How To Stay HIPAA-Compliant in a Digital World

The Health Insurance Portability and Accountability Act (HIPAA) is a US law that sets privacy standards to protect patients’ medical records and other health information held by health plans, doctors, hospitals and other healthcare providers. Protected Health Information (PHI) is any information about a person’s health status, the provision of health care, or payment for health care that can be linked to an individual.

Everybody in the healthcare field knows how hard it can be to create marketing content that adheres to HIPAA and doesn’t include any PHI or go against the PPACA. Using social media to share the patient experience and raise awareness for your organization while staying compliant can also be difficult. That said, here are some best practices that can help healthcare organizations provide meaningful content without breaking the rules.

Follow these guidelines for writing HIPAA-compliant content on social media and elsewhere:

1. Remove any and all patient identifiers.

The obvious identifiers are patient names or records, social security numbers, addresses, and photographs. The rule also covers less obvious details, such as specifics of a physical or mental health condition or information about the receipt of or payment for services, whenever those details could be tied back to an individual.

2. Keep it general.

When referencing particular cases, conditions or treatments, be as general as possible and leave out demographic details (such as age, location or ethnicity) that could narrow a story down to an identifiable person.

3. Use the ‘minimum necessary’ rule.

Less is more. Make your point with the least information necessary; every extra detail is one more clue that could identify a patient.

4. Seek patient consent in advance.

Small details such as location, time and narrative can expose a patient’s identity on their own, so obtain the patient’s consent, and remove any ambiguity about what that consent covers, before you tell the story.

Manage HIPAA-compliant patient feedback on social media:

1. Take it offline.

Do not discuss medical advice or treatment on social media platforms. Move any conversation about an individual patient offline immediately.

2. Again, be general.

When responding to negative comments, be polite and do not include or request any PHI. An example response could be, “Thank you for bringing this to our attention. Could you please send us a private message so we can further assist you?”

3. Know when to remove posts.

It is acceptable to remove posts that could lead to a patient being identified, including comments in which patients disclose their own health information.

HIPAA-compliant topics include:

  • General health advice, ‘how-to’ guides, and wellness tips
  • Patient stories (with consent)
  • Promotion of wellness programs, services, and the latest achievements in patient care
  • General medical explanations
  • Statistics and general potential outcomes
  • Accepted courses of treatment
  • Resources for further information and education


Photo courtesy of Compliance and Safety via Wikimedia Commons.

About Fathom Team Member