HIPAA & Social Media Marketing

  • 1.  HIPAA & Social Media Marketing

    Posted 10-05-2020 10:43 AM
    I would like your input on the following scenario, please.

    A hospital-employed provider uses a third party to oversee their own social media marketing and to solicit patient reviews. The provider gives the third party the names of happy patients and then the third party reaches out to the patients on social media and asks them to leave a positive Google review of the provider.

    Is the provider allowed to give the patient's name and contact information to the third party to contact the patient if they do not have a BAA?   If they do have a BAA?  If so, should the BAA be signed by the provider or the hospital?

    Is there anything else that should be considered?

    Thank you!

    Compliance/Ethics & Privacy Director
    19th Annual CEI Virtual Conference

  • 2.  RE: HIPAA & Social Media Marketing

    Posted 10-05-2020 11:26 AM

    My stab at this-

    This is not a TPO exception by any way I look at it.

    The patients should have been asked to consent to and sign a media release before giving out their information. A standard HIPAA release would not do.


    Jennifer McWain CHC, PT, MHS | Compliance Officer & Clinical Excellence Specialist

    Mary Free Bed Rehabilitation Hospital

    235 Wealthy St. SE Grand Rapids, MI 49503

    office: 616-840-8173

    cell: 616-334-0488

    fax: 616-840-9763

    You may also report compliance concerns through the Anonymous Compliance Hotline: 616-840-8706
