media posting:

  • Don’t talk about specific patients in any way via social media. 
  • Don’t share any workplace-related frustrations online. 
  • Refrain from discussing patients even in a general way via Facebook direct messages and Facebook Groups (Private or Public).
  • Monitor the comment section and delete anything that could elicit a compromising response.

What you CAN share on Facebook

“Without a doubt, Facebook is a great way to help position yourself as an expert in your field and attract new patients.”

– Klara Morgan, Marketing Director @ Koda Digital

With the proper precautions being taken, there are still many ways to use Facebook to benefit your healthcare organization. 

In general, social media can be used to attract new clients to your medical practice or educate current patients on a topic or piece of news. With roughly 2.8 billion monthly active users as of the fourth quarter of 2020, Facebook is the biggest and, in our opinion, the best social media platform to market your practice.

Below, we list some of the things you can post on social media:

  • Health tips that patients might find useful
  • Upcoming events patients might like to attend
  • New research or findings related to your field
  • Honors or awards your organization has been granted
  • Pictures and bios of your staff

For more great ideas and Facebook marketing support, check out other Koda Digital blogs written by our expert social media managers.

Using Facebook carelessly is NOT an option

Healthcare practices shouldn’t abandon social media marketing in fear of accruing HIPAA violation penalties from their social media posts.

Instead, there are ways to successfully use healthcare social media marketing in a way that protects the privacy of your patients on social media. Find the best way for your practice to begin a healthcare social media strategy that fits your needs and helps your business.

By standardizing the way that marketing and social media efforts are maintained, you ensure that no sensitive health information will be improperly disclosed on the web. 

It is imperative to keep patient health information protected, with secure and effective digital marketing. 

When it comes to HIPAA compliance, it is better to be safe than sorry. That being said, there are lots of ways healthcare providers can stay on the cutting edge of marketing and leverage their digital footprint to attract new patients while remaining HIPAA compliant.

If you don’t have the time or the resources to handle effective online HIPAA-compliant management, you can always invest in training your employees or turn the work over to someone who does it for a living and has a proven track record with digital medical marketing.

At Koda Digital, helping our clients grow and keeping them HIPAA compliant is more than just our business; it’s our passion.

Instead of waiting for patients to come to you, let’s go to them. From patient reviews and social media to SEO and website, we handle the entire digital experience so you can focus on what you want to focus on. 

2023 is almost here so don’t wait too long! Do reach out. 

Visual aid made by Koda Digital giving the agency's location, website, and contact information, with decorative Fort Worth, TX imagery.