Editor’s Note: In a recent webinar, Manatt Health explored the latest social media advances in the context of the Health Insurance Portability and Accountability Act (HIPAA) and other consumer protection and privacy statutes. (See the next article for full details on the program.) In a two-part series, Manatt Health summarizes the important information shared during the session. In Part 1, below, we review emerging technology trends, the critical role of legal and compliance teams and next steps.



Because patient engagement is top of mind across the continuum of healthcare, many healthcare organizations turn to social media as a powerful tool in their efforts to attract, engage and retain patients and plan members. At the same time, social media presents specific privacy and data security challenges for healthcare organizations. Fortunately, emerging trends suggest that social media sites are beginning to accommodate consumer (and advertiser) preferences for privacy. As a result, it makes sense for healthcare organizations to reevaluate the role social media can play in their growth and population health strategies, as well as in their efforts to reach traditionally underserved populations.

Emerging Technology Trends

Three emerging technology trends are likely to influence expectations for the way consumers wish to be engaged on social media.

  • Added Security in Mobile Devices and App Platforms. Many mobile devices now include security features, such as end-to-end encryption, biometric locking features, and two-step authentication. Some mobile app platforms—notably, Apple’s HealthKit, CareKit and ResearchKit—take advantage of the expanding computing power of smart devices. Untethering app functionality from cloud-based computing power reduces the transmission of personal data over networks and takes advantage of a device’s native security features, which should reduce exposure of personal health data to mass security breaches.
  • Social Media Use for Direct, Consumer-Initiated Communication. While social media enables a degree of “over-sharing,” many consumers still wish to keep some conversations private. Through Facebook’s Messenger app, consumers can now send a text directly to healthcare organizations. Healthcare organizations support this mode of direct, consumer-initiated engagement to varying degrees, in part because the content of messages exchanged in Messenger can still be mined by Facebook and associated with a user profile. Interestingly, in April 2016, Facebook announced end-to-end encryption of messages delivered using WhatsApp, the mobile app for text, voice and video communication that it acquired in 2014. If and when WhatsApp is integrated as a secure alternative to Messenger, social media sites like Facebook could become a dominant channel for instant and secure communication between consumers and healthcare organizations.
  • Increasingly Personalized Online Engagement. A number of technology leaders, including Amazon, Apple, Facebook and Google, have added “chatbot” features to their platforms. Chatbots are automated, intelligent applications that make the user of a virtual assistant or text messaging app feel like she is talking or texting with an actual person. Chatbots will make it easier for healthcare organizations to use social media and integrated messaging apps to deliver personalized content at scale, without interrupting the user experience.

There are hundreds of potential use cases to illustrate how these emerging technology trends will change the paradigm for healthcare organizations’ social media engagement strategies. Following is one example:

Public Service Announcements for General Outreach


“Your HIV medicine is working for you. But the side effects are not. www.xxxx.xxx.”

Call to Action

Contact a health clinic to make an appointment.

Typical Digital Advertising Model

Promote message on social media as sponsored content. Include a link to a proprietary website. No personal information collected per Terms of Service. Contains FAQs and phone number to call.

Pros. Minimizes personal data that can be collected. Measures weblink “click-throughs.”

Cons.

  • Interrupts the user experience.
  • Feels like a broadcast message, not a conversation.
  • Click-throughs may be suppressed given terms of use policies for some social media sites.
  • Click-throughs may not correlate to appointment uptick, especially if the public service announcement is part of a multimedia campaign.

Emerging Use of ChatBots and Secure Text and Voice

Promote message on social media as sponsored content. Instead of including an off-site link, include a link to secure automated chat, with a prompt “how can I help you?”

  • Swipe left below chat box to view/click on FAQs in sponsored content boxes.

Chat session is automated and contextualized.

Provide option to open chat with live person.

Pros.

  • Less intrusive form of advertising (native).
  • More personalized, consumer-driven engagement.
  • More data connecting campaign to booked appointments.
  • Increased number of “micro” interactions to increase relevance of content to individual and strengthen brand perception.

Con. Requires disclosure of security, which will depend on the social media site and texting app’s terms of service.


The Role of Legal and Compliance Teams in Setting Up Social Media Programs for Healthcare Organizations

Assuming that healthcare organizations accept the need to invest in a social media presence, their legal and compliance teams will play an integral role throughout the development and ongoing operation of their social media programs. From the outset, the legal and compliance teams serve as subject matter experts on the regulation and industry practices of digital advertising and privacy. Key legal concepts to consider include:

1. Privacy for Healthcare- and Non-Healthcare-Related Components of a HIPAA Entity

Under HIPAA, protected health information (PHI) is broadly defined to include any “individually identifiable health information,” if it is collected from an individual; is created or received by a HIPAA-covered entity; and is related to an individual’s past, present or future physical or mental health, the provision of healthcare or payment for healthcare services. Unless a covered entity designates itself as a “hybrid entity,” any individually identifiable health information acquired through social media could be characterized as PHI and be subject to all the protections under HIPAA.

However, if the HIPAA-covered entity designates itself as a “hybrid entity” and adheres to prescribed safeguards, policies and procedures to keep healthcare components of its activities separate from non-healthcare components and social media-related activities and data separate from healthcare-related functions, the individually identifiable health information acquired through social media can avoid being treated as PHI. Consequently, the legal and compliance teams play an important role in maintaining a covered entity’s status as a hybrid entity and preventing individually identifiable health information acquired through social media from becoming PHI.

2. Privacy Under State Laws

HIPAA sets a minimum floor of federal protection of PHI but does not preempt more restrictive state laws. Consequently, legal and compliance teams need to advise their clients of stricter state laws and their implications for an organization’s social media practices. For example, a social media program in California would need to accommodate restrictions under California’s Confidentiality of Medical Information Act, which applies to social media sites, in addition to healthcare providers, health plans and pharmaceutical companies.

Where to Go from Here

Typically, legal teams are asked to develop two social media policies—one for employees and another for an organization’s public website. However, they can provide even more value for their organizations by advancing a process for developing a comprehensive social media program. Broadly, such a program could include the following steps:

  • Assemble the Team. Form an internal working group focused on social media engagement.
    • Have “fast-following” practitioners, business leaders and patient/member “champions” lead.
    • Include digital marketing, legal, compliance, IT and finance as subject matter experts.
  • Understand What Consumers Need, and When They Need It. Develop a common vision of what consumers want at the moment they are “activated” in their own health or the health of a close family member or friend.
  • Reach Consensus on the Social Media Vision. Develop a vision that advances the organization’s broader strategic vision and reflects its core values.
  • Set Up Guardrails. Develop comprehensive Social Media Standards and Practice Guidelines. These Standards and Guidelines integrate the legal guardrails and an organization’s core values. They serve as a governance document that incorporates an organization’s legal requirements, as well as educates and empowers internal stakeholders. The Guidelines should define a governance infrastructure, as well as establish criteria for evaluating evolving campaign strategies and new social tools.

    The Guidelines also need to accommodate consensus and joint governance among diverse stakeholders. They should facilitate decision making as social media practices evolve and align an organization’s social media activities with its broader strategic vision. In addition, they might serve as a starting point for bringing cohesion to an organization’s use of other connected health and consumer engagement initiatives.
  • Get Started. Draw from the organization’s transformation road map to identify projects that benefit from enhanced consumer engagement.