HIPAA and Social Media: What Every Chiropractor Needs to Know

by Ray Foxworth, D.C., FICC, President & Founder, ChiroHealthUSA

As chiropractors increasingly turn to social media to promote their practices and engage with patients, it’s critical to understand how HIPAA (Health Insurance Portability and Accountability Act) affects your social media activity. While social media offers an excellent platform to promote services and share health tips, it also introduces risks of violating patient privacy. Understanding HIPAA rules and creating a clear social media policy can help you navigate these challenges effectively.

The most critical HIPAA rule for social media is simple: never disclose Protected Health Information (PHI) without authorization. PHI includes any information that can identify a patient, such as their name, address, medical condition, treatment details, or even photos. Violating HIPAA by sharing PHI on social media—intentionally or accidentally—can lead to severe consequences, including fines and loss of trust.

Although HIPAA was enacted before the rise of platforms such as Facebook, Instagram, and TikTok, its Privacy Rule still applies. HIPAA prohibits covered entities, including chiropractors and their staff members, from using or disclosing PHI without written patient authorization. You cannot share patient stories, testimonials, or images that reveal identifying information unless you have clear, documented permission.

Understanding Patient Authorization for Social Media

If you plan to share any patient-related content, written authorization is essential. The patient must be informed about what specific information will be shared, the purpose of the disclosure, and the potential for their information to be further shared or reposted. The patient also has the right to revoke their authorization, but remember that once something is posted online, it’s nearly impossible to retract completely. Therefore, obtaining thorough consent is crucial to protecting your practice and patients.

Key elements of a valid patient authorization, as outlined by HIPAA, include:

  • A description of the information to be used or disclosed
  • The purpose of the disclosure
  • The patient’s right to revoke authorization
  • An expiration date for the authorization

Ensure your patients understand that their information may be shared widely or even captured via screenshots once posted.

Social Media Increases Risk for HIPAA Violations

Social media makes it easy to violate HIPAA inadvertently. Something as simple as posting a photo in your office, where a patient’s chart is visible, or responding to a patient’s comment about their care can cross the line. Even if no names are mentioned, any hint of identifiable information could be a violation.

For example, sharing a photo of a patient’s injury without additional context might seem harmless. However, it could be a breach if there’s any way to identify the patient from the image or if it implies a treatment relationship. This risk is heightened on platforms where sharing and reposting content is standard, making it difficult to control once posted.

Guidelines for Chiropractors to Stay HIPAA Compliant

  1. Never Post PHI Without Authorization: This includes names, photos, or personal details about a patient’s condition or treatment. Always get written permission before posting anything involving a patient.
  2. Create and Follow a HIPAA-Compliant Social Media Policy: A clear policy should outline how your practice uses social media and the protocols in place to protect patient privacy. Enforce tough penalties for non-compliance to minimize risks.
  3. Educate Your Team: All staff members, even those without direct access to patient information, should be trained on HIPAA’s social media rules. Ensure everyone understands PHI and the dangers of posting without authorization.
  4. Separate Personal and Professional Accounts: Ensure that any business-related social media activity happens through professional accounts, not personal ones. This helps create a boundary that can prevent accidental disclosures.
  5. Monitor Social Media Activity: Regularly review your practice’s social media pages and posts to ensure compliance. Conduct checks for potential HIPAA violations, such as improper sharing of patient information.

Consequences of HIPAA Violations

HIPAA violations on social media can result in hefty fines, legal action, and damage to your practice’s reputation. For example, in one case, a dental practice was fined $10,000 for disclosing a patient’s information in response to a negative review. In another, a nurse was sentenced to jail for posting a video of a patient online.

Social media offers valuable opportunities for chiropractors to engage with their communities and promote wellness, but it also comes with significant responsibilities under HIPAA. By creating clear policies, training staff, and obtaining proper authorizations, you can use social media while ensuring patient privacy and compliance. If you and your team have not completed your annual compliance training, including HIPAA, check out this online training from ChiroArmor.