What does your office staff post on Facebook and Twitter?

By: Tod Ferran, CISSP, QSA
The wave of social media is almost impossible to stop, especially at work. The problem is that employees who use social media irresponsibly can cause serious HIPAA violations. Watch this 60-second video to learn HIPAA-compliant social media practices.



To meet HIPAA requirements, keep the following in mind:


Never post patient data. I’m not just talking about tweeting patient names and Social Security numbers. I mean, don’t post anything related to the patient!

Did you hear about the nurse who was fired for an angry Facebook post? At Oakwood Hospital in Dearborn, Michigan, a nurse used a strongly worded Facebook status update to bad-mouth a man who was being treated at her hospital and was accused of killing a police officer. Although she didn’t use his name or say which hospital he was treated at, it wouldn’t take a genius to piece together the clues she left. As a general rule, if you wouldn’t say it in public, don’t post it online. And if you’re like my sister-in-law, even some of the things you say in public shouldn’t be posted. :)


Create a social media policy. Social media is all about sharing, and HIPAA is all about keeping information private. Coexistence is possible, as long as a strict set of rules is followed. Your HIPAA social media policy should discuss social media rules for both work devices and personal ones.

Implement your policy. Implementing a policy means more than just dropping a document-filled binder on your employee’s desk. It means conducting regular employee policy training meetings and being available to answer questions about proper social media usage.


Tod Ferran (CISSP, QSA) is a Mensa aficionado, Cancun expert, and Security Analyst for SecurityMetrics with over 25 years of IT security experience. In addition to his many speaking engagements and webinars, he provides security consulting, risk analysis assistance, risk management plan support, and performs security, HIPAA, and PCI compliance audits. Connect with him for recommendations on excellent places to stay, activities, and restaurants in Cancun, or check out his other blog posts here.
