Essential Steps to be HIPAA Compliant on Social Media

A recent case involving New Vision Dental (NVD) serves as a stark reminder of the importance of HIPAA compliance in the digital age. NVD faced a hefty fine of $23,000 for violating HIPAA regulations by responding to patient reviews on ‘Yelp’ in a way that disclosed protected health information (PHI). This incident highlights the potential pitfalls healthcare providers can face when navigating social media.

The healthcare industry received another wake-up call in July 2023 with the Office of Health and Human Services (HHS) issuing a warning about the privacy risks associated with online tracking technologies. These technologies, often integrated into websites or mobile apps, may be improperly disclosing customers’ private health information to third parties. In general, tracking technologies developed by third parties convey information directly back to the developers of these trackers, and continue to monitor users and collect information about them even after the users leave the originating website and continue their searches.

This new HHS directive is like a plague cast upon the health care industry’s marketing landscape, and there is no antidote, as there was for COVID. Your corporation will need to inoculate and isolate your marketing platforms so that they are not caught up in an HHS action or a lawyer’s desire to capitalize on a healthcare organization’s poor understanding of tracking technologies and how they apply to HIPAA’s PHI regulations. These lawyers are accustomed to simply making money by suing businesses over ADA rules, and they will soon shift their focus to HIPAA and how to turn it into a profit engine for them. We witnessed how the ADA laws expanded over time, and we can expect the same to happen with HIPAA and PHI information. These types of cases will bring down small to midsize businesses with verdicts that exceed their ability to pay!

If you want to read more, here is a link to the 2023 HHS communication.

While this directive originally applied to hospitals and telehealth organizations, you would be mistaken to believe it does not affect everyone in the healthcare industry. Laws and agency directives can evolve over time, as case law has demonstrated. The worst part is that you may think you’re doing everything right now, but in 5-10 years, your organization will find itself on the losing end of a court case. Welcome to our judicial system! So, what can you do?

The critical responsibility of safeguarding patients’ health information is imposed upon healthcare providers by the Health Insurance Portability and Accountability Act (HIPAA). This responsibility permeates the digital world, especially on the all-pervasive social media platforms, and does not stop at traditional dental, medical, and hospital offices. Given the prevalence of online information sharing, it can be difficult to navigate these channels while still being in compliance with the HIPAA Privacy Rules. The last thing a practice owner needs to see is a letter like the one below from the U.S. Department of Health and Human Services Office for Social Rights.

A violation letter sample from the U.S. Department of Health and Human Services Office for Social Rights.

A patient’s name, address, social security number, and other identifying information (PHI) should never be shared on social media without the patient’s written consent, as stated in the HIPAA Privacy Rule. PHI refers to a wide range of identifiers, including medical records, diagnoses, treatment, and IP addresses. Because of the serious consequences that can occur from even the most innocent actions—such as responding to a patient’s social media review or posting an innocent-looking photo that captures patient information—health organizations must be extremely careful to avoid the accidental disclosure of protected health information (PHI).

Healthcare organizations must set up detailed social media protocols and make sure their employees get the training they need to avoid the serious consequences of noncompliance, such as fines that can reach $1.5 million. All social marketing activities must adhere to HIPAA regulations, and the posting of any comments or images pertaining to one’s medical conditions that could disclose protected health information (PHI) must be strictly prohibited. This also extends to the sharing of IP addresses between social media platforms and tracking technologies that will disclose a patient’s medical condition even if a human never sees this data.
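The tracking-technology exposure described in the HHS warning above, and the IP-address sharing this paragraph mentions, can be checked for on a practice’s own website. The following is an added example, not code from this post or from DSO Marketing Xcelerator; it assumes a fictional site origin and constructed page markup, and shows which page loads reach third parties, what each third party learns, and the response headers that limit it.

```javascript
// Constructed sample markup for a fictional practice site; not from the original post.
const SITE_ORIGIN = "https://www.practice.example";
const SAMPLE_PAGE_URL = SITE_ORIGIN + "/treatments/periodontal-disease?visit=returning";
const SAMPLE_HTML = `
<html><head>
  <script src="/static/app.js"></script>
  <script src="https://cdn.tracker.invalid/pixel.js"></script>
  <img src="https://social.invalid/tr?id=123&ev=PageView" width="1" height="1">
  <iframe src="${SITE_ORIGIN}/booking"></iframe>
  <img src="/img/logo.png">
</head><body></body></html>`;

// Collect every script, image and iframe the browser would fetch for this page.
function extractResourceUrls(html, baseOrigin) {
  const re = /<(script|img|iframe)\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const found = []; let m;
  while ((m = re.exec(html)) !== null) {
    found.push({ tag: m[1].toLowerCase(), url: new URL(m[2], baseOrigin).href });
  }
  return found;
}

// Report each fetch that leaves the practice's own host and what the receiver
// learns: the visitor's IP always, plus the page URL (whose path may name a
// condition): a script reads location.href directly; an image or frame gets
// it in the Referer header unless the page's referrer policy strips it.
function auditThirdPartyTrackers(html, pageUrl) {
  const page = new URL(pageUrl);
  return extractResourceUrls(html, page.origin)
    .filter(r => new URL(r.url).host !== page.host)
    .map(r => ({
      tag: r.tag,
      host: new URL(r.url).host,
      exposure: r.tag === "script" ? "script reads location.href" : "Referer header",
      pageUrlAtRisk: page.pathname + page.search,
    }));
}

// Hardening headers: Referrer-Policy trims cross-origin referrers to the bare
// origin, and a CSP limits script, image and frame loads to the site itself
// plus any hosts that have actually been reviewed.
function hardeningHeaders(allowedHosts) {
  const extra = allowedHosts.length ? " " + allowedHosts.join(" ") : "";
  return {
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy":
      `default-src 'self'; script-src 'self'${extra}; img-src 'self'${extra}; frame-src 'self'${extra}`,
  };
}
```

Run `auditThirdPartyTrackers(SAMPLE_HTML, SAMPLE_PAGE_URL)` against a real page’s markup to get the inventory of third-party hosts that needs a review before the site carries any condition-specific pages.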

Under HIPAA, healthcare providers, including dental and medical marketing experts, are free to use social media to build their brands and communicate with patients, as long as they do not disclose any protected health information (PHI). In order to remain compliant with HIPAA and social media regulations, healthcare marketers must consistently assess their methods, record and update their social media strategies on an annual basis, and make sure that everyone on their team is familiar with these policies.

Three steps make up a realistic plan for social media marketing that complies with HIPAA regulations.

  • Step 1. Figure out what kind of information can be shared between platforms without breaking HIPAA.
  • Step 2. Ensure marketers receive training on the finer points of social media engagement and on which HIPAA regulations can be seen as violated.
  • Step 3. Companies in the dental industry’s marketing niche need to collaborate with a trusted partner that offers a comprehensive HIPAA solution to guarantee complete legal compliance in all areas of operation.* I like the Compliancy Group.

*This protects the brand from potential legal issues and helps build trust with customers.

Best Practices for HIPAA-Compliant Social Media Engagement

To establish HIPAA-compliant social media engagement, healthcare providers and marketers must prioritize a thorough understanding of the regulations, as well as strict adherence to patient privacy-protective security measures and policies. The complexities of what information can be shared on social media without violating HIPAA require a nuanced approach, as do best practices for avoiding potential breaches when using these platforms for medical or dental marketing.

Don’t assume all marketing tools are HIPAA compliant.

Building a strong framework is critical for preventing violations. Training is the foundation of HIPAA compliance, ensuring that all digital marketing employees understand internal policies, best practices, and data security measures related to HIPAA and social media. Vigilance matters too: as the digital landscape evolves, it is critical to stay current on legislative changes at both the federal and state levels, along with the growing body of case law.

There are no excuses for not staying up to date on the new interpretations of HIPAA. It is like driving a car: the cop pulls you over for speeding, you say the speed limit is 55, and the cop tells you it changed last week and is now 40. You still get the ticket and must pay the fine.

By posting updates, practice news, health tips, and educational content, healthcare providers can improve their social media presence without jeopardizing patient privacy while complying with HIPAA regulations. Tools such as HIPAA-compliant email systems and platforms that act as a bridge between patient privacy and digital marketing must be part of the marketing tool bag. These new systems will enable HIPAA-secure communications between platforms while also delivering important marketing attributes to help marketers develop successful strategies.

In essence, the blueprint for social media engagement that complies with HIPAA is careful planning, thorough training, and vigilant monitoring with the right software packages. These principles are essential for effective healthcare operations in our interconnected world, as they protect healthcare organizations’ online reputations and foster patient loyalty and trust.

About us

Marc Heffner is the founding partner of DSO Marketing Xcelerator™ and is a Fractional CMO in the DSO vertical. Through developing strong marketing teams and introducing new technology platforms needed to achieve ambitious goals, Marc creates growth opportunities for private equity firms working in the healthcare space and self-funded growing practices willing to invest in their future.

  • 25+ Years of Experience
  • Over $1 Billion in Revenue
  • Fortune 500 Experience