HIPAA violations in marketing

Updated October 1, 2025*

Marketing and social media can be a minefield for healthcare providers. But HIPAA violations in marketing can be avoided.

The most common HIPAA violation is the unauthorized disclosure of protected health information (PHI). This occurs in every facet of healthcare, whether in the office, working from home, in social situations, or online. It can happen through insider snooping, outsider hacking, negligence, or by accident.

It can occur simply because you were unaware of the rule.

Healthcare Marketing and HIPAA

Healthcare marketing presents special challenges because personal information about patients is off-limits without an explicit, written, valid HIPAA authorization obtained from the patient in advance. The HIPAA Privacy Rule is unambiguous on this. The authorization must come first, and patients cannot “waive” their privacy rights by disclosing their own information.

Websites also pose various HIPAA risks, some of which are highly visible, while others are less apparent. The situation is complicated because liability for healthcare breaches stems from various enforcement sources, including the Office for Civil Rights (OCR) at HHS, the Federal Trade Commission (FTC), state attorneys general, and civil lawsuits for breach of privacy, negligence, or consumer protection.

The solution is less complicated than the problem. HIPAA enforcement is vigorous in 2025, but the key HIPAA violations and negligence claims can be avoided by following a few steps.

Healthcare marketing plans must include safeguards that prevent the sharing of patient information, and staff must be trained on how to avoid it. Marketing staff should work closely with IT staff and counsel to ensure comprehensive coverage.

Common HIPAA Violations in Marketing

🚩 The Notice of Privacy Practices is not prominently displayed on the website homepage

🚩 Testimonials without a valid authorization

🚩 Sharing protected health information on social media

🚩 Responding to patient reviews

🚩 Website pixel tracking

Websites and Social Media Pages

There are three simple safeguards to strengthen HIPAA compliance on websites and social media pages.

Safeguard #1 – The Notice of Privacy Practices

Prominently post a direct link on the website’s home page with a clear description that indicates the link leads to the HIPAA Notice of Privacy Practices (NPP). The link should be direct and not require multiple steps or a search.

The link should not be described as “privacy policy,” “HIPAA,” “patient forms,” or any other descriptor. Use the full correct name. The NPP should be current and comprehensive, including all required content.

Safeguard #2 – Obtain an authorization

*NOTE: OCR announced on September 30, 2025 that it settled a HIPAA investigation over Cadia Healthcare Facilities’ failure to obtain valid HIPAA authorizations from 150 patients who posted testimonials on Cadia’s website. OCR determined that Cadia impermissibly disclosed PHI, failed to have appropriate administrative, technical, and physical safeguards in place to protect the privacy of PHI, and failed to provide breach notification to the affected individuals. Cadia agreed to implement a corrective action plan that will be monitored by OCR for two years and paid $182,000 to OCR.

Before using a patient testimonial, recommendation, or photo, obtain a valid HIPAA authorization from the patient in advance. Review the definition of PHI: it does not need to include any medical details. A single identifier, such as a name or a recognizable photo, is PHI when it reveals that the person received care from you, which a testimonial on your site does.

Ensure the authorization includes all the elements the Privacy Rule requires (45 CFR 164.508(c)). A “photo release,” “model consent,” or “talent release” is not adequate if it does not contain the specific language the HIPAA Privacy Rule requires.

A common myth about HIPAA is that patients waive their privacy rights by posting on your page. Under HIPAA, if a patient posts a comment, review, or testimonial on your page, they have NOT waived their privacy rights, nor have they consented or authorized you to identify them. Patients are not required to follow HIPAA, but their providers and health plans must. All covered entities and business associates have an obligation to protect patient privacy, even if the patient discloses information first.

Safeguard #3 – Avoid pixel trackers, or opt out

Ensure your website does not use pixel tracking that sends visitor data to a tech company such as Meta, Google, Microsoft, or The Trade Desk.

Although pixel trackers are everywhere on the internet, tracking nearly every user who visits a website, they are particularly problematic in the healthcare sector. A website or portal user (often a patient) has personal information, such as an IP address and the URL of the page visited, which may reveal a condition, provider, or appointment, sent to the tech company, which then uses it to advertise to the user and/or sells it to other third parties for marketing. Both disclosures, to the tech company and to the other third parties, violate HIPAA when they are made without a valid HIPAA authorization obtained in advance.
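The check in Safeguard #3 starts with an inventory of what the site actually loads. The following is an added example, not code from the original article or from any of the vendors named above: a stand-alone Python scanner that parses a page’s HTML and flags script, image and iframe loads, and inline bootstrap snippets, that point at hosts used by the Meta Pixel, Google tags, Microsoft UET and The Trade Desk pixel. The hostname and inline-marker lists are an illustrative starting point, not an exhaustive catalogue, and the sample appointment page is constructed for the example.

```python
"""Static scan of page HTML for third-party tracking pixels/tags (added example)."""
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames that serve each vendor's tag loader or pixel endpoint. Illustrative
# starting list, not exhaustive; extend it from your own browser network capture.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel",  # /tr?... image beacon in <noscript>
    "www.googletagmanager.com": "Google Tag Manager / GA4",
    "www.google-analytics.com": "Google Analytics",
    "bat.bing.com": "Microsoft Advertising UET",
    "js.adsrvr.org": "The Trade Desk",
    "insight.adsrvr.org": "The Trade Desk",
}
# Substrings found in the vendors' inline bootstrap snippets (illustrative).
INLINE_MARKERS = {"fbq(": "Meta Pixel", "gtag(": "Google Tag Manager / GA4",
                  "dataLayer": "Google Tag Manager / GA4", "uetq": "Microsoft Advertising UET"}


@dataclass(frozen=True)
class Finding:
    vendor: str
    location: str  # "script src", "img src", "iframe src" or "inline script"
    evidence: str  # matched hostname or inline marker


def _vendor_for_host(host):
    host = host.lower().split(":")[0]  # drop any port
    for tracker_host, vendor in TRACKER_HOSTS.items():
        if host == tracker_host or host.endswith("." + tracker_host):
            return vendor, tracker_host
    return None


class TrackerScanner(HTMLParser):
    """Collects a Finding for every tracker reference in the markup."""

    def __init__(self):
        super().__init__()
        self.findings, self._in_script, self._buf = [], False, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script, self._buf = True, []
        src = attrs.get("src") if tag in ("script", "img", "iframe") else None
        if src:
            # urlparse handles absolute and protocol-relative (//host/...) URLs;
            # a same-origin path has an empty netloc and never matches.
            match = _vendor_for_host(urlparse(src.strip()).netloc)
            if match:
                self.findings.append(Finding(match[0], f"{tag} src", match[1]))

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag != "script":
            return
        self._in_script, text = False, "".join(self._buf)
        # Loader snippets create the <script> at runtime, so the vendor host
        # appears only as a string literal inside inline JavaScript.
        for host, vendor in TRACKER_HOSTS.items():
            if host in text:
                self.findings.append(Finding(vendor, "inline script", host))
        for marker, vendor in INLINE_MARKERS.items():
            if marker in text:
                self.findings.append(Finding(vendor, "inline script", marker))


def scan(html):
    """De-duplicated findings in document order."""
    p = TrackerScanner()
    p.feed(html)
    p.close()
    return list(dict.fromkeys(p.findings))


def vendors(html):
    """Sorted distinct tracking vendors referenced by the page."""
    return sorted({f.vendor for f in scan(html)})


# Constructed sample: an appointment page with GA4 and the Meta Pixel installed.
SAMPLE_APPOINTMENT_PAGE = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXXXX"></script>
<script>window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-XXXXXXXXXX');</script>
<script>var s = document.createElement('script'); s.src = 'https://connect.facebook.net/en_US/fbevents.js';
document.head.appendChild(s); fbq('init', '000000000000000'); fbq('track', 'PageView');</script>
</head><body>
<noscript><img src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView&amp;noscript=1"/></noscript>
<h1>Schedule an appointment</h1>
<script src="/static/app.js"></script><img src="/static/logo.png" alt="logo">
</body></html>"""

if __name__ == "__main__":
    for f in scan(SAMPLE_APPOINTMENT_PAGE):
        print(f"{f.vendor:26} {f.location:14} {f.evidence}")
    print("vendors:", ", ".join(vendors(SAMPLE_APPOINTMENT_PAGE)))
```

Run it over the saved HTML of every public page and every portal page, not just the home page, and repeat after each site release. A static scan only sees what is in the markup: a tag manager can inject further vendors at runtime, so confirm the result with a browser network capture (the Network tab or a HAR file) of a logged-in portal session, and treat any vendor host that appears there as a disclosure to review with counsel.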

The FTC and OCR have stated that pixel trackers pose a risk of violating HIPAA, and both agencies have secured settlements for potential privacy violations. Multiple federal class lawsuits have been filed against healthcare providers and the tech companies that sell the pixel trackers. See BJC HealthCare Settles Web Tracker Lawsuit for $9.25 Million, Mount Sinai Settles Web Tracker Lawsuit for $5.26 Million, and Jury Found Meta Violated Privacy of Flo Health Users.

Two other recent web tracker class action settlements in healthcare, both in Ohio:

  • Adena Health System agreed to pay $17.8 million, announced last week
  • The Christ Hospital agreed to pay $7 million, announced in August

Google and Meta Will Not Take Responsibility for HIPAA

According to Google, the healthcare organization is responsible for ensuring no PHI is sent to them.

“Google makes no representations that Google Analytics satisfies HIPAA requirements and does not offer Business Associate Agreements in connection with this service.”

Meta’s position is similar: it will not enter a Business Associate Agreement and requires the healthcare organization to prevent the transmission of PHI back to Meta.

Fortunately, there are companies that can assist with blocking the transmission of PHI from a website to an outside company. Examples include PilotDigital, FreshPaint and Ours Privacy.

Consult with your lawyer and IT staff to determine what can be disabled or removed to maintain patient data privacy and confidentiality.

Facebook is a Website, and the Same Rules Apply

If a healthcare provider has a Facebook page, it belongs to the provider, not to Facebook (a Meta company). The provider is responsible for all of the content. Treat it like the organization’s website and follow the same rules.

Facebook changed “reviews” to “recommendations” some time ago. If your page uses recommendations, turn the feature off; this removes existing recommendations and any associated ratings from your page.

Use Facebook instead to publicize services and post educational content or blogs.

Independent Review Sites Like Yelp

Patients may post an uninvited review on a site such as Yelp, Google, RateMDs, or WebMD. If the review is positive, it can be tempting to respond and thank them. If it is negative, a provider may want to respond with an explanation. But protecting patient privacy and complying with HIPAA requires that a provider not respond in any way that confirms the reviewer is a patient or refers to their care.

As noted above, patients cannot waive their privacy rights by posting publicly. They have not consented to a provider’s disclosure unless they signed a valid HIPAA authorization in advance.

Best practices dictate either no response or a generic reply such as, “It is our policy to provide the best care to our patients,” without acknowledging that the individual is a patient. It may feel awkward or unnatural, but patient privacy is paramount, and providers must refrain from engaging.

Social Media and HIPAA

Providers who use other social media platforms, such as Instagram (owned by Meta), YouTube (owned by Google), TikTok, LinkedIn, Reddit, or Quora, should exercise caution to avoid disclosing protected health information without a valid HIPAA authorization.

If you don’t have an authorization, refrain from taking videos or photos of patients to post on your page, even if they have verbally consented. Don’t invite patients to post reviews and testimonials.

Social media is a powerful tool for connecting with the public. As long as the provider’s posts focus on the organization’s own services, educational information, and news announcements, and contain no patient information, HIPAA risks can be avoided.
