HIPAA Social Media Policy Template

A one-page HIPAA social media policy template clinic administrators can adapt and distribute to staff. Covers PHI prohibitions, patient photo consent, responding to patient comments, account access controls, and enforcement.

Short answer

A practical social media policy template clinic administrators can adapt, distribute, and include in their workforce training program — covering what staff may and may not post, PHI prohibitions, patient photo consent, and enforcement.

What is inside

PHI prohibition language: no patient names, photos, conditions, or identifiers — even in positive contexts
Patient photo and before/after content rules: written authorization required before any image is posted
Instructions for responding to patient comments: acknowledge offline, never discuss PHI publicly
Account access controls: how to limit posting privileges to designated staff
Enforcement and sanctions section: ties violations to your existing workforce discipline policy
Ready-to-adapt format — fill in your clinic name and review with your Privacy Officer before distributing

We publish the same practical templates and decision tools that clinics use to structure recurring HIPAA work. No enterprise gate. No resource-library gimmicks. Just practical material delivered quickly.

Editorial details

Written by: Angel Campa

Reviewed by: PHIGuard Compliance Research

Updated: April 27, 2026

Best next step: Open the matching product path

Sources

Download the PDF

HIPAA Social Media Policy Template for Medical Clinics — ready to adapt for your practice

Enter your email and we will send the PDF.

Questions

Does HIPAA specifically regulate social media?

HIPAA does not name social media platforms, but the Privacy Rule at 45 CFR §164.502 prohibits any impermissible use or disclosure of PHI — including on social media. A photo of a patient in a waiting room, a comment referencing a patient's condition, or a video that captures a patient in the background are all potential disclosures. The medium does not change the obligation.

Can staff post general health education content?

Yes, provided the content contains no patient identifiers and no content derived from actual patient encounters. Staff sharing general public health information, clinic hours, or office culture posts do not implicate HIPAA as long as no PHI appears.

What if a patient posts about their own care on our clinic's page?

A patient can disclose their own PHI — that is not a HIPAA violation on the clinic's part. The risk is in how staff respond. Any response that confirms, adds to, or elaborates on a patient's health information is a potential impermissible disclosure. Train staff to acknowledge the comment and move the conversation to a private channel.

Is a written authorization required for before/after photos?

Yes. Under 45 CFR §164.508, a covered entity must obtain a valid written authorization before using or disclosing PHI for marketing or other non-treatment purposes. Before/after photos are PHI. A general consent-to-treatment form does not cover social media use.