Awareness article
HIPAA and Social Media: What Clinic Staff Can and Cannot Post
Social media creates HIPAA exposure for clinics in ways staff often do not anticipate. This guide explains what constitutes a HIPAA violation on social media, what requires written patient authorization, and how to build a clinic social media policy.
Short answer
Social media creates PHI exposure in ways that are not obvious to clinical staff. Even posts without patient names can violate HIPAA if they allow identification. This guide covers what constitutes a violation, what requires written authorization, prohibited categories, and how to build a clinic social media policy.
Social media creates HIPAA exposure that is easy to overlook and hard to undo. A post goes live in seconds. A screenshot persists indefinitely. And many of the behaviors that feel natural on social media — celebrating a patient’s recovery, sharing a compelling case, responding to a kind review — can cross into PHI disclosure without any intent to harm.
This guide covers the specific scenarios that create risk for small clinics, what the rules actually require, and how to build a social media policy that protects patients and staff.
Why social media is a HIPAA problem
The Privacy Rule at 45 CFR §164.502 prohibits covered entities from using or disclosing PHI except as specifically permitted. PHI includes any individually identifiable health information — information that relates to a person’s health, treatment, or payment and that can be used to identify the individual.
The identification requirement is broader than most staff realize. A patient does not need to be named. If a combination of factors — physical location, date, condition, demographic information, or circumstantial details — allows the patient to be identified by anyone with ordinary knowledge of the circumstances, the disclosure contains PHI.
The person most able to identify a patient from a vague post is often the patient themselves, or people close to them who know the patient was receiving care. That is the practical standard staff should internalize.
Specific scenarios that create violations
Before and after photos
Before and after photographs are among the most common HIPAA violations involving social media. Dermatology, plastic surgery, dentistry, ophthalmology, and other specialty practices frequently share before/after photos as marketing. These photographs contain PHI: they identify a patient and reveal information about their health condition and treatment.
Using before/after photos on social media requires a valid HIPAA authorization under 45 CFR §164.508. That authorization must:
- Describe the specific information to be used (photographs of the patient’s condition)
- Name the persons or entities authorized to use the information (the clinic and any platforms)
- State the purpose for which the information will be used (social media marketing, website)
- Identify the expiration date or event for the authorization
- Be signed by the patient or their personal representative
A general photo consent form, an intake form checkbox, or a form signed at the front desk that does not specifically cover social media use does not satisfy this requirement. If your existing photo release predates your social media presence, have it reviewed and updated.
Patient shout-outs and congratulations
A staff member posts: “So proud of our patient who completed chemotherapy today! You are an inspiration.” The post does not use a name. It may not even be visible to the patient. But it discloses that someone was receiving chemotherapy at your clinic, and anyone who knows that person was a patient can piece the information together.
Congratulating, thanking, or celebrating patients on public social media channels — even in vague terms — requires authorization. The well-intentioned nature of the post does not change the analysis.
The only safe version of this scenario is content the patient creates and shares themselves, with no clinic involvement in disclosing their clinical status.
“Interesting case” posts
Staff — particularly clinicians — sometimes post about unusual or medically interesting cases. The post might describe a clinical presentation, a diagnostic challenge, or an uncommon treatment approach. No name. Sometimes no identifiable characteristics at the surface level.
But geographic specificity, rare conditions, timing, age group, and other details can collectively identify a patient. HHS guidance has addressed this: posting de-identified information requires meeting the de-identification standard at 45 CFR §164.514(b) — either expert determination or the Safe Harbor method (removing 18 specific identifiers). A clinical description that simply omits the name does not meet this standard.
Staff should not post case details — interesting or otherwise — on personal or clinic social media without explicit authorization or verified de-identification that meets the regulatory standard.
Social check-ins and location tags
Clinic social media accounts sometimes tag patients in posts or respond to patients who tag the clinic. If a patient tags your clinic in a social post, responding publicly — even just “thank you for visiting!” — confirms that the person was at your clinic and received care. That confirmation is PHI.
Staff should also understand that if a patient checks in at your clinic using a social media location feature, the clinic did not create that disclosure. The patient chose to disclose their own health information. A clinic response that expands on or confirms clinical details is the problem — not the patient’s own post.
Responding to patient reviews
Negative patient reviews on Google, Yelp, Healthgrades, or other platforms create pressure for clinic staff to respond. The impulse to defend the clinic, correct inaccuracies, or tell the clinic’s side of the story is understandable. But doing so almost always requires referencing clinical circumstances — which means disclosing PHI.
The OCR guidance is clear: covered entities must not disclose PHI in responding to public reviews. A clinic cannot confirm that the reviewer is a patient, cannot reference the visit or treatment, and cannot explain what “really happened” using clinical details.
Appropriate responses acknowledge the concern, express commitment to patient experience, and invite the person to contact the clinic privately. They do not confirm or deny the clinical relationship.
What requires written authorization
Before any of the following, a HIPAA-compliant written authorization must be in place:
- Publishing before/after photos on any platform
- Tagging a patient in any clinic social media post
- Naming or describing a patient (by name or recognizable detail) in clinic content
- Sharing patient testimonials that identify the patient
- Using a patient’s image in any clinic marketing material
The authorization form must be specific. It should name the platforms (Instagram, Facebook, clinic website), describe the content type (photographs, written testimonial, video), and state the expiration. Keep signed authorizations in the patient record.
What is prohibited regardless of authorization
Some social media content cannot be made compliant even with authorization because authorization must be given voluntarily and without coercion. Staff should be trained never to:
- Post content that could embarrass or harm a patient
- Share clinical images for entertainment purposes or to mock patient presentations
- Discuss patient cases in social media comment threads or direct messages
- Screenshot or share patient communications on social platforms
Building a clinic social media policy
A written policy creates the framework for consistent staff behavior. The policy should cover:
Scope: Which platforms and account types are covered (clinic accounts and personal accounts when staff are identifiable as clinic employees).
Prohibited content: An explicit list of what staff may not post — patient names, identifiable descriptions, clinical photographs without authorization, case discussions.
Required authorization: When authorization is required before posting patient-related content, and how to obtain it.
Review process: Who reviews and approves clinic social media posts before publication, and what the approval process looks like.
Patient review response protocol: The standard response approach for reviews — who may respond, what the standard language is, and the prohibition on disclosing PHI in responses.
Personal account guidance: Expectations for staff posting on personal accounts, including identification as clinic employees and prohibition on posting patient-identifiable information regardless of platform.
Reporting: How staff should report potential social media HIPAA incidents — a post that may have gone up in error, a request from a patient or family member to remove content.
Staff training for social media risk
The policy has no effect if staff have not been trained on it. Training should cover:
- Why a patient’s presence at the clinic is itself PHI, not just names and diagnoses
- Specific scenarios that have caused violations at other practices (breach portal entries involving social media are instructive)
- The authorization process — where to get the forms, who to ask when uncertain
- What to do if a post goes up that may be a violation — who to notify immediately
New hires should receive social media training as part of HIPAA onboarding. All staff should receive refresher training at least annually.
The operational bottom line
Social media HIPAA compliance is not about banning staff from all online activity. It is about making the boundaries explicit and training staff to apply them instinctively. The violations that reach OCR — and the reputational damage that follows — almost always trace to posts that staff considered harmless or genuinely well-intentioned.
A specific written policy, an authorization process for patient content, and training that covers realistic scenarios will handle the vast majority of social media risk for a small clinic.
Sources
- HIPAA Privacy Guidance · HHS
- 45 CFR §164.502 · eCFR