Social Media Risk Management: A Healthcare Provider’s Guide to Appropriate Use

Hess_Emily_2013By Emily Hess
From Compliance Todaya publication for HCCA members

Facebook, Twitter, YouTube, and blogging can provide minute-by-minute updates about each person’s or entity’s day. By using social media, healthcare providers or corporations can almost instantly promote their services to friends and potential clientele. Although social media serves an important role in marketing and socializing, it also presents high risk when used inappropriately. Risks associated with Health Insurance Portability and Accountability Act (HIPAA) violations, malpractice suits, unlicensed practice of medicine, and destruction of your professional image can be reduced or avoided through appropriate social media use.

[bctt tweet=”@theHCCA #Risk management is necessary for appropriate social media use.” via=”no”]


It has become common practice for a person to discuss the events of their day via social media, but for a healthcare provider, doing so may be illegal. If a healthcare provider discloses details that would allow a viewer to identify a patient via social media, this poses a HIPAA violation.  Many providers believe that only the disclosure of “significant” patient identifiers poses a risk of a HIPAA violation, such as posting a patient’s name, address, or date of birth.  However, even a seemingly vague description of a patient interaction may present a potential HIPAA violation, if there is a reasonable basis to believe that the information disclosed could allow for the identification of the patient.  For example, if a provider posted that they treated a patient with certain injuries (e.g., exotic animal bites, uncommon weapon injuries), rare illnesses, or unusual diseases, then this post in combination with basic social media profile information about the healthcare provider’s place of employment and date of posting may allow for the identification of a patient. You cannot guarantee that your “friends” or “followers” don’t share some connection to your patients, which is why the safest practice for providers is to not post comments or pictures pertaining to patients and their care.

Malpractice and unlicensed practice of medicine

In an effort to save money through self-diagnosis, friends may post or tweet complaints about health ailments and ask for ideas on how to be cured. Although you may think you are helping a friend by providing advice on how to proceed, a simple response from a healthcare provider, such as “Try taking Excedrin, because it sounds like you have a migraine” may be interpreted as practicing medicine. Providing healthcare advice without examining a patient is risky. You may have thought you were innocently commenting on a friend’s tweet or post like any other social media participant, but because you are a healthcare provider, greater weight is given to your healthcare-related comments. If your advice goes wrong, the “friend” you were trying to help may sue you for malpractice. If that “friend” you advised lives in another state, and you do not have a license to practice medicine there, you may be accused of engaging in the unlicensed practice of medicine.

Destruction of professional image

Viruses and hackers are able to appropriate your account and use it for their own gain or entertainment. You may think your Facebook or Twitter account is sitting unused, when in reality a hacker or virus is using your account in an unprofessional manner, such as posting advertisements for male enhancement drugs or sending “I love you” messages to all of your friends/followers, including your patients and co-workers.  Be sure to manage each of your social media accounts by regularly checking them for appropriate use, and keep your personal social media outlets separate from your business social media outlets.

So remember:

  • Do not provide information regarding patients through any social media outlet. This will eliminate your risk of violating HIPAA through social media use. You just never know if the patient you cared for earlier today liked you so much that they started following your tweets.
  • Do not respond to healthcare questions posed on social media. The small favor you think you are doing for a friend may come back to bite you in the form of a malpractice suit or an unlicensed-practice-of-medicine allegation.
  • Keep your personal social media accounts separate from your business social media accounts. This will also substantially reduce the risk that your patients and co-workers will have the opportunity to see that picture of you in college posted by your old roommate.
  • Regularly check your social media accounts. Viruses, hackers, and imposters pose a risk that you are unknowingly emitting an unfavorable image of yourself.
  • Retain strong privacy settings. This will help maintain the separation of your personal and business social media outlets.

Social media poses additional risks to healthcare providers.  By appropriately managing these risks, healthcare providers can enjoy the benefits of social media and avoid the pitfalls.

Emily Hess ( is Staff Attorney and Assistant Compliance Officer for Premier Physician Services, Inc. in Dayton, OH.