Social Media & HIPAA: FAQs

You may post protected health information (PHI) on social media only if you have written authorization from the patient. Any authorization obtained is valid only for CUIMC purposes. Workforce members may not use a CUIMC HIPAA Media Authorization for personal or non-CUIMC uses, including personal websites or personal social media accounts.

Social media allows photos and videos to be captured and shared instantly. This makes it easy to accidentally post PHI, such as patient information visible on a computer screen, badge, chart, or background. Posting this type of content without prior written patient authorization may result in a HIPAA violation.

Posting any individually identifiable health information without written patient authorization may be a HIPAA violation. When authorization is obtained, among other requirements, it must clearly explain:

• What information will be shared
• The purpose of the disclosure
• The patient’s right to revoke authorization
• Any time limits on the disclosure

Yes. If the patient can be identified from the image—directly or indirectly—it is a violation of the HIPAA Privacy Rule. Workforce members must follow CUIMC’s Social Media Policy, which may impose additional restrictions.

Yes. HIPAA rules apply to disclosures of PHI on all social media accounts, including personal accounts. Posting PHI on a personal account without patient authorization violates HIPAA and CUIMC policy. Workforce members may not use a CUIMC HIPAA Media Authorization for personal or non-CUIMC uses.

All workforce members must receive training on HIPAA and social media policies. Even individuals without access to electronic PHI can still disclose patient information verbally or online, which is why awareness training is required for everyone.

Posting patient information without authorization publicly discloses PHI. Even if a patient’s name is not included, details in the post may still allow others to identify the patient.

Organizations can monitor social media by searching for facility-related keywords or hashtags (such as NYP, Columbia, or CUIMC) and reviewing posts that reference their organization or services.

A HIPAA social media policy clearly defines when, how, and if patient information may be shared online. Consistent with HIPAA, CUIMC’s policy is to prohibit sharing identifiable patient information unless written authorization is obtained and to enforce consequences for violations.

Penalties depend on the circumstances and who is responsible. Consequences may include:

• Verbal or written warnings
• Mandatory retraining
• Termination of employment
• Reputational damage
• Civil fines imposed by regulators, like the U.S. Department of Health and Human Services Office for Civil Rights

No. Although most social media sites offer account privacy controls, they generally do not comply with HIPAA requirements and site operators do not sign Business Associate Agreements in connection with social media services. 

Yes. Numerous enforcement actions have occurred, including:

• Employees being disciplined or terminated for posting PHI
• Financial penalties against organizations for responding to online reviews with patient details
• Fines issued for posting patient photos, names, and medical information without authorization

Healthcare professionals should not post or respond to patient-related content on social media, websites, business listings or other digital channels. A patient’s public post does not give permission to comment. Posts cannot be fully retracted, and even authorized posts may lead to complaints if viewed by others.

Although certain information on social media states may be public, searching for a patient on such platforms may be considered an impermissible use of PHI and lead to a HIPAA violation.  

HIPAA governs covered entities and their workforce members. Individuals who are not subject to HIPAA may still be regulated by organizational policies or other privacy laws, which can vary by state.

HIPAA does not specifically mention social media. However, its privacy and security requirements apply to all forms of communication involving PHI. CUIMC policies outline how to comply with HIPAA when using social media.