
HIPAA and Social Media: What Therapists Can and Can't Post


Social media is where your future clients are. Instagram reels, TikTok explainers, and thoughtful LinkedIn posts have become some of the most effective ways for solo therapists to build a practice. You don't need an ad budget — you need a phone and something useful to say.

But the moment you point that phone at your office, or reply to a comment, or share a "win" from your week, you step onto HIPAA terrain. And the rules here trip up even careful clinicians, because the most dangerous violations don't feel like violations at all.

This guide walks through what you can and can't post, why testimonials are a trap, how to respond to reviews safely, and how to film content without accidentally exposing a client.

The One Rule That Explains Everything

Here's the principle that drives almost every social media mistake therapists make: the fact that someone is your client is itself protected health information.

You don't have to post a name or a diagnosis to commit a breach. Confirming — or even strongly implying — that a specific person has received mental health treatment from you is a disclosure of PHI under HIPAA. Treatment information includes the existence of the treatment relationship.

So when you repost a client's story with a "so proud of this brave human," or you like and reply warmly to a stranger's comment saying "thanks for helping me through my divorce," you may have just confirmed a treatment relationship to anyone watching.

Once you internalize that, the rest of these rules make sense.

What You Absolutely Cannot Post

These are hard lines. Posting any of the following without specific, written HIPAA authorization is a violation:

  • Anything that identifies a client, directly or indirectly. Names, photos, initials, a town small enough that a description narrows it to one person.
  • Confirmation that someone is or was your client. Even a private message saying "great to see you, glad therapy helped" on a public-adjacent platform can leak.
  • Session details, even when poorly anonymized. "Had a client today who survived a plane crash and lost their twin" is anonymous on paper and instantly identifiable in reality.
  • Screenshots of your schedule, EHR, intake forms, or messaging app. A blurred-but-readable calendar in the corner of a video counts.
  • Group therapy moments. Group settings multiply the risk because every member is both a patient and a witness to other patients.

The plain-language version: if a viewer could reasonably figure out who you're talking about, you've disclosed PHI. Anonymizing means truly unrecognizable, not just "I changed the name."

Why You Can't Post Testimonials

Testimonials feel like the obvious marketing move. A glowing quote from a happy client is gold for a coach or a contractor. For a therapist, it's a minefield.

When a client gives you a testimonial, posting it confirms they were your client — that's the PHI disclosure again. Even with their enthusiastic permission, you're in tricky territory, because a valid HIPAA authorization has strict requirements and the client may not fully grasp the permanence of a public mental health disclosure.

Beyond HIPAA, soliciting testimonials from current clients is independently barred by professional ethics codes. The APA Ethics Code prohibits psychologists from soliciting testimonials from current therapy clients or others vulnerable to undue influence. The NASW Code of Ethics and the ACA Code of Ethics carry similar restrictions for social workers and counselors.

So a single testimonial post can stack two problems at once: a HIPAA disclosure and an ethics-code violation that your licensing board cares about. The safe answer is simple — don't use client testimonials in your marketing at all.

How to Respond to Online Reviews Safely

This is where good intentions cause real harm. A client leaves you a five-star Google review. You're touched, and you reply: "Thank you so much — it was an honor working with you on your anxiety."

You just confirmed a treatment relationship and named a clinical issue, in public, forever. OCR has pursued multiple healthcare providers for exactly this pattern — clinicians who responded to online reviews and, in doing so, disclosed that the reviewer was a patient along with details of their care. Dental and small medical practices have faced settlements over review responses that confirmed patient status and discussed treatment.

The rule: never confirm that a reviewer is your client, and never reference any clinical detail, even if the reviewer revealed it themselves first. The reviewer is allowed to share their own information. You are not.

Here's how to respond safely with generic, non-confirming language:

  • Good: "Thank you for taking the time to share feedback. I take all comments seriously and am always working to provide excellent care. If you'd like to discuss anything directly, please reach out to my office."
  • Bad: "Thanks for being such a great client these past few months!"
  • Bad (negative review): "I'm sorry your sessions didn't meet your expectations." (This confirms they were a client and references their sessions.)

For a negative review, the same neutral template works. Resist the urge to defend yourself with specifics — every specific is a disclosure. A calm, generic response actually reads better to prospective clients anyway.

Filming in Your Office Without Leaking PHI

If you create video content, your office background is a hazard zone. Before you hit record, sweep the frame for:

  • Computer or tablet screens showing an open EHR, calendar, or email inbox.
  • Paper on your desk — intake forms, progress notes, sticky notes with names.
  • A whiteboard or wall calendar with client initials or appointment times.
  • A sign-in sheet at reception where prior names are visible.
  • Faces or voices of real clients in hallways, waiting rooms, or audible through walls.

A surprising number of breaches come from background details no one noticed until the video was live. Film against a blank wall, close every program on visible screens, and clear your desk. Watch the playback specifically hunting for readable text before posting.

If anyone other than you appears on camera — a colleague, an office mate, a person in the hallway — get their explicit consent, and never film in shared waiting areas during client hours.

Extra Caution Around Group Therapy

Group settings deserve their own warning. In a group, every participant is exposed to every other participant's status as a client. A photo or video from a group room, even one meant to be celebratory, can disclose the treatment status of everyone in frame.

Never photograph or film in a group session. Don't post about "tonight's group" in a way that, combined with your schedule or location, could let someone deduce who attends. The minimum-necessary mindset applies here more than anywhere.

Practical Do and Don't Guidelines

Build your presence around content that teaches, not content that reveals.

Do:

  • Share general psychoeducation — what is rumination, how grounding works, signs of burnout.
  • Talk about your approach, training, and what working with you is like in general terms.
  • Use fully fictional or heavily composited scenarios, clearly labeled as illustrative, never tied to a real person.
  • Post about your own professional development and reflections, kept clearly about you.
  • Run responses to reviews through the neutral template above.

Don't:

  • Post, repost, or react to anything that confirms a specific person is a client.
  • Solicit or publish testimonials.
  • Film with screens, paper, sign-in sheets, or faces in the background.
  • Share session "stories," even disguised, if a viewer could identify the person.
  • Reference clinical detail in any public reply.

It's Not Just HIPAA — It's Your License

One last reason to take this seriously. A social media slip can trigger two separate consequences: a HIPAA breach investigated by the HHS Office for Civil Rights, and a professional ethics complaint to your licensing board.

The APA, NASW, and ACA codes all impose confidentiality and testimonial rules that often go further than HIPAA. A board complaint can threaten your license directly, and it doesn't require a federal investigation to get there — a single screenshot from a colleague or a former client is enough to start one.

The good news is that none of this stops you from marketing well. Educational, generous, you-focused content performs better than client stories anyway, and it keeps you entirely on the right side of every rule.
