Social Media

HIPAA requires hybrid component staff to safeguard patient information regardless of the medium in which it is presented. Therefore, HIPAA principles still apply to PHI shared via social media platforms. In order to comply fully with HIPAA, it is never appropriate to post patient information or pictures on social media for personal reasons. Do not:

  • Take photos of patients for personal use
  • Make comments about patients on your social media platform
  • Discuss patients with co-workers in a private group chat on social media

If you need to post patient information or photos for professional reasons on social media, please work with your clinic leadership to obtain the necessary consent from the patient.

Please report suspected violations involving social media to your supervisor or to the Joint Office for Compliance. Contact information for the Joint Office for Compliance is below:

Phone: 319-384-8282



Social Media FAQs

No, it is a violation to post patient photos, images, or videos on social media without documented prior patient consent.

You may not share any of a patient's PHI on social media without consent. As addressed on the PHI tab, PHI encompasses more than just the patient's name. Simply omitting the patient's name is not enough to fully de-identify them and could result in a HIPAA breach. Additionally, UI does not condone staff's disparagement of patients via any medium.

No, even though the information is limited to a private user group, the social media site still has access to the content. You may not share any of a patient's PHI on social media without consent. As the site's staff would have access to the content posted, even if posted privately, it would still be considered a HIPAA breach.