22 Jun 2017 RB Marketing Series

HIPAA & Social Media: The One Thing Your Strategy Is Missing

Ryan Eisenacher
[Former] Content Marketing Manager

Three years and some change ago, Recovery Brands hired me to oversee the company’s social media marketing efforts. As the first hire of this department, my first task was simple: create a social media strategy…from scratch.

Well, somewhat simple.

Recovery Brands owns and operates a portfolio of social media channels, and even though we aren’t a treatment facility, we still have to adhere to the sensitive nature of the industry as a whole. And I’m not just referring to the difficult subject matter that is addiction. I’m talking about the proper handling of sensitive information online — a little thing us healthcare marketers refer to as HIPAA.

Many healthcare organizations are still unclear on how to properly integrate social media into their marketing campaigns due to a fear of HIPAA laws and regulations. But almost all of them know that a violation can result in job loss, hefty fines, loss of licensure, and even legal sanctions and criminal charges.

So the question becomes: how can healthcare organizations remain HIPAA-compliant while navigating the social sphere?

It’s all in the policy, my friends. Your social media policy, that is.

And it goes a little something like this…

1. Limit liability by establishing sound practices and procedures

What kind of information can we share? What are we not allowed to share? What types of images are OK to post? What’s the proper protocol when responding to negative feedback? When should something be deleted? Should something be deleted? Will we be using any privacy settings? How should irresponsible social media use be handled?

When I first crafted our policy, I asked myself all of these questions — and then some! There is no such thing as being too diligent or thorough. By developing solid rules and strategies, you’ll be able to eliminate the guesswork of what is and isn’t appropriate when engaging online.

2. Identify authorized admins to post on behalf of the company

At RB, unless your name is Mary, Grace, Nicole or Ryan, there is a 101% chance you do not have access to any of our social media accounts. And I prefer it that way. Our social media policy clearly defines each of our roles and responsibilities — what accounts we manage, how many times a week we post/tweet, what Twitter chats we participate in, and more. Each one of us can recite our social media policy in our sleep — hence the reason I sleep soundly every night.

Moral of the story? Limit social media access to five people or less. There will be less chaos in your day-to-day if you know what each person in your department is doing at any given time.

3. Require compliance training for employees

It might seem obvious that your social media admins need to have a firm understanding of HIPAA laws and regulations before they’re allowed to post or share on behalf of the company — but what about your other employees? Chances are, they have personal accounts of their own, and what they do outside of work could have potentially devastating consequences on your business.

Some of the most common examples of social media HIPAA violations include:

  • Sharing of photographs – or any form of PHI – without written consent from a patient
  • Acknowledging a physician-patient relationship (this is often the most innocent mistake!)
  • Posting verbal “gossip” about a patient, even if the name is not disclosed

Don’t risk it. Take the time to train all of your employees on internal and external social media best practices and company policies.

4. Consistently monitor all social media platforms

Successful social media marketing requires daily maintenance. Even with a dedicated team of four, monitoring our (many) feeds all day, every day is a lot of work. But it’s absolutely necessary.

You never know what someone may post or tweet. Always be alert and on the lookout for possible HIPAA violations. If you don’t have the resources to review your accounts continuously throughout the day, make sure you check in at least once. If you can swing twice a day – even better.

At the end of the day, a well-written policy will be simple, yet specific. And, how you craft your policy — and how lenient or strict you are in enforcing it — is up to you and/or your management team. Choose wisely.


Does your organization have a social media policy in place? If so, what key elements did you include in it? Tell us in the comments below.
