Social Media and HIPAA Compliance: Why Even “Good” Posts Can Be Dangerous

0
2856

By Jordan Mayer, Compliance at Medcurity
For The Compliance & Ethics Blog

In an era when healthcare organizations strive to tell their stories, social media and web content offer powerful outreach tools. Yet, the consequences of mishandling patient information online are real—and the recent OCR settlement with Cadia Healthcare highlights just how exposed organizations can become.

This article explores the risks, key legal principles, and practical best practices for safely navigating social media and public-facing content in compliance with HIPAA in 2025.

The Cadia Healthcare Settlement

In brief: Cadia Healthcare Facilities posted “success stories” of patients—including names, photos, diagnoses, treatments, and outcomes—on public-facing websites and affiliated platforms. OCR found that the disclosures were made without valid, written HIPAA authorizations and affected approximately 150 patients.

The violations included:

  • Impermissible disclosure of PHI
  • Failure to maintain appropriate administrative, technical, and physical safeguards
  • Failure to issue required breach notifications to affected individuals

As part of the resolution, Cadia paid $182,000 and agreed to a corrective action plan lasting two years, including overhauled policies, workforce retraining (including marketing staff), and careful review of any future online content and promotional materials. Even well-intended marketing posts or patient testimonials can trigger serious compliance violations if they include PHI without proper authorization.

Legal Framework: What HIPAA Demands for Online and Social Media Use

1. Privacy Rule: Authorization & Minimum Necessary

Under HIPAA’s Privacy Rule, a covered entity or business associate must obtain a valid, HIPAA-compliant written authorization before using or disclosing a patient’s PHI in marketing, testimonials, or publicly visible content—not just in clinical or internal communications.

Even if a patient consents verbally or by implication, that does not satisfy HIPAA’s requirements. Any posted content must also adhere to the minimum necessary standard (i.e. reveal only what is essential).

2. Safeguards (Security Rule)

Although the Privacy Rule governs permitted disclosures, HIPAA’s Security Rule also plays a role: covered entities must adopt administrative, technical, and physical safeguards to protect the confidentiality and integrity of PHI, including content stored or transmitted for social media or online platforms.

A lack of review workflows, incomplete editing controls, or uncontrolled access to posting platforms can be viewed as failures in these safeguards.

3. Breach Notification Rule

If PHI is disclosed improperly (i.e. without authorization) and cannot be considered “unsecured,” organizations may be obligated to notify affected individuals, OCR, and potentially media, depending on the magnitude. The Cadia case included a finding of failure to issue breach notifications.

Common Risks & Pitfalls in Online/HIPAA Contexts

  • Testimonials or success stories posted without authorization: As in the Cadia case, this remains a high-risk area.
  • Unintended background PHI in photos or videos: Screens, charts, whiteboards—even partial weblinks—can expose protected details.
  • Comments or replies confirming care: Publicly acknowledging that a person is or was your patient can violate the “disclosure” rules.
  • Cross-posting across platforms without review: A post may be fine on one channel but violate standards on another (e.g. a thumbnail, embed, or SEO snippet).
  • Using personal accounts or informal channels: When staff use personal or loosely controlled accounts, compliance oversight weakens.

Best Practices: How to Use Social Media Responsibly Under HIPAA

Here is a practical roadmap for compliance professionals:

Obtain valid, HIPAA-compliant authorizations: Use a standardized, clearly written authorization in which the patient understands how their information will be used, where, and for how long. Store documentation securely and tie it to the specific content.

Involve compliance/ legal in marketing workflows: Any content involving patient stories or clinical outcomes should go through a review pipeline where legal/compliance reviews disclosure risk, PHI exposure, and editing safeguards.

De‑identify whenever possible: If you can tell the story without PHI (e.g. general description, pseudonym, aggregated data), that reduces risk.

Use controlled access and permissions: Limit posting rights to trained, validated staff. Use role-based controls on social media tools and content management systems.

Preview, audit, and test content: Create a staging review environment. Visually inspect images and drafts to catch stray PHI. Maintain an audit trail and version control.

Train workforce broadly: Beyond marketing staff, train all employees about the risks of posting PHI. Make clear guidelines for social interactions, comment responses, and indirect exposures.

Respond carefully to inquiries: If a patient comments publicly, don’t discuss care or PHI there. Redirect them to secure channels (phone, portal) and avoid acknowledgement of status.

Have an incident response plan: If an impermissible disclosure occurs, act quickly: remove content, assess impact, notify affected individuals, report to OCR if required, document all steps.

Monitor and audit regularly: Schedule periodic audits of social media and web content, including historical posts. Use monitoring tools that can flag content with PHI keywords or terms.

Align policies with updates and trends: HIPAA regulations and enforcement expectations evolve. Stay current with OCR guidance, settlements, and proposed rule changes.

Applying the Lessons

From a compliance perspective, here’s where Cadia—and any organization—can draw direct lessons:

  1. Never post patient success stories without explicit authorization. Even if the patient is supportive, HIPAA demands a formal, documented authorization.
  2. Review marketing content with compliance oversight. Their lack of adequate policies or review processes was a core failing.
  3. Audit and remove legacy or archived content. Some disclosures may remain hidden in archives or older web pages. A comprehensive content audit is essential.
  4. Train marketing staff in HIPAA as much as clinical staff. OCR required Cadia to extend HIPAA training to their marketing personnel.
  5. Put in place breach notifications and remediation. The failure to notify patients was part of OCR’s finding.

Social media and online content are powerful tools for healthcare engagement—but they demand respect for privacy, process, and legal boundaries. The Cadia settlement serves as a pointed reminder: even well-intended storytelling can lead to HIPAA violations if not handled with care and structure.

For compliance professionals, the path forward is clear: build structured workflows, require review and authorization, audit relentlessly, and keep training top of mind. In doing so, you protect not only your organization—but, most importantly, your patients.