5 Steps for Creating an Effective Social Media Policy


The use of social media for online communication is recognized as an effective way to promote community relations, recruitment activities and marketing events. Medical office staff, however, must fully understand what constitutes appropriate use of social media. Creating a social media policy for medical office staff establishes guidelines that protect patient privacy and prevent violations of the HIPAA Privacy Rule.

1. Define Social Media

Social media, as defined by dictionary.com, refers to any website or other online means of communication that is used by large groups of people to share information and to develop social and professional contacts. Popular social media or networking sites include, but are not limited to:

2. Establish Guidelines

The social media policy should establish guidelines for the use of social media sites, whether for personal or professional purposes. Employees of an organization that is identified as a covered entity must follow the HIPAA Privacy Rule by ensuring the privacy and security of protected health information at all times.


…be professional especially if you have identified yourself as an employee
…include a statement stating your views are your own and not your employers
…remove tags on pictures that a patient posts to keep the picture off of your page


…participate in any online communication with patients of the medical office
…post pictures of patients under any circumstance even if it is unidentifiable
…discuss any details of your job or activities that occurred during the work day

3. Express the Penalties

Violating HIPAA carries a maximum penalty of $1.5 million, which can be imposed on the violating institution and on the individual employees involved. A violation of the social media policy is a violation of the HIPAA policy and should result in some form of corrective action for the employee(s) involved. Follow the same corrective action stated in your current confidentiality policy, and clearly state that the penalty can also include termination.

4. Additional Training Materials

The US Department of Health and Human Services (HHS) provides training materials on its website that providers can use to educate their staff; these can be updated as needed to incorporate modifications made to the HIPAA Privacy Rule. These six PowerPoint presentations can be incorporated into your employee HIPAA training:

  1. Introduction: Describes the statutory and regulatory background and purpose of HIPAA and a general summary of the principles and key provisions of the Privacy Rule.
  2. Covered Entity, Business Associate, and Organizational Options: Explains and defines the types of entities that are covered by the Privacy Rule. The term business associate is defined, as are the requirements of the Privacy Rule when business associates carry out health care activities and functions on behalf of covered entities. Describes Privacy Rule provisions that address how an entity's organization may affect privacy functions.
  3. Protected Health Information, Uses and Disclosures, and Minimum Necessary: Describes the health information that is protected by the Privacy Rule. The presentation extensively describes the required and permitted uses and disclosures of PHI by a covered entity or its business associate, including situations where PHI may be used or disclosed without the individual’s authorization and when such authorization is required. The Rule’s minimum necessary provisions and its requirements are explained.
  4. Research: Summarizes the Privacy Rule’s provisions and requirements related to research. Describes when a covered entity may use and disclose PHI for research purposes and what research is affected. The presentation illustrates the relationship of the Privacy Rule’s research provisions to other research rules, such as the Common Rule.
  5. Administrative Requirements: Describes the Privacy Rule’s administrative requirements for covered entities, such as policies and procedures, data safeguards, documentation and record retention, prohibition on retaliation, complaints to the covered entity, workforce training and sanctions.
  6. Compliance and Enforcement
Source: www.hhs.gov

5. Some Examples

MDNews.com reported:

In a case pending before the National Labor Relations Board, a nurse who had treated a fatally wounded police officer and the alleged gunman was terminated after posting on her private Facebook account that she came “face to face” with a “cop killer” and hoped he “rotted in hell.” The ostensible reason for termination was violations of HIPAA and the hospital’s rules on patient privacy.

WISN.com reported:

Two nurses were fired for taking pictures of a patient's X-ray with a cell phone and posting the pictures on Facebook. The patient was admitted to the emergency room with an object lodged in his rectum. Police said the nurse explained she and a co-worker snapped photos when they learned it was a sex device. Police said discussion about the incident was posted on her Facebook page, but they haven't found anyone who actually saw the pictures.

Read more: http://www.wisn.com/news/18796315/detail.html

©2014 About.com. All rights reserved.