Medical & Dental · 4 min read · May 4, 2026

HIPAA and Social Media: What Every Medical Practice Needs to Know Before Posting

A practical guide to HIPAA social media compliance for medical and dental practices — photo consent, patient stories, staff social media policies, and de-i...

HIPAA violations on social media have resulted in fines ranging from $10,000 for a Texas dental practice that disclosed patient information in a Yelp review response, to $2.15 million for a health system where a staff member's social media post was part of a broader compliance failure. In 2025, a healthcare group agreed to pay $182,000 to settle allegations it had posted patient success stories without proper authorization.

These aren't abstract risks. They're documented enforcement actions that demonstrate how a single post — even a well-intentioned one — can create six-figure liability. Here's what every medical practice needs to have in place before posting anything on social media.

What Counts as Protected Health Information

Protected Health Information (PHI) is broader than most people think. It includes any information that could identify a patient in connection with their health condition or treatment. That means: names, photos, dates of treatment, descriptions of conditions, and even details that seem anonymous but could identify someone in combination.

A post saying "Our patient today had an amazing smile transformation after 18 months of orthodontic treatment" might seem safe. But if only one patient completed that specific treatment in that timeframe, the patient is identifiable even without a name.

De-identification requires removing 18 specific identifiers defined by HIPAA, including names, dates (except year), geographic data smaller than a state, and any unique identifying numbers. If you can't confirm all identifiers are removed, don't post it.
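A practical way to enforce the "don't post it unless you can confirm the identifiers are gone" rule is to screen every draft before it reaches the approval queue. The following Python screener is an added example, not code from this article or from ForaPost; it checks a draft post against a simplified, assumed subset of the HIPAA Safe Harbor identifiers (dates finer than a year, phone/fax numbers, emails, ZIP codes, record numbers, ages over 89, URLs/IPs), and the sample posts are constructed for illustration.

```python
import re

# Assumed, simplified patterns for a SUBSET of the 18 Safe Harbor identifiers.
# A hit means "a human must review this", not "this is definitely PHI".
PATTERNS = {
    "date_more_specific_than_year": re.compile(
        r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}"
        r"|(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*\.? \d{1,2}(?:, \d{4})?)\b",
        re.I),
    "phone_or_fax": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "zip_code": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    "record_or_account_number": re.compile(r"\b(?:MRN|account|acct|chart)\s*#?\s*\d{3,}\b", re.I),
    "age_over_89": re.compile(r"\b(?:9\d|1\d\d)[- ]?(?:year|yr)s?[- ]old\b", re.I),
    "url_or_ip": re.compile(r"\b(?:https?://\S+|\d{1,3}(?:\.\d{1,3}){3})\b"),
}


def screen_post(text: str) -> list[tuple[str, str]]:
    """Return (identifier_category, matched_text) for every pattern hit in a draft post.

    An empty list only means no *regex* hit. Free-text quasi-identifiers (the
    'only one patient finished that treatment' case) cannot be caught this way,
    so the approval-queue human review is still required for every post.
    """
    hits = []
    for category, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((category, match.group(0)))
    return hits


def is_safe_to_post(text: str, has_written_authorization: bool) -> bool:
    """Block any draft with a hit unless a social-media-specific written
    authorization for the featured patient is on file (assumed workflow)."""
    return has_written_authorization or not screen_post(text)


# Constructed sample drafts (not real posts or patients).
SAMPLE_POSTS = {
    "ok": "Our hygienists share three tips for keeping braces clean this summer.",
    "dated": "Shout-out to the patient who finished 18 months of braces on 03/14/2026!",
    "contact": "Questions about whitening? Call 555-012-3456 or email smiles@example.com.",
}

if __name__ == "__main__":
    for label, draft in SAMPLE_POSTS.items():
        print(label, "->", screen_post(draft) or "no identifier hits")
```

Run it over every draft before it enters the approval queue; a clean result still goes to a human reviewer, a hit goes back to the author with the flagged category.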

Staff Social Media Policies

Your compliance is only as strong as your least-trained employee. In 2025, a nurse in Florida was fired and had her license suspended for livestreaming a medication distribution round on TikTok. In 2024, a nurse was disciplined for posting about a patient's death in a post she believed was sufficiently anonymized — the patient's family recognized the details and reported it.

Every medical practice needs a written social media policy that all staff sign during onboarding and review annually. The policy should cover: no photos or videos in clinical areas without authorization, no patient references on personal social media accounts, no responses to reviews that include patient information, and clear examples of what constitutes a violation.

Patient Authorization for Social Media

If you want to feature a patient's story, photo, or treatment outcome on social media, you need a HIPAA-compliant written authorization. This authorization must be specific — it should describe what information will be shared, where it will be posted, and inform the patient of their right to revoke the authorization at any time.

A general "consent to treatment" form does not cover social media use. A blanket photo consent doesn't either. The authorization must specifically mention social media and describe the nature of the content.

Keep signed authorizations on file. Track which patients have authorized social media use and which have not. When a patient revokes authorization, remove their content promptly.

What You Can Post Without Individual Authorization

Plenty of effective content requires no patient information at all. Team introductions, office tour photos, educational content about conditions and treatments (using general information, not specific cases), community involvement, health awareness posts, and behind-the-scenes office content are all HIPAA-safe.

Equipment demonstrations, facility upgrades, staff achievements, and seasonal health reminders are also excellent content that involves zero patient data. A dental practice can build an entire content calendar around education and team features without ever needing to reference a specific patient.

Setting This Up in ForaPost

Use AI Instructions as your first compliance layer. Add: "Never include patient names, photos, or identifiable details without documented HIPAA-compliant written authorization." Add: "Never respond to reviews or comments with any patient-specific information." Add to Words to Avoid: any terms your compliance officer flags.

Enable the Approval Queue — this is your mandatory compliance checkpoint. Every post gets reviewed before it goes live. This takes a few extra minutes per post but prevents the kind of violation that costs $10,000 to $2 million.

Set Media Settings to "Uploaded Only" and maintain a curated library of pre-approved images. Only upload photos that have been verified for patient consent or that contain no patient-identifiable information.
