Stay HIPAA compliant on social media or risk fines


Understand the rules of HIPAA compliance and social media to avoid violations and fines

Does your practice use social media? A social media post containing protected health information (PHI) can compromise HIPAA compliance. Staying HIPAA compliant on social media is crucial to avoid the risk of fines. And it’s not as straightforward as you might think.

For example, in the most recent HIPAA violation due to social media misuse, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services announced a settlement with B. Brandon Au, DDS, Inc. of New Vision Dental in California over the impermissible disclosure of PHI in response to online reviews and other potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

The violation involves the provider’s inappropriate use of social media to respond to patient reviews and the disclosure of protected health information. This practice is illegal under HIPAA.

Hefty fines imposed for social media HIPAA violations

New Vision Dental paid $23,000 to OCR and agreed to implement a corrective action plan (CAP) to resolve this investigation. 

Healthcare social media is not like personal social media accounts

It is not uncommon to share photos and stories from your workday on Facebook and Twitter, but staying HIPAA compliant on social media is unfamiliar to most professionals. Most industries treat these posts as routine and harmless—no different from sharing vacation photos or past memories.

In today’s world, however, our increased interconnectivity can lead to serious problems for healthcare and behavioral health professionals. If the protected health information of patients or clients is posted on social media, it is a HIPAA violation and can result in serious fines.

The OCR cracks down on social media HIPAA violations

“This latest enforcement action demonstrates the importance of following the law even using social media. Providers cannot disclose protected health information of their patients when responding to negative online reviews. This is a clear NO,” said OCR Director Melanie Fontes Rainer. 

Rainer continued, “OCR is sending a clear message to regulated entities that they must safeguard patients’ protected health information appropriately. We take complaints about potential HIPAA violations seriously, no matter how large or small the organization.”


New Vision Dental’s HIPAA compliance and social media issues

New Vision Dental was accused, in a complaint to OCR in November 2017, of impermissibly disclosing PHI, including patient names, treatment and insurance information, when responding to online reviews of the practice by patients. OCR’s investigation found possible breaches of HIPAA’s Privacy Rule, including improper uses and disclosures of protected health information. OCR also found that the organization should have provided a Notice of Privacy Practices and implemented privacy policies.

What can you post on social media as a healthcare professional?

When posting on social media as a healthcare professional, make sure your posts don’t contain information that can be tied to specific patients or medical records. An individual’s PHI includes the demographic information that can be used to identify them: name, date of birth, address, social security number, medical information and financial data are all examples. Overall, you’ll want to avoid using any of the 18 unique identifiers of PHI. To safeguard patients’ privacy, HIPAA regulations prohibit the use of PHI in social media campaigns.


6 things healthcare professionals can post on social media

  1. Tips for healthy living that patients might find helpful.
  2. Patient-friendly upcoming events.
  3. Research or findings relevant to your area of expertise.
  4. Your organization’s honors or awards.
  5. An overview of your staff’s profiles or biographies.
  6. Advertisements for your services, as long as they do not include any of your patients’ protected health information (such as names, photos or other personally identifiable information).

HHS offers detailed information and a guide if you are concerned and need more clarification about what you can and cannot post as a healthcare provider on social media.

Are you considering sending email with PHI?

The best way for nurses and doctors to securely communicate PHI is by email through a third-party email security provider that ensures the encrypted delivery of 100% of the emails you send. That’s where Paubox Email Suite’s HIPAA compliant email service comes in. 

Paubox Email Suite enables HIPAA compliant email by default and automatically encrypts every outbound message. This means you don’t have to spend time deciding which emails to encrypt, and your patients are able to receive your messages right in their inbox—no additional passwords or portals necessary. 

In addition to enabling healthcare email encryption for compliance with HIPAA email rules, Paubox Email Suite’s Plus and Premium plan levels include robust inbound email security tools that block malicious cyberattacks from reaching the inbox in the first place. 

Our patent-pending Zero Trust Email feature uses email AI to confirm that an email is legitimate. Additionally, our patented ExecProtect feature quickly intercepts display name spoofing attempts.

About the author

Anne-Marie Sullivan

