Chief Compliance and Ethics Officer Health Care

Posts to your Social Media site

  • 1.  Posts to your Social Media site

    Posted 05-15-2019 04:20 PM
    Posts to your Social Media site

    As a covered entity we all know there are dangers to having a social media site like Facebook or Instagram. One of the problems, specifically with Facebook, is that you own your Facebook page and are legally responsible for all of its content, even posts by others.

    So if that is true, then when someone posts their own PHI on your Facebook page, are you obligated to either get an Authorization for Release of PHI from that person or edit out the PHI prior to allowing the comment to be published?

    Facebook, and I would imagine the other social media sites, have security settings that allow the page owner to control comments by others. For example you can set it so that all visitor comments have to be moderated prior to publishing. Or you can just turn off visitor commenting. You can even set it so that your page can't be tagged or mentioned directly by others.

    It doesn't feel right that just because a visitor mentions PHI, that suddenly you have implicit permission from them to confirm or carry on the discussion, sharing it with everyone on the planet. And since the page is under your control, maybe you shouldn't even allow the comment with PHI to be published at all, at least not without an explicit signed HIPAA authorization.

    Any thoughts or comments (non PHI of course)?

    Carl Russell
    Compliance Analyst
    Delta Dental of Idaho

    Anything I say is my sole opinion and not of my company.
    2020 HCCA Compliance Institute

  • 2.  RE: Posts to your Social Media site

    Posted 05-15-2019 04:49 PM



    I read 45 CFR 164.510 the same way. A detailed authorization specific to the PHI disclosure would be needed in each unique instance. On the one hand, the patient is self-disclosing so the Privacy Rule no longer applies. However, the FaceBook contract stating "You own the content you create and share on Facebook..." and "These guidelines apply if you create or administer a Facebook Page, group, or event, or if you use Facebook to communicate or administer a promotion," introduces this privacy risk on the part of the covered entity even as it's the patient doing the posting (but you own the shared content on your page.) I'm not a lawyer, this is just my opinion.


    That aside, I'm struggling to see the value in having a FB page where patients can post anyway.


    2020 HCCA Compliance Institute

  • 3.  RE: Posts to your Social Media site

    Posted 08-13-2019 11:16 AM
    At what point do you see an authorization being required?  Any post to your business facebook page from a patient saying 'great job' or 'not so great?'  Or would you limit this to posts where the patient discusses diagnosis/treatment or other details specific to them.

    Janet Schumacher
    Compliance Audit Nurse
    Medical Clinic of Houston

    2020 HCCA Compliance Institute

  • 4.  RE: Posts to your Social Media site

    Posted 08-13-2019 11:23 AM

    I believe a FB page can be set up to not allow any posts to show without first being approved by the administrator of the page.  Might be helpful in making sure no PHI is posted.


    Michael Scudillo, OTR, CHC 
    Chief Compliance Officer/Privacy Officer

    15 Microlab Road
    Suite 101 • Livingston, New Jersey 07039

    P: 1-973-992-8181 X7108 • F: 1-973-992-9797 • C: 1-973-699-4964

    This email and any attachments may contain information that is confidential, proprietary and/or privileged. It is intended only for the use of the person(s) and entity(ies) to whom it is addressed. If you are the intended recipient, further disclosures are prohibited without proper authorization. If you are not the intended recipient, any disclosure, copying, printing or use of this information is strictly prohibited and possibly a violation of the health insurance portability and accountability act (HIPAA) and other federal and state laws and regulations. If you have received this information in error please contact Universal Institute at 973-992-8181 ext. 7018 or via email at> and delete the material from all computers.>

    2020 HCCA Compliance Institute