HOW TO: Win HIPAA Social Media Compliance at Work

I always thought HIPAA social media guidelines would have all kinds of unique provisions and social media training requirements that companies outside the health care sector wouldn’t need. I was wrong.

If you don’t work in health care, HIPAA stands for the Health Insurance Portability and Accountability Act. It was enacted in 1996 under US president Bill Clinton.

It’s all about making sure patient information stays private, unless, of course, patients share it themselves. Social media, needless to say, has made keeping things private tougher than ever. But given that health care providers are beholden to federal regulators, you’d think their social media policies would need special language. Wouldn’t you?

But according to Mayo Clinic General Counsel Daniel Goldman, that’s just not the case. “If you look at our social media policy, I don’t know that it’s dramatically different from folks in other industries,” says Dan, in an interview recorded today on HIPAA and social media. He also says the Mayo Clinic offers its employees and others in the health care sector a portfolio of social media training courses to increase their digital IQs.

But when it comes to developing a corporate social media policy, being HIPAA compliant does not require a unique approach. “I do think the emphasis on privacy is probably a bit stronger as it should be for any health care provider,” he says. But that’s not as much about legal compliance as brand equity. “If people don’t have confidence you’re going to protect very sensitive information, it’s not only a legal issue, it’s a brand issue. And for most of us that’s even more important. Our brand is a multi-billion dollar asset and tarnishing it by having people believe we’d play fast and loose with privacy is an even greater risk than the regulatory penalties we’d have to pay.”

The emphasis on privacy, and social media training with examples of how someone might commit an inadvertent HIPAA social media violation, is critical as well. Tweets and status updates are automatically date and time stamped, so if someone working for a health care provider shared something general about treating a patient and omitted the patient’s name, it is possible that the time stamp, combined with other public information, could become a patient privacy violation.

But having a HIPAA-compliant social media policy is not enough. The social media training and guidance you give people to understand HIPAA regulations is equally important.

“The best policy in the world is useless if it sits on the shelf or on your intranet and either people don’t look at it or people don’t really understand the nuances so I would encourage employers in any industry, but especially in health care, to really provide education. Add it into new employee orientation. Add it into your yearly or regular compliance training. Just about everybody entering the workplace these days has grown up with social media. So there really is that urge to share everything that’s interesting that happens in your life on social media, so it really is about getting people to take the extra 3 seconds before they hit post on their mobile phone or computer,” says Dan. “Education is equally as important as your policy.”

Dan characterizes those organizations that have responded to the risks of HIPAA social media violations by blocking access to social media entirely on their networks as somewhat naive, since most people have smart phones they can use to social network and are not reliant on their work computer for access to Facebook or Twitter. “You’re much better served by being realistic about it and working with your employees to train them to be responsible social media users as opposed to just saying no,” he says.

Social media training is a more sustainable route to widespread compliance than reliance solely on policy or governance. As general counsel for the Mayo Clinic, which employs more than 58 thousand people and treats more than 1.1 million patients each year, he should know. My conversation with Daniel M. Goldberg, Esquire, is also available On the Record…Online.


  • Well written post and very informative. Mayo certainly have the experience and good to see them sharing it.