A healthcare team’s guide to HIPAA compliance on social media

Javion · Culture · 2025-07-03

You’d be hard-pressed to find healthcare marketers that don’t understand the value of social media for healthcare, according to Jill Florence, Director of Enterprise Sales at Sprout Social.

As Florence explains, “Social is a non-negotiable part of driving brand awareness and building connections with patients, physicians and community members. But it can be a challenge for the marketing teams on the digital front lines to overcome the concerns of security and privacy teams—especially at the intersection of HIPAA and social media.”

Many organizations report that HIPAA compliance measures inhibit their strategy, because some of the most engaging healthcare content they create features innovative studies, patient testimonials and medical breakthroughs, all of which require lengthy approval processes and careful execution. In this guide, we’re breaking down what you need to know to remain HIPAA compliant on social media, and sharing examples of healthcare brands that shine on social—despite regulatory limitations.

Please note: The information provided in this article does not, and is not intended to, constitute formal legal advice. Please review our full disclaimer before reading any further.

HIPAA’s impact on your social media content

HIPAA privacy laws protect sensitive patient information from being disclosed publicly, including on social media. The HIPAA Privacy Rule expressly protects patient health information as it relates to how the data is shared, including in marketing and advertising efforts.

Sensitive protected health information (PHI) includes data about a patient’s past, present or future medical conditions, the provision of healthcare to the individual, and past, present or future healthcare payments. Given that social media platforms gather user information, track behavior and have license to use your visual assets, it’s easy to see why these regulations exist.

In the age of sharing patient before and after photos, testimonials and other sensitive information, healthcare providers should exercise extreme caution when crafting social media content. HIPAA regulations also mandate healthcare companies carefully manage customer interactions on social media—which includes preventing patients from sharing PHI, and deleting it if they do. Failing to comply with HIPAA regulations is costly—both financially and to your brand’s reputation.

However, as Katherine Van Allen, Senior Solutions Engineer at Sprout, points out, the benefits of social outweigh the risks. “Social media should be part of healthcare organizations’ strategy. The people you need to reach are on social—whether it’s prospective patients or employees. Without a social presence, you aren’t a part of vital conversations happening about your system. From discourse about a team member or location, clerical mistakes and legal actions, or rapidly spreading misinformation about a disease or treatment plan. Tuning into social media listening will help you pinpoint key areas of opportunity.”

How to create brand guidelines to support HIPAA and social media

Though you should always consult your legal counsel and compliance team regarding HIPAA compliance on social media, here are general best practices to follow as you create your brand guidelines.

Image: How to create brand guidelines to support HIPAA and social media. 1) Craft policies and train your team, 2) Follow de-identification best practices, 3) Monitor for HIPAA violations, 4) Build a process for patient approvals, 5) Stay up to date on legislative changes.

Craft policies and train your team

Start by consulting with your legal and compliance teams, and make them a key partner in validating the legality of your strategy, campaigns and content. Work with them to develop a social media compliance protocol, which should include instructions for corresponding with people via social media.

Familiarize your team with this protocol by co-creating HIPAA compliance training programs that feature social media education. In your training, highlight proper usage of customer data on social media and common HIPAA violations.

Follow de-identification best practices

When crafting new social media content, remove all PHI from your posts. PHI includes health information used alongside the following identifiers:

- Names (first, middle and last)
- Geographical indicators smaller than a state
- All elements of a date (except year)
- Phone and fax numbers
- Email addresses
- Social security numbers
- Medical record, health plan beneficiary and account numbers
- Certificate or license numbers
- Vehicle identifiers
- Device attributes
- URLs and IP addresses associated with patients
- Biometric identifiers
- Photographs of full faces and other unique physical identifiers
- Any other numbers or codes that could identify an individual

For more context, while a patient’s name paired with their vital signs is considered PHI, their vital signs alone are not.

Monitor for HIPAA violations

Even if you take every precaution to limit the use of PHI in your content, patients can still put your compliance at risk by sharing personal information themselves. Prevent this by adding disclaimers to your direct message interactions and brand profiles. Ask patients to refrain from sharing any PHI and inform them where they should route inquiries.

If a patient should mention or DM you and compromise PHI, delete the message immediately, and route them to a more appropriate channel. Florence advises, “Even if you add a disclaimer to your profile or DMs, some patients will still seek out medical advice. To combat this, some organizations use chatbots and triaging tools to automatically alert them of potential PHI, and respond to or delete sensitive content.”

By using a tool like Sprout Social’s Saved Replies, you can use pre-written replies to quickly respond to customers and redirect the conversation to a secure channel. You can also use Sprout’s chatbot builder to automatically reroute social users to an email address or other secure channel for healthcare-related conversations.

With Sprout’s Smart Inbox, you can use tagging and filtering to flag messages that contain PHI, and build workflows that delete those messages.
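As an added illustration (not Sprout’s code or any tool the article describes), here is a small Python screener that flags the pattern-shaped identifiers from the de-identification list above in an inbound DM and, following the rule that identifiers paired with health detail are PHI while either alone is not, decides whether the message is fine, should be held for a person, or should be deleted and the sender redirected. The sample messages, the health-context word list and the action names are constructed assumptions; names, locations, faces and biometrics still need human review.

```python
import re

# Safe Harbor identifiers with a recognisable shape. Names, locations below
# state level, full-face photos and biometrics need a human reviewer instead.
IDENTIFIER_PATTERNS = [
    ("email", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]*\w")),
    ("url", re.compile(r"https?://\S+")),
    ("ip_address", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone", re.compile(r"\(?\b\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b")),
    ("full_date", re.compile(
        r"\b\d{1,2}/\d{1,2}/\d{2,4}\b|\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug"
        r"|Sep|Oct|Nov|Dec)[a-z]*\.? \d{1,2},? \d{4}\b")),
    ("record_number", re.compile(
        r"\b(?:MRN|medical record|account|member|policy)\s*(?:#|no\.?|number)?"
        r"\s*[:#]?\s*(?=[A-Z-]*\d)[A-Z0-9-]{4,}\b", re.IGNORECASE)),
]

# Crude word-stem list (constructed) marking care, diagnosis or payment talk.
HEALTH_CONTEXT = ("admitted", "diagnos", "prescri", "surgery", "results",
                  "treatment", "appointment", "bill", "claim", "symptom")

def find_phi_indicators(text):
    """Return (category, matched_text) pairs for every identifier found."""
    hits = []
    for category, pattern in IDENTIFIER_PATTERNS:
        for match in pattern.finditer(text):
            hits.append((category, match.group(0)))
    return hits

def triage_message(text):
    """Decide how an inbound DM is handled before a human replies."""
    hits = find_phi_indicators(text)
    health_context = any(term in text.lower() for term in HEALTH_CONTEXT)
    if hits and health_context:
        action = "delete_and_redirect"  # identifier + health detail = likely PHI
    elif hits:
        action = "review"               # identifier alone: hold for a person
    else:
        action = "ok"
    return {"action": action, "indicators": hits}

# Constructed sample DMs; no real patient data.
SAMPLE_DMS = [
    "Hi, my son was admitted on 03/14/2024, MRN 48213-77. Call (555) 201-0199 "
    "or j.doe@example.com about his asthma results.",
    "Love the new pediatric wing! Great work, team.",
]
```

Run `triage_message(dm)` over each entry in `SAMPLE_DMS`: the first returns `delete_and_redirect` with four indicators, the second returns `ok`.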

Build a process for patient approvals

There might be some cases where patients (or their families) are interested in sharing their stories with your audience, like this adorable Halloween TikTok from Cleveland Clinic’s NICU.

@clevelandclinic

Halloween with our babies in the NICU has been no tricks but all treats! This year’s costumes include a monkey, tiger, owl, Buzz Lightyear, Woody and a pirate. Their special hats are a handmade gift. Halloween has never been sweeter!🎃😍

