5 Steps for Creating an Effective Social Media Policy

Protect PHI and Educate Staff on HIPAA Risk in Using Social Media

Creating a social media policy for medical office staff establishes guidelines that protect patient privacy and help prevent violations of the HIPAA Privacy Rule. Social media is widely recognized as an effective channel for community relations, recruitment, and marketing events. Medical office staff must therefore fully understand what constitutes appropriate use of social media and how to avoid violating HIPAA rules.


Define Social Media


Social media, as defined by Dictionary.com, refers to any app, website, or other online means of communication that is used by large groups of people to share information and to develop social and professional contacts. Your staff may not immediately realize that the apps and sites they use every day count as social media. Popular social media or networking sites include but are not limited to:


Establish Guidelines for Social Media Use by Healthcare Employees


The social media policy of your facility should establish guidelines for both personal and professional use of social media. Because your employees work for an organization that is a covered entity under HIPAA, they must follow the HIPAA Privacy Rule and safeguard the privacy and security of protected health information (PHI) at all times, including on their own personal accounts.


Do:

  • Be professional, especially if you have identified yourself as an employee
  • Include a statement that your views are your own and not your employer's
  • Remove tags on pictures that a patient posts, so the picture does not appear on your page or profile


Don't:

  • Participate in any online communication with patients of the medical office
  • Post pictures of patients under any circumstances, even if the patient is not identifiable
  • Discuss any details of your job or of activities that occurred during the workday

Express the Penalties for Violating HIPAA With Social Media


Violating HIPAA can carry civil penalties of up to $1.5 million per year for violations of an identical provision, and penalties can be imposed on the institution as well as on the individual employees involved. A violation of the social media policy is also a violation of your HIPAA policy and should result in corrective action for the employee(s) involved. Apply the same corrective action process as in your current Confidentiality Policy, and state clearly that the penalty can include termination.


Additional Training Materials


The US Department of Health and Human Services (HHS) provides training materials on its website that providers can use to educate their staff; the materials can be updated as needed to incorporate modifications to the HIPAA Privacy Rule.

HealthIT.gov: Guide to Privacy and Security of Electronic Health Information includes HIPAA rule basics.

Covered Entity, Business Associate, and Organizational Options: Explains and defines the types of entities that are covered by the Privacy Rule. The term business associate is defined, along with the requirements the Privacy Rule imposes on business associates when they carry out health care activities and functions on behalf of covered entities. It also describes the Privacy Rule provisions that address how an entity's organizational structure may affect its privacy functions.

Protected Health Information, Uses and Disclosures, and Minimum Necessary: Describes the health information that is protected by the Privacy Rule. The presentation covers in detail the required and permitted uses and disclosures of PHI by a covered entity or its business associate, including situations where PHI may be used or disclosed without the individual's authorization and when such authorization is required. The Rule's minimum necessary provisions and their requirements are also explained.


Some Examples of Social Media HIPAA Violations


MDNews.com reported:

In a case pending before the National Labor Relations Board, a nurse who had treated a fatally wounded police officer and the alleged gunman was terminated after posting on her private Facebook account that she came “face to face” with a “cop killer” and hoped he “rotted in hell.” The ostensible reason for termination was violations of HIPAA and the hospital’s rules on patient privacy.

WISN.com reported:

Two nurses were fired for taking pictures of a patient's X-ray with a cell phone and posting the pictures on Facebook. The patient was admitted to the emergency room with an object lodged in his rectum. Police said the nurse explained that she and a co-worker snapped photos when they learned it was a sex device. Police said discussion about the incident was posted on her Facebook page, but they haven't found anyone who actually saw the pictures.
