March 23, 2023

Volume XIII, Number 82


ICYMI: HIPAA and Social Media IRL

Social media’s interplay with healthcare privacy presents a constantly evolving challenge. ICYMI (“in case you missed it”), there is an uptick in enforcement and scrutiny IRL (“in real life”) related to communications through social media and other public platforms by entities subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

Just as consumers can post or search reviews for anything from vacuum cleaners to egg rolls, they can also vet healthcare on social media sites. Given the personal nature of healthcare, patients often share their appreciation or displeasure with providers. Regulated entities, however, are at a disadvantage in responding to communications on social media sites because of HIPAA and state data privacy laws.

For example, a patient may undergo a procedure with a particular provider and decide to share his/her experience or rating. While reviews are often glowing and readily welcomed by providers, when they are critical or even disparaging, providers may wish to directly respond to clear the air and set the record straight. TBH (“to be honest”), providers must proceed with caution to avoid a data breach or a public undermining of their own commitment to patient rights.

HIPAA prohibits covered entities and their business associates from disclosing PHI in many circumstances, and the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently confirmed that it interprets PHI broadly to include identifiable health information provided through a HIPAA-regulated entity’s website or mobile app, “even if the individual does not have an existing relationship with [the] entity and even if . . . [such information includes an] IP address or geographic location, [but] does not include specific treatment or billing information.”[1]

OCR has also emphasized that it is monitoring the online activities of regulated entities and will intervene where appropriate. In December 2022, OCR announced a settlement with a practice over the alleged inappropriate disclosure of PHI in responses to online reviews.[2] OCR initiated its investigation after receiving a complaint that the practice inappropriately disclosed PHI, including patient names, treatment, and insurance information, while responding to patient reviews on a public platform.[3] OCR also determined that the practice failed to incorporate the appropriate components within its Notice of Privacy Practices and failed to implement sufficient policies and procedures governing use and disclosure of PHI.[4] In addition to a number of corrective actions, the practice agreed to provide breach notices to all affected individuals.[5]

In assessing whether to respond to a post, HIPAA-regulated entities should consider, among other factors, whether they would be disclosing more than the minimum amount of PHI necessary, whether the information identifies a patient, and whether the information is particularly sensitive or was already disclosed by the patient in his/her own post. Unfortunately, OCR has not yet adopted a clear, bright-line standard for what types of interactions are permissible, and as a result, any interaction carries risk.

As OCR is taking a serious look at HIPAA and its application to social media platforms, it is more important than ever that HIPAA-regulated entities assess their compliance obligations. Even where a regulated entity feels that a response is warranted, HIPAA may not allow that disclosure – in that event, the regulated entity should consult with its Privacy Officer or counsel to consider alternative means of communication that better align with HIPAA’s requirements. If you have any questions about HIPAA or its impact on you or your business’s online activities, please contact a member of the Sheppard Mullin Healthcare Team.


[1] Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates, HHS (Dec. 1, 2022).

[2] HHS Civil Rights Office Enters Settlement with Dental Practice Over Disclosures of Patients’ Protected Health Information, HHS (Dec. 14, 2022).

[3] New Vision Dental Resolution Agreement and Corrective Action Plan, HHS (Dec. 14, 2022).

[4] Id.

[5] Id.

Copyright © 2023, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XIII, Number 39

About the Authors

Michael D. Sutton

Michael Sutton focuses his practice on providing comprehensive legal services to a broad array of healthcare providers. His experience spans representation of physicians, physician-owned entities, long-term care facilities, and hospitals to create effective and innovative legal solutions to regulatory and transactional matters. In addition, Michael has litigated a variety of healthcare-related disputes in both federal and state courts and has handled an expansive range of civil litigation matters.

Michael earned his J.D. from...

Sara Helene Shanti

Sara Helene Shanti is a partner in the Corporate Practice Group in the firm's Chicago office.

Areas of Practice

Shanti represents healthcare providers and technology companies in matters related to data privacy, healthcare regulatory compliance and mergers and acquisitions. She counsels clients on various data privacy and healthcare technology matters, including artificial intelligence, data security incidents, mobile applications, and telemedicine. Shanti’s experience includes advising clients on transferring data across multinational borders, implementing...

Amy Dilcher

Amy Dilcher is special counsel in the Corporate Practice Group in Sheppard Mullin's Washington D.C. office.

Amy’s practice focuses on transactional and regulatory matters, helping healthcare organizations achieve their strategic business initiatives while navigating complex regulatory issues and mitigating risks associated with healthcare regulations in the areas of strategic affiliations, mergers and acquisitions, hospital and physician transactions, managed care matters, and other contractual arrangements. She also advises on a wide range of...