Staying HIPAA Compliant

Two Tips to Avoid Privacy Rule Violations on Social Media

When our patients advocate for our services, and we are able to share their story and show their happy, smiling faces via social media, it is marketing gold. However, as healthcare providers, we are covered entities, and we must follow the HIPAA rules to avoid penalty. Though usually unintentional, HIPAA violations are easy to make on social media.

Those violations, if reported, could cost you hundreds or thousands of dollars, not to mention the business of the patient and, perhaps, future patients.

So, how can you capitalize on these powerful marketing posts while remaining compliant with HIPAA regulations? The answer is simple: Get the proper authorization. Here’s how.


Many practices that explain their intention to use a patient’s case on social media get the patient’s consent verbally. With that, they create the social media post. Some would argue that this is enough.

However, to ensure you are 100% in compliance, it is best to obtain a written authorization from the patient. Authorization, when done in accordance with government guidelines, has many components. Pay careful attention to the use for marketing. According to the Summary of the HIPAA Privacy Rule, “An authorization for marketing that involves the covered entity’s receipt of direct or indirect remuneration from a third party must reveal that fact.” (The uses and disclosures for which an authorization is required are listed in the Federal Regulations in section 45 C.F.R. § 164.508.)

There may be times when a patient does not want to give authorization, yet a tremendous marketing opportunity exists. In this situation, there is one thing that most practices can do to avoid a HIPAA violation while using social media: de-identification.

To ensure HIPAA Privacy Rule compliance, remove all information that can be used to identify the individual whose health information you are using. A patient’s protected health information (PHI) ceases to be PHI once it has been de-identified. Therefore, that information is no longer subject to the restrictions and requirements of federal and state privacy laws, helping to ensure you are in HIPAA compliance. The most feasible way a practice can achieve this is to delete the 18 specified identifiers, including names, dates, addresses, etc. See the full list in the “Safe Harbor” guidance.

Additionally, any outside information that can be used to identify the person must be deleted. For example, say you deleted all 18 specified identifiers but then commented, “The lead singer of our favorite band was in today! I learned he always wears those sunglasses because he has glaucoma!” The included outside information could allow one to deduce that your patient is U2’s Bono, and that he suffers from glaucoma. Unless HIPAA-compliant authorization was given, this would be a violation, as you failed to protect his PHI. A good rule of thumb: If you can use the outside information to perform an online search and it leads you to a specific person, including it in your post violates the HIPAA Privacy Rule.


One may argue that before a social media post becomes a violation with a potential penalty issued, it first needs to be filed as a complaint, investigated, and ruled upon, a process that seems unlikely to many practitioners. However, the HIPAA cops are real. So, before you post, follow these two tips to ensure maximum protection against a violation.

This article was originally posted in the July 2015 issue of Optometric Management and written by Justin Bazan, O.D.