
policy HSG-013 : Requirements Relating to Social Media

Policy sets requirements for protecting PHI and other confidential information when social media in any form is used, and specifically prohibits Team Members from sharing or in any manner disclosing confidential information via social media.


  1. effective date:

    November 1, 2018
  2. content:

    Applies To:   The Medical Center, the School of Medicine, the School of Nursing, Claude Moore Health Sciences Library, Transitional Care Hospital, the Health System Development Office/UVA Health Foundation (“Health System Development Office”), and the University of Virginia Physicians Group (“UPG”).                                                                         

    Reason for Policy:   The Health System protects the confidentiality of patient information as well as proprietary research, financial and other business related information.  Information posted to social media sites is publicly accessible and is not secure—even if privacy settings are enabled.  The purpose of this policy is to set forth Team Members’ obligations to protect Confidential Information when using Social Media in any form.                                               

    Social Media venues are shared by patients and colleagues.  The nature of the Internet is such that, once materials are posted or shared, they become public and permanent.  Just about anyone, with a little effort, can further share and view these postings.  Confidential Information, if shared via Social Media, is publicly compromised.  Unintended consequences resulting from the exercise of poor judgment when posting, communicating or exchanging Confidential Information online can breach privacy, damage patients’ trust in their providers, and damage the professional and personal futures of all those involved.       

    Team members who wish to develop Social Media websites to promote clinical practice, research, and academic endeavors on behalf of the University of Virginia Health System should contact Strategic Relations and Marketing.  See also https://www.uvahealthbrand.com/social-media-standards-starting-an-account for approval procedures and standards.                                                       

    Definition of Terms:      

    Health System - for purposes of this and all other Health System policies, the term “Health System” shall refer to the following entities: the Medical Center, the School of Medicine, the School of Nursing, Claude Moore Health Sciences Library, Transitional Care Hospital, the Health System Development Office, and UPG (hereinafter referred to collectively as “Entities” or each individually as an “Entity”).

    Confidential Information

    • any information in the custody of a Health System Entity regardless of its form (oral, paper, electronic) or storage media, that constitutes medical records or other Protected Health Information (PHI); and 
    • proprietary research, financial and other business-related information, including but not limited to documents concerning strategic planning, human resources records, payroll records, and legal advice.     

    Social Media - interactive sites allowing an individual to create and edit information via the internet.  Social Media includes blogs, podcasts, social networking sites (e.g., Facebook), as well as photo and video hosting websites.  This definition excludes internal Health System interactive sites that meet IT security standards and whose use satisfies other applicable policy requirements regarding HIPAA and Confidential Information.

    Team Members - All persons providing clinical, educational, research, administrative, or other services within or for the benefit of the Health System, regardless of Employer.

    Policy Statement:            The University of Virginia Health System strictly protects Confidential Information.  The same regulations, policies, and behavioral expectations that restrict Team Members’ dissemination of Confidential Information also apply to Team Members’ conduct online; specifically, Team Members are prohibited from sharing or in any manner disclosing Confidential Information via Social Media in violation of this policy. 

    Procedures:                      

    Team Member Responsibilities:

    1. Team Members who observe actual or suspected violations involving UPG patient billing staff or a UPG-owned clinic must promptly (i.e., within twenty-four hours) report such violations to the UPG Compliance Officer. In all other instances, Team Members who observe actual or suspected violations of this Policy must promptly (i.e., within twenty-four hours) report such violations to their managers/designees (see managers’ responsibilities in Section 2 below).
    2. Manager Responsibilities:   
      1. Managers shall report any actual or suspected violations involving PHI to the Medical Center’s Corporate Compliance and Privacy Officer for investigation (see Medical Center Policy No. 0021 “Confidentiality of Patient Information” and Transitional Care Hospital Policy No. 0021 “Confidentiality of Patient Information”) unless the violations involve UPG patient billing staff or UPG-owned clinics, in which case the violations must be reported to the UPG Compliance Officer.
      2. Managers shall report violations involving other Confidential Information to senior management as the manager deems necessary and appropriate.
    3. Role of Corporate Compliance and Privacy Officer and UPG Compliance Officer: The Medical Center Corporate Compliance and Privacy Officer shall direct the investigation of all violations involving PHI, unless the violations involve UPG patient billing staff or UPG-owned clinics, in which case they must be investigated by the UPG Compliance Officer.  The Medical Center Corporate Compliance Officer will also assist UPG, as necessary, with investigations of violations involving UPG patient billing staff or UPG-owned clinics.
    4. Enforcement:  
      1. Corrective action for violations of this Policy will be taken consistent with relevant HR policies, and such other policies, procedures and processes of the University, including the Health System and its Entities, as may be applicable. 
      2. Violations involving PHI and resulting corrective actions shall be reported to the applicable licensing board or other agencies as appropriate. 

    Related Information:     Related policies include, but are not limited to, the following:

  3. signature(s):

    Richard P. Shannon, MD, Executive Vice President for Health Affairs