HIPAA was enacted in 1996 to increase the use of electronic transactions. Ironically, its Privacy Rule, which took effect in 2003, now paralyzes many healthcare marketers from using social media. They fear breaking the rules or violating patient rights.
But, even without guidelines from the U.S. Department of Health & Human Services (HHS), you can add social media to your marketing mix and remain HIPAA-compliant.
The secret: Knowing the myths, and knowing what you can do.
MYTH 1: You can’t create a blog or forum where someone might divulge his or her personal health information.
Because HIPAA doesn’t apply to patients making their own disclosures, providers have no obligation to prevent patients from offering up voluntary, unsolicited disclosures of protected healthcare information (PHI). This includes provider-affiliated and unaffiliated social networks.
MYTH 2: You can’t host an open dialog (on your own website or on an independent website) with patients who could divulge PHI.
As long as you’re not revealing PHI about patients, you’re not violating HIPAA. To be ultra-cautious, simply require patients to acknowledge in advance that you’re not responsible for any PHI they choose to divulge.
MYTH 3: You can’t include a case study about a patient on your website or on an independent site.
HIPAA only applies to “identifiable” health information. You can disclose information without patient authorization when it has been “de-identified.” That simply means removing information such as name, Social Security number, geographic area, photographs and the like.