The Social Media Landmine

If you’ve read our writings or attended one of my speaking engagements, then you know one of the recurring themes we recite is how your social media information is used as a weapon in phishing and vishing attacks against you. The fact is if you work in an industry where you have access to sensitive data, and you’re routinely posting your personal activities on social media, you’ve increased your risk of being targeted by cybercriminals. The same holds true for organizations. Posting the names of your employees, officers, doctors, etc. on social media or on your website increases your risk of attack. However, we recognize many organizations see social media as a powerful marketing opportunity. Let’s discuss the use of social media in a secure industry like healthcare.

First and foremost, before any type of marketing campaign, including one that engages social media, is embarked upon by a healthcare organization, one needs to review the specific HIPAA laws that address it. The most important of these to consider is patient consent. Frankly, most HIPAA issues can be mitigated with proper patient consent. 

We’ve seen organizations who bury their marketing intentions in their Notice of Patient Privacy. This is a bad idea for two reasons. One, people don’t read it, and two, the patient signature requirement may soon go away, decreasing the likelihood even further that the patient reads it. Finally, you put yourself in a weak legal position if this is all the consent you have to rely upon. We recommend a specific form your patient signs. This consent form should address all of the ways in which you intend to use the patient’s information – including what information is included and what social platforms you’re posting on. If you need help with this form, give us a call.

Our position on social media hasn’t changed. It’s a minefield you’re walking through. However, we recognize the bite from that apple is too tempting for many of you to resist. So if you’re going to do it, have a CLEAR (and written) policy, have a dedicated form for patient consent, and it’s not a bad idea to run this past your attorney as well.

The cyber-world continues to turn, so stay alert and vigilant. 

If you have any questions or if you are concerned about your organization’s cybersecurity, give us a call at (800) 970-0402. We’ll be happy to help.


For more HIPAA information, download our ebook – The Ultimate HIPAA Compliance Handbook.

The HIPAA Security Rule requires the implementation of a security awareness and training program for all members of its workforce (including management). Have your team sign up for a weekly HIPAA Security Reminder to help stay compliant.