Social media is changing the face of medicine. Patients are becoming increasingly more social, and healthcare professionals are using different online tools to reach and educate them. Early on, regulations and privacy concerns limited how patients and providers used social media, but adoption has grown exponentially in spite of these challenges.

According to marketing agency Fluency Media, 30% of adults are likely to share information about their health on social media with other patients, 47% with doctors, 43% with hospitals, 38% with health insurance companies and 32% with a drug company.

With so much potentially sensitive information hitting the web, there are several regulations and guidelines that both marketers and professionals need to understand. Let’s take a look at some of them, starting with the most important—HIPAA.

What Is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law stating that the patient has control of his or her protected health information (PHI). A patient’s PHI includes demographic data that relates to:

  • His or her past, present or future physical or mental health or condition
  • The provision of healthcare to the individual
  • The past, present or future payment for the provision of healthcare to the individual

While patients are free to publicize their medical condition or experience with a provider, none of this information can be released by the provider without consent of the patient—and even then, healthcare providers are strongly urged to educate patients about the associated risks.

There is, however, an exception to that rule: The patient’s PHI can be used for healthcare operations. For example, it can be shared internally from a hospital to a physician, from a physician to a hospital and to payment companies for insurance-related matters. The PHI cannot go outside of that circle without the consent of the patient.

In order to use or disclose patients’ PHI without obtaining consent, the information must be de-identified. HIPAA lists 18 categories of identifying information that must be removed from a record or patient story in order for it to be considered de-identified. They include:

  • Basic information: names, addresses, phone numbers and social security numbers
  • Dates: birth dates, admission dates, discharge dates and dates of death
  • Administrative details: medical record numbers, health plan beneficiary numbers, account numbers, certificate or license numbers, vehicle identifiers (license plates) and serial numbers, URLs and IP addresses
  • Other identifiable information: finger and voice prints, full-face photography and any other unique identifying number, characteristic or code

The latter is often the most difficult to comply with, now that significant amounts of personal information is available online. It’s not as simple as checking identifiers off the list, and information can still be considered identifiable if there’s a way to figure out who the patient is—even if all 18 have been removed.

Health plans, healthcare clearinghouses and any healthcare provider that transmits health information in electronic form—including claims, benefit eligibility inquiries and referral authorization requests—are required to comply with HIPAA guidelines.


Just like the US, healthcare organizations in select provinces in Canada must also adhere to specific legislation. Ontario’s Personal Health Information Protection Act (PHIPA) provides a similar set of rules for the collection, use and disclosure of PHI. The rules apply to all health information custodians (HICs) operating within Ontario and to any individuals or organizations that receive PHI from those HICs, including information technology service providers.

Similar to HIPAA, PHIPA protects any information related to the individual’s physical or mental health, including family health history. It also protects information related to the type and length of care received, the donation of body parts or substances, the individual’s substitute decision-maker and any other information about an individual that’s included in a record containing PHI.

While similar in context, the two regulations have some significant differences. HIPAA, for example, relies heavily on methods, while PHIPA focuses more on objectives. PHIPA also uses more general terms, such as “reasonable steps,” while HIPAA describes specific required safeguards for PHI.

HIPAA, PHIPA & Social Media

Why is it important for social media teams and marketers in North America to be aware of HIPAA and PHIPA? Because the same rules regarding patient privacy in healthcare apply to social media as well. Any information that could potentially lead to the patient’s identity being exposed cannot be shared. Even the fact that the doctor/patient relationship exists is considered PHI.

HIPAA violations are taken seriously.

In 2010, four staff members were fired and three disciplined—including two nurses—after snapping photos of a dying patient and posting them on Facebook.

In 2011, a Rhode Island physician was fired for posting patient data to her personal Facebook profile—even though the actual patient’s name had never been mentioned. It was argued that the information posted provided enough detail about the patient’s injuries for others to guess who the patient was.

It’s not just healthcare staff who are racking up the HIPAA violations. Sometimes patients are to blame. For instance, let’s say a patient takes a selfie inside an emergency room and inadvertently photographs another patient in the background. That photo is then uploaded to the hospital’s Facebook Page along with the selfie taker’s check-in. Since the other patient didn’t consent to being photographed and shared on Facebook, that post might be a HIPAA/PHIPA violation—even if the hospital didn’t upload the photo.

One way to avoid the situation is to implement a photography policy within the hospital that includes patients and visitors as well as staff. Although signs alone won’t stop someone from snapping a picture, should the hospital come under fire for it, it can take some of the heat off of itself by referring back to the no-photo policy.

Sunnybrook Hospital

Another option is to minimize risk by monitoring social media profiles and filtering posts from fans and followers. For example, Sunnybrook Hospital doesn’t allow fans to upload images to its Facebook Page and has created a commenting policy. The latter is especially important so that the hospital can delete offensive comments without pushback, while the former protects the hospital from having photos of non-consenting patients uploaded to its Page.

It also benefits by having a unique name, which makes monitoring for mentions on Twitter and Instagram easier. So how does the hospital get away with something like Tweeting during surgeries? It has a consent form and a thorough session with the patient and his or her physician to walk through the form.

“We do this to ensure that the patient is amenable to the experience,” said Sivan Young, Manager of Digital Communications at Sunnybrook Hospital. “We want to be sure that the patient isn’t doing it just because the doctor requested it. We’re clear that we do our best to protect their identity, but once it’s live, if someone external identifies them, that’s out of our control.”

According to Young, both surgery patients and their families were happy with the experience. Families of the patients followed along on Twitter, and some family members even participated in the Tweets. The decision of whether to identify themselves as family members of the patients was entirely their own.

While some of the other stories above resulted in serious repercussions, don’t let that deter you from adopting social media practices for your healthcare marketing. Learn from others’ mistakes, and limit liabilities by setting clear social media policies and procedures. Mitigate potential violations through training and educating your entire staff.

Healthcare Marketing

The HIPAA Privacy Rule gives individuals control over whether and how their PHI is used and disclosed for marketing purposes. Under this rule, “marketing” is defined as making “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” There are, however, exceptions to this rule. You can use PHI if:

  • You’re describing a health-related product or service that’s provided by your hospital.
  • The communication is used to manage a patient’s care or to recommend alternative treatment.

This means that you can target specific groups of patients and create mailing lists of patients based on the departments or physicians they’ve been treated by. You can also create a fundraising mail list based on a patient’s experience or outcome. Finally, you can send communication about products or services that are being used or recommended for use by a patient. This assumes you have prior written consent to do so.

This is just one of the ways that marketing is defined by HIPAA. We recommend reading through what is and isn’t considered marketing before creating your strategy to ensure all components comply. In addition to HIPAA, there are different laws, rules and government agencies that regulate healthcare marketing in the US:

  • The Food and Drug Administration (FDA) has rules in place for prescription drugs and other medical services, such as LASIK eye surgery.
  • The Federal Trade Commission (FTC) can review ads for over-the-counter drugs and other products making health claims.

When it comes to marketing pharmaceuticals in the US, FDA rules require that an ad tell the consumer at least one approved use for the drug, its generic name and the most important known risks and side effects. All healthcare marketing must be truthful and fair. This means that ads must include a fair representation of a competitor’s product and not mislead consumers by omitting information.

In Canada, pharmaceutical advertising is heavily regulated and direct-to-consumer advertising is allowed in a very limited capacity: name, price and quantity. The country’s limitations on pharmaceutical advertising require that ads mentioning the name of a product can’t in any way describe what it does. Also, ads that mention a medical problem can’t mention the name of the product for sale. At most, it can only direct viewers to a company-operated website or phone number.

To avoid running into any issues, develop a content strategy that focuses on the following:

  • Providing updates on new technologies, breakthroughs and research—ReferralMD does a great job of this.
  • Introducing members of your medical care team
  • Offering general information about common ailments or pre- and post-operative care
  • Communicating during times of crisis—as the CDC did during a recent Measles outbreak


Retargeting—also known as remarketing—is a popular form of online advertising and one that hospitals and other healthcare organizations need to use with caution. In the US, there’s no law prohibiting the use of targeted ads based on activity at health-related sites. There are, however, self-regulatory guidelines that healthcare organizations are urged to follow in order to comply with HIPAA and other privacy laws:

  1. An organization cannot run ad content that implies knowledge of sensitive health or medical information.
  2. An organization may not collect personally identifiable information, such as email addresses, credit card numbers or phone numbers.

For instance, an ad that prompts potential patients to contact your hospital’s cardiac department for more information about general treatment options is acceptable. On the other hand, an ad promoting your hospital that calls out specific diagnoses or conditions—such as congestive heart failure—isn’t allowed.

At Sunnybrook Hospital, retargeting isn’t a priority.

“Our content strategy is more about brand awareness,” Young said. “We’re not trying to drive people to our website for money. We’re trying to drive health education and patient engagement.”

In Canada, Google was criticized for allowing an advertiser to retarget ads based on “sensitive” information. Canada’s online behavioral guidelines “make clear that advertisers should avoid collecting sensitive personal information, such as individuals’ health information, for the purpose of delivering tailored ads.”

An investigation was prompted when a web user complained of seeing ads for devices that treat sleep apnea after he searched for those devices online. As a result, Google began monitoring retargeting campaigns more closely. AdWords now has several policies in place that restrict the promotion of healthcare-related content; you’ll want to become familiar with them.

Regardless of how your ad may be framed, to ensure compliance, it’s recommended that you check with your legal department before running any kind of retargeting campaign.


Sweepstakes, contests and giveaways are popular marketing tactics that healthcare organizations also need to be mindful of. In 2012, 41% of people said that social media would affect their choice of specific doctor, hospital or medical facility. That number has likely increased over the past few years, and it’s very important that less-than-ethical practices aren’t used to reach these individuals.

While privacy laws govern much of what marketers can and can’t share online, another US law—the Stark Law—regulates how healthcare providers can attract patients. Specifically, the physician referral law limits how physicians can get referrals and how medical practices can feature doctors in their advertising.

Although not specifically mentioned in Stark Law, an important consideration here is sweepstakes, contests and giveaways.

“You can’t give away medical perks, like a free doctor’s visit,” said Kory Swanson, Director of Marketing and Communications at University of Colorado Health. “It can’t look like you’re encouraging or coercing people to come to your facility.”

That doesn’t mean contests and giveaways are completely off the table; you’ll just need to think more creatively.

“We try to focus on storytelling for our contests,” Swanson said. “It’s very important to us to learn about our community and its impression of UCHealth.”


UCHealth held a March MAN-ness competition to promote men’s health. More than 600 people, including community members and physicians, participated in the offline events. By entering, participants were eligible to win minor league hockey tickets. Rather than persuade people to go to UCHealth, the contest focused on promoting health and engaging the community in a positive and educational way.

“It’s very important to us to learn about our community.”
—Kory Swanson, Director of Marketing and Communications, University of Colorado Health

Other Healthcare Compliance Guidelines

Beyond marketing, there are several other guidelines that healthcare providers (such as nurses, doctors and pharmacists) should follow. Here are just a few of them:

If you fall under one of these categories, it’s recommended that you read through the appropriate guidelines. Although they’re specific to each role, the major takeaways center around the same things: patient privacy, professionalism and transparency. Also, every hospital or healthcare organization should have its own social media policy in place.

For example, Massachusetts General Hospital has developed guidelines for people who want to interact with the hospital through social media. This is a great way to manage the public’s expectations around the type of information they can find on your social network profiles. It also protects the hospital in case comments or posts need to be removed.

At the same time, it’s important to have a similar policy in place for employees and students, whether they’re posting to their own site or commenting on others’. Here is a great example from the Mayo Clinic. The guidelines provided closely resemble those mentioned in some of the healthcare compliance documentation mentioned above.

As social media becomes a more acceptable form of communication between patients and healthcare providers, it will become increasingly important to prioritize privacy. Several programs aim to help medical professionals better understand social media and compliance, such as the Social Media Residency program offered by the Mayo Clinic Center for Social Media or the University of California at San Francisco’s social media internship for medical students.