Digital Provider Blog

Where healthcare and senior care meet digital and social technology

Social Media And HIPAA: What You Need To Know

By on October 19, 2009 • 2 Comments

One question I’m always asked about when it comes to health care or senior care and social media is, “What about HIPAA?” Online privacy and security are important issues, especially on the new social Web. But I have good news for those folks in health care, senior care, home care, hospice, and dementia care who want to start using social media but fear HIPAA: It’s not as complicated as you think. In fact, it’s all about common sense. Below I provide a brief overview of the main issues, three examples of health care/senior living organizations effectively using social media without violating HIPAA, and some resources for developing your own social media and online communications policies.

HIPAA & Social Media

The Health Insurance Portability and Accountability Act (HIPAA) requires that a patient’s identity and personal health information be protected (also called Protected Health Information, or PHI). Health care providers who violate HIPAA can face stiff penalties, including fines up to $250,000 and/or imprisonment for up to 10 years for knowingly misusing individually identifiable health information. As a result, many care-related organizations shy away from deploying social media, blogs, and online communities due to fear of HIPAA violations. This is unfortunate as these organizations are missing out on the many opportunities and benefits that social technologies offer.

Senior living companies, homecare agencies, skilled nursing facilities, hospitals and the like should feel free to engage in social media – as long as mechanisms to secure PHI are employed. Information posted to blogs, Twitter accounts, Facebook pages, or online communities by health care companies should be prepared for public consumption, and each organization engaging in social media should have policies and guidelines related to social media and online communications in place prior to deploying these technologies. Here are three examples of health care and senior care organizations using social media, as well as some social media policies and online communications guidelines for your reference:

Innovis Health

Innovis Health is a non-profit hospital and health care organization based out of Fargo, North Dakota. Innovis has a blog (shown below) plus Twitter, Facebook (shown below), YouTube, and Flickr accounts. On the blog, Innovis publishes hospital news and general health news. This content is then syndicated out to their Twitter and Facebook accounts. The blog also features a Twitter feed – showing Innovis Twitter activity in real-time. The Innovis YouTube channel features hospital commercials and local news coverage. Their Flickr account displays photos of their various facilities, their staff, and marketing images from different marketing campaigns. This complement of social media tools allows Innovis to broadcast their message, engage a following, and drive traffic back to their website.

There’s very little patient-specific information on any of their social media properties; however, the blog does feature two stories about babies that were born at the hospital during a March 2009 flood, including parent names and, in one case, a photo of the new parents with their infant. The assumption here is that the parents gave Innovis specific written permission to publish these stories (a must if you plan to publish PHI or patient identity).

Innovis Health Blog


Innovis Health Facebook Page


Children’s Hospital L.A.

Children’s Hospital L.A. actually encourages patients and families to tell their stories on the hospital website. The way they work within HIPAA rules is by employing a 3-step process where the person submitting the story must:

  1. Review a “Use and Access” Statement
  2. Review the hospital HIPAA policy
  3. Fill out a secure online form where the story, images, and any links are uploaded to and reviewed by hospital staff for approval prior to being posted to the site for public viewing

Children’s Hospital L.A. “Share Your Story” Page


Children’s Hospital L.A. “Use & Access” Statement

This is a shrewd business move on the hospital’s part because it allows them to publish vetted positive stories from actual patients – which clearly has marketing benefits – without violating HIPAA.

Terrace Communities

Terrace Communities is a group of seven assisted living residences located in Maine, Vermont, New Hampshire, and Florida. Terrace uses a member-only, public-facing branded online community to connect residents, staff, and family members from all seven facilities. Members have unique profile pages and can participate in discussions, post to the group blog, add to the calendar, and upload photos to the galleries. Below you can see the community homepage with a photo of a Terrace resident and her son prominently displayed.

Terrace Communities

Notice that, like Children’s Hospital L.A., Terrace Communities encourages their members to interact and post content to the community website. Also, as you can see from the screenshot below, Terrace regularly posts photos of and stories about residents, family members, and staff to their community site. One difference here is that residents of Terrace communities are NOT considered or referred to as “patients.” Therefore, while privacy and information security are issues for Terrace, HIPAA is not a major concern. Terrace does have each resident and family sign a generic photo release form allowing them to publish photos on their website and in marketing materials.

Terrace Communities (Cont.)


Blogs, social media, and online communities can be powerful tools for organizations to broadcast news and information, as well as engage prospects and customers. The vast majority of what health care and senior care organizations publish using social technologies has nothing to do with PHI. As long as organizations take proper measures to ensure that Protected Health Information is kept private and secure there’s nothing to fear. If you are going to publish patient photos or stories, get a written release. Of course, it’s always possible that a rogue employee who doesn’t follow the rules can violate HIPAA, but that can happen offline even more easily than online – and should not be a reason to avoid getting into social media. Additionally, proper social media management allows companies to monitor posted content and quickly remove anything inappropriate. The following resources can help you get started developing your own social media policies.



Brian Geyser, APRN-BC, MSN is a clinician, consultant, educator, blogger, online community manager and the founder of Carenetworks, LLC. He blogs regularly here at and would love to connect with you on Twitter, Linkedin, and/or Facebook.


  1. […] your organization deals with HIPAA laws, click here and here for two good articles on creating a HIPAA-compliant social media […]

  2. Nicky says:

    What about if a current patient posts on the Doctor’s FB Fan page? Can you interact with them without violating HIPAA?