Doctors, physicians, dentists, chiropractors and other covered entities should tread cautiously when posting messages on social media. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 lays out guidelines regarding patient privacy, which can conflict with social media postings. This doesn't necessarily mean that you should delete your practice's Facebook and Twitter accounts altogether, but you should be aware of the content you are posting and whether or not it violates HIPAA's Privacy Rule.
Social media has revolutionized the way companies do business. For instance, Facebook alone has an impressive user base of 1.3 billion active members, making it the world's largest social media network. Business owners can improve their visibility and attract new customers by maintaining an active Facebook page, posting messages and comments to their target audience. While effective at attracting new customers, this can also lead to privacy questions when the content being published contains information about healthcare patients.
HIPAA's Privacy Rule protects healthcare patients' privacy by prohibiting doctors and other covered entities from disclosing patients' information without written consent. If a patient visits the doctor, for instance, that doctor is prohibited from transferring Protected Health Information (PHI) about the patient to other individuals or organizations, assuming the patient hasn't given their consent.
While it may seem harmless enough, posting information about a patient's condition on social media could be in direct violation of HIPAA's Privacy Rule. If the information being posted is classified as PHI, it cannot be posted on social media. Doing so essentially presents the information to the public, which does not have the patient's consent to access or read it. Even if the social media account is set to private, each and every person who has access to it must have the patient's consent to view the information. And even then, there's the issue of whether or not the information is secure.
Doctors and covered entities can, however, publish information on social media that doesn't contain Protected Health Information. This is usually done by removing PHI identifiers, such as names, addresses, birthdates, telephone numbers, email addresses, social security numbers, medical record numbers, license numbers, health plan beneficiary numbers, biometric identifiers and medical device serial numbers.
The bottom line is that you need to make sure any information posted on social media does not contain Protected Health Information. If you aren't sure whether a specific post contains PHI, it's best to err on the side of caution and avoid publishing it altogether.