As most medical practices realize, the success or failure of their marketing will be decided online. For medical spas, chiropractors, and other local practices, social media plays a critical role. We have grown some of our clients' practices by 4X...solely using Facebook and Instagram.

Recently, we got some questions thrown our way about HIPAA compliance when posting on social media, and thought we might be able to share the results of our research, and give you some actionable tips to make sure your medical practice is 100% HIPAA compliant on social media.

Does HIPAA apply to social media?

Yes, HIPAA applies to all forms of media, including social media. Even though HIPAA was enacted in 1996...8 years before Facebook came along, the intent of the law remains the same: to protect the privacy and security of patient health information. Social media such as Facebook and Instagram encourage open and often "public" communication between you and your patients...but with this advantage comes great responsibility.

This guide should save you time by giving you the quick and dirty HIPAA guidelines that will allow you to leverage social media to grow your practice, while staying HIPAA compliant at the same time. 

Who Is This For?

Maybe you're a medical spa owner, chiropractor, or orthopedic clinic manager who has outsourced your social media marketing...

  • Or...maybe you're running Facebook Ads yourself to grow your practice...
  • Or...perhaps your staff is interacting with your patients on Facebook and Instagram.
  • In ANY of these cases, you (or your staff) could be violating HIPAA without even knowing it!

What is a HIPAA Violation?

A HIPAA violation is a failure to comply with the law...and all of its provisions.  You can view an overview of all the HIPAA laws on HHS.gov here. They also have a nice FAQ section that we've combed through to answer our questions. Be sure to bookmark it.

There are more than 100 pages of provisions (believe us, we painfully went through them :)). At the end of the day there are hundreds upon hundreds of ways you could potentially violate HIPAA in your digital marketing and social media efforts, but here's a list of some of the most common ones:

-Impermissible disclosures of patient protected health information (PHI)
-Unauthorized access of PHI
-Improperly disposing of PHI
-Failure to manage risks to the confidentiality, integrity, and availability of PHI (essentially, negligence regarding the protection of PHI)
-Failure to implement safeguards to ensure the confidentiality, integrity, and availability of PHI
-Failure to enter into a HIPAA-compliant business associate agreement with vendors prior to giving them access to PHI (this is a big one here...have you done this yet? That includes your social media agency if it ever sees patient data)
-Disclosing more PHI than is necessary for a particular task to be performed (the "minimum necessary" standard)
-Unauthorized release of PHI to individuals not authorized to receive the information (this happens on social media ALL THE TIME...a staff reply that confirms someone is a patient is already a disclosure)
-Failure to notify affected individuals (and the HHS Office for Civil Rights) of a breach of unsecured PHI without unreasonable delay, and no later than 60 days after the breach is discovered

Legal Ramifications of HIPAA violations:

Just because you "didn't know" does not relieve you of legal ramifications: penalties range from civil fines to, for knowing misuse of PHI, criminal charges that can include jail time. HIPAAjournal.com did a nice article going into the specific categories of HIPAA violation penalties:

"The four categories used for the penalty structure are as follows:

  • Tier 1: A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care been taken to abide by HIPAA Rules
  • Tier 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of HIPAA Rules)
  • Tier 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation
  • Tier 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation"

Here's the corresponding chart showing potential fine amounts (credit: HIPAAjournal.com)

Bottom line...if you feel your medical practice doesn't have sound HIPAA training and practices for social media and online marketing...it's time to put something in place.

(Don't worry...you're not the only one!)

What to do now? Can I get a HIPAA Marketing Checklist?

I get it...this is the LAST thing that any practicing medical professional wants to think about...or waste time on (instead of growing her business). 

So let me offer a shortcut for you:

We researched the Top 3 HIPAA Violations Medical Practices Make Every Day on Social Media, and put together an easy and fast checklist to stay HIPAA compliant.

Want it? Click the link below to check it out: