Social Media and HIPAA

Social media used by workforce members is subject to the restrictions set forth in this policy. These restrictions are intended to protect the privacy of patient information and to ensure compliance with applicable legal and regulatory requirements, including the HIPAA Privacy Rule.

Reason(s) for the Policy

To provide guidelines to be followed by all Columbia University Healthcare Component (CUHC) workforce members related to their personal and professional use of social media.

Primary Guidance To Which This Policy Responds

The Health Insurance Portability and Accountability Act (HIPAA)

Who is Governed by This Policy

All CUHC workforce members.

Who Should Know This Policy

All CUHC workforce members.

The confidentiality of patient information is governed by federal and state laws.

In the event that any provision of this policy is in conflict with applicable law or regulation, the applicable law or regulation that affords the patient with the greatest privacy will govern.

Patient Privacy

  • Posting patient information, commentary, or photographs on professional or personal social media sites requires written authorization from the patient using the CUMC HIPAA Media Authorization form. The Office of Communications should be contacted at [email protected] to obtain a copy of the form. A copy of the form is provided to the patient and the original authorization is placed in the medical record.
  • Photo, tape or video recording in patient treatment areas is permitted only after obtaining permission from the Practice Manager, Program Director or CUMC Communications.
  • Patients in treatment areas/practice locations are prohibited from photo, tape or video recording without prior permission from the provider, program or practice. Patient authorization may also be necessary if any photos, tape, or video recording contain other patients’ images or information.
  • Faculty, staff and students are prohibited from taking personal photos, video or audio recordings in patient care areas to avoid inadvertently capturing patients or patient information.
  • Photos, images or narratives that a workforce member believes to be de-identified may still be recognizable by the individual or others, and would then not meet the definition of de-identified under the HIPAA Privacy Rule. Permission should therefore be obtained from the Privacy Office prior to posting any photos, images or narratives involving patients or patient information, even if they are thought to be de-identified.
  • Faculty and staff may photo, video or audio record patients for treatment purposes with authorization from the patient and must use an electronic device meeting CUMC Information Security requirements.
  • Notify the Privacy Office promptly of any suspected unauthorized disclosure of patient information via social media or any suspected unauthorized photographing, filming or recording.


Interacting with Patients on Social Media

Faculty, staff, and students should not connect with patients or patient family members using social media. It is recommended that workforce members use the same judgment regarding any other type of social interaction with patients.


Communications and Public Affairs

Departments, programs and centers that maintain a social media presence must adhere to CUIMC social media guidelines. For additional information contact CUIMC’s Office of Communications and Public Affairs at [email protected].


CUHC workforce members must:

  • Review and comply with the policy
  • Report any unauthorized use of social media or violations of this policy to the Privacy Office

Social Media - Internet-based applications which support and promote the exchange of user-developed content. Social media can take many different forms, including:

  • Blogs and micro-blogs such as Twitter
  • Social networks, such as Facebook
  • Professional networks, such as LinkedIn
  • Video sharing, such as YouTube and vlogs (video weblogs)
  • Audio sharing, such as podcasts
  • Photo sharing, such as Flickr and Photobucket
  • Social bookmarking, such as Digg and Reddit
  • Public comment sections on webpages (such as those for online news sites)
  • User-created web pages such as Wikis and Wikipedia
  • Any other internet-based social media application similar in purpose or function to those applications described above

Columbia University Healthcare Component (CUHC) – Columbia University is a Hybrid Entity that has designated as its Healthcare Component (the Columbia University Healthcare Component) Columbia University Medical Center and the other colleges, schools, departments and offices of the University to the extent that they (i) provide treatment or health care services and engage in Covered Transactions electronically or (ii) receive Protected Health Information to provide a service to, or perform a function for or on behalf of, the Columbia University Healthcare Component.

Protected Health Information (PHI) is individually identifiable health information:
(1) Except as provided in section (2) of this definition, that is: (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium (includes paper and oral communications).
(2) Protected Health Information excludes individually identifiable health information: (i) In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv); (iii) In employment records held by a covered entity in its role as employer; and (iv) Regarding a person who has been deceased for more than 50 years.

Workforce includes faculty, staff, students and other individuals whose conduct, in the performance of work for CUHC, is under the direct control of CUHC.