Social Media Compliance for Healthcare: What You Can (and Can't) Post

A guide to maintaining HIPAA compliance and avoiding legal pitfalls while building an active social media presence for your medical practice.

Your practice needs a social media presence. Patients expect it. It builds community, humanizes your brand, and supports your marketing efforts.

But healthcare social media comes with landmines. One wrong post can mean HIPAA violations, patient complaints, or worse. The fear of making mistakes keeps many practices from posting at all—which is its own kind of failure.

Here’s how to build an active, engaging social media presence without crossing compliance lines.

The Stakes: Why Compliance Matters

Let’s be clear about what’s at risk:

HIPAA violations can be expensive. Penalties range from $100 to $50,000 per violation, with annual maximums up to $1.5 million. A social media mistake that exposes patient information can trigger these penalties.

Reputation damage is real. Beyond fines, a privacy violation on social media is public. Screenshots live forever. The PR damage can exceed the financial penalties.

Patient trust is fragile. Patients who see their provider mishandle others’ privacy will question whether their own information is safe.

But absence has costs too. Practices that avoid social media entirely miss opportunities to connect with patients, build community, and stay visible.

The goal isn’t to avoid social media—it’s to use it confidently within appropriate boundaries.

HIPAA and Social Media: The Basics

HIPAA protects Protected Health Information (PHI). On social media, two things matter: knowing what counts as PHI, and following one core rule about sharing it.

What Counts as PHI?

Any information that could identify a patient AND relates to their health condition, treatment, or payment for healthcare.

The 18 identifiers include:

  • Names
  • Geographic data (address, zip code)
  • Dates (birth date, admission date, discharge date)
  • Phone numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Photos of patients
  • Any other unique identifying number or code

The “AND relates to health” part matters. A photo of someone in your waiting room connects them to healthcare. Even without naming them, you’ve potentially created PHI.

The Core Rule

Never share patient information without explicit written authorization.

This isn’t just about obviously medical posts. It includes:

  • Photos showing patients (even in backgrounds)
  • Confirming someone is your patient
  • Sharing details that could identify someone
  • Responding to comments in ways that reveal patient status

What You CAN Post (Safe Content Types)

Plenty of content is completely safe. Build your social media strategy around these categories:

Educational Health Content

General health information that doesn’t reference specific patients.

Examples:

  • “5 tips for managing seasonal allergies”
  • “What to expect during a routine eye exam”
  • “Understanding your blood pressure numbers”
  • “When to see a doctor about back pain”

Why it’s safe: No patient information involved. Just educational content.

Pro tip: This content positions you as an authority and often performs well algorithmically.

Practice Updates and News

Information about your practice that doesn’t involve patient details.

Examples:

  • New provider announcements
  • Office hour changes
  • New services or equipment
  • Holiday closures
  • Awards and recognitions

Why it’s safe: It’s about your business, not patients.

Team and Culture Content

Humanize your practice by showcasing your team.

Examples:

  • Staff birthday celebrations
  • Team member spotlights
  • Behind-the-scenes office life
  • Community involvement
  • Staff achievements

Why it’s safe: Focuses on staff (with their consent), not patients.

Note: Get employee permission before posting their photos. While not a HIPAA issue, it’s a respect and employment law issue.

General Event Promotion

Promote events and activities.

Examples:

  • Health fair participation
  • Community sponsorships
  • Educational seminars
  • Open house events

Why it’s safe: Public events, no patient information.

Industry News and Commentary

Share relevant healthcare news with your perspective.

Examples:

  • New treatment options in your specialty
  • Healthcare policy updates
  • Research findings
  • Seasonal health trends

Why it’s safe: General information, no patient details.

Office Environment Photos

Showcase your space (when empty of patients).

Examples:

  • Newly renovated waiting room
  • New equipment
  • Office decorations
  • Exterior building shots

Why it’s safe: No patients visible.

Pro tip: Take these photos before/after hours when no patients are present.

What You CANNOT Post (Red Lines)

These are non-negotiable boundaries:

Patient Content Without Written Authorization

Even if the patient verbally says “sure, post it!”—that’s not enough.

Required: Signed HIPAA authorization specifically for social media use.

The authorization must specify:

  • What will be shared
  • Where it will be shared
  • Purpose of sharing
  • Expiration date
  • Right to revoke

Even with consent, consider:

  • Is this in the patient’s best interest?
  • Could this be misinterpreted?
  • Will the patient still be comfortable in 5 years?

Any Information That Identifies a Patient

This includes:

  • Names
  • Photos (face or identifying features)
  • Location information
  • Dates of service
  • Descriptions that could identify (“our patient who just had twins”)

Even if you think it’s anonymous, it might not be. “Our patient from Springfield who just completed treatment for…” could identify someone in a small community.

Confirmation of Patient Status

Never confirm someone is your patient, even if they’ve disclosed it themselves.

Scenario: Patient posts on your Facebook: “Dr. Smith was amazing during my surgery!”

Wrong response: “Thank you, Sarah! We’re so glad your surgery went well!”

Right response: “Thank you for the kind words! We always aim to provide excellent care.”

The difference? The first confirms she was a patient and had surgery. The second is generic.

Before/After Photos

Even with general photo consent, before/after photos may need additional authorization because they:

  • Document health conditions
  • Show treatment outcomes
  • Could be identified even without faces

Best practice: Separate consent specifically for before/after use, detailing exactly how images will be used.

Any Patient Information in Comments or Messages

If someone asks about their appointment in a Facebook comment, don’t respond with specifics publicly.

Move it offline: “Please call our office at [number] so we can assist you with scheduling.”

Screenshots of Reviews

Sharing reviews might seem harmless, but:

  • It confirms the reviewer was a patient
  • The review itself may contain PHI
  • Better to let reviews live on the original platform

Patient Photos and Testimonials: The Right Way

Patient content is powerful marketing—when done correctly.

Use a dedicated social media authorization form that includes:

  1. Specific description of what will be shared (photo, video, testimonial)
  2. Specific platforms where it will appear (Facebook, Instagram, website)
  3. Duration of authorization (or “indefinitely until revoked”)
  4. Statement that patient can revoke at any time
  5. Acknowledgment this is voluntary and won’t affect care
  6. Signature and date

Store consent forms with patient records. You may need to prove authorization later.

Best Practices for Patient Content

Be selective. Not every satisfied patient needs to be on social media. Choose content that truly benefits your marketing.

Check in before posting. Even with written consent, a quick “we’re planning to post your testimonial next week—still okay?” is courteous.

Give patients control. Let them review the post before it goes live if they request.

Respect revocation. If a patient changes their mind, remove the content promptly.

Consider longevity. Will this patient be comfortable with this post in 5 years? 10 years?

Responding to Comments and Messages

Social media is interactive. How you respond matters.

Public Comments

Never:

  • Confirm someone is a patient
  • Discuss any care details
  • Respond defensively to complaints

Always:

  • Keep responses generic
  • Move specific issues offline
  • Maintain professional tone

For positive comments: Generic response: “Thank you for the kind words! We appreciate you taking time to share.”

For negative comments: Generic response: “We’re sorry to hear about your experience. Please contact our office at [number] so we can address your concerns directly.”

For specific questions: Generic response: “For questions about your care, please call our office at [number]. We’re happy to help!”

Private Messages/DMs

Treat DMs like any other electronic communication:

  • Don’t share PHI in unencrypted messages
  • Move healthcare discussions to secure channels
  • Document as appropriate

Response template: “Thank you for reaching out! For privacy and to best assist you, please call our office at [number].”

Reviews

Responding to reviews on Google, Facebook, etc. follows the same rules:

  • Never confirm patient status
  • Never discuss care details
  • Keep responses professional and generic
  • Address issues offline

Staff Social Media Policies

Your personal compliance doesn’t matter if staff violate policies.

What a Social Media Policy Should Cover

Personal accounts:

  • No posting about work situations involving patients
  • No photos from the workplace that could include patient information
  • No discussing specific patient cases, even without names
  • No “venting” about work situations that could identify patients

Official account access:

  • Who is authorized to post
  • Approval process for content
  • Response protocols
  • Crisis communication procedures

Prohibited activities:

  • Sharing patient information in any form
  • Posting photos that could include patients
  • Discussing patient cases (even “anonymously”)
  • Friending or following patients (depends on practice preference)

Training Requirements

All staff should receive:

  • Initial social media policy training
  • Annual refresher training
  • Updates when policies change
  • Clear examples of do’s and don’ts

Document training with signed acknowledgments.

Monitoring and Enforcement

  • Regularly review official account activity
  • Have a process for addressing violations
  • Apply consequences consistently
  • Remember: staff education is the best prevention

When Things Go Wrong

Despite best efforts, mistakes happen.

Immediate Steps

  1. Remove the content immediately. Don’t wait to investigate—take it down first.

  2. Screenshot before removing. You may need documentation for breach assessment.

  3. Determine if it’s a breach. Not every mistake is a reportable breach, but you need to assess.

  4. Contact your compliance officer or privacy officer. If you have one, involve them immediately.

  5. Document everything. What was posted, when, who saw it, when removed, what actions taken.

Breach Assessment

HIPAA requires breach assessment. Consider:

  • What information was exposed?
  • How many people saw it?
  • Who accessed it?
  • What’s the risk of harm?

Many social media mistakes are low-risk, but some require notification.

If Notification Is Required

Breaches affecting 500+ individuals require:

  • Notification to affected individuals
  • Notification to HHS
  • Media notification in affected states

Smaller breaches:

  • Notification to affected individuals
  • Annual log reported to HHS

Consult legal counsel if you’re unsure whether notification is required.

Learn and Improve

After any incident:

  • Review what went wrong
  • Update policies if needed
  • Provide additional training
  • Consider whether process changes are needed

Building a Compliant Social Media Strategy

Develop a Content Calendar

Plan content in advance. Planned content is less likely to create problems than reactive posting.

Include:

  • Educational posts
  • Practice updates
  • Team spotlights
  • Seasonal content

Review calendar for compliance before posting.

Create Approval Workflows

For anything beyond routine posts:

  • Who approves patient content?
  • Who reviews before posting?
  • What requires leadership sign-off?

Use Scheduling Tools

Scheduling tools let you:

  • Plan content in advance
  • Review before posting
  • Maintain consistency
  • Allow for approval workflows

Monitor and Respond Systematically

  • Check accounts daily for comments/messages
  • Have templates ready for common responses
  • Escalate issues appropriately
  • Document response activities

Ready to Build Your Social Media Presence?

At MedTech Consulting, we help medical practices develop social media strategies that engage patients while maintaining compliance.

Contact us for a social media strategy consultation.
