
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

HIPAA Social Media Guidelines

An organization’s HIPAA social media guidelines should not only eliminate misunderstandings about online disclosures of Protected Health Information but also help workforce members navigate social media and other online platforms safely to reduce the risk of HIPAA violations, reputational damage, and personal harm.

There are many benefits to be gained from using social media if an organization is a HIPAA covered entity or business associate. For example, healthcare providers can use social media to promote healthy lifestyles, raise awareness of emerging health issues, and engage communities with updates about new services or new clinicians.

Health plans can use social media to market health insurance products, advertise new plans and benefits, and build brand awareness, while business associates can promote B2B services and answer questions from interested parties. Social media can also be used to recruit new workforce members or advertise training programs.

However, social media can also be a potential minefield for HIPAA compliance if Protected Health Information (PHI) is disclosed in a social media post or on an online platform without an authorization. In some circumstances, even liking, sharing, or commenting on a patient’s post can violate HIPAA.

Inappropriate social media posts and online interactions can also result in reputational damage and personal harm to patients, healthcare staff, or the organizations they work for. For this reason, many organizations implement HIPAA social media guidelines to help workforce members navigate social media and other online platforms safely.

The Challenge of Complying with HIPAA in a Social World

Platforms such as Facebook, Instagram, TikTok, LinkedIn, Reddit, and online review sites have created new ways for people to communicate – and new ways for PHI to be exposed. As a result, HIPAA social media compliance has become one of the most challenging areas of privacy practice for healthcare organizations.

To exacerbate the challenge, there are many misunderstandings about HIPAA and social media. For example, some people assume HIPAA prohibits posting any patient information online, while others believe it is permitted to include patient information in a social media post “as long as you don’t mention their name”.

In reality, the HIPAA Privacy Rule permits patient‑authorized disclosures under specific conditions, but it prohibits any post, interaction, or comment that could identify a patient or reveal a treatment relationship with a patient. Even a well-meaning interaction can create compliance risk when the workforce member’s profile links them to the organization, because the link itself can imply that the other person is a patient.

To complicate matters further, the emotional realities of healthcare work – stress, frustration, compassion fatigue, and the desire to decompress after a difficult shift – can lead workforce members to vent online or seek validation in ways that unintentionally reveal PHI or harm the organization’s reputation.

To help healthcare organizations overcome the challenge of HIPAA social media compliance, this article provides advice about why guidelines are essential, what healthcare social media policies should contain, how to connect social media and HIPAA in workforce training, and how to monitor workforce compliance with social media policies.

The article also addresses the realities of modern online behavior – from venting frustrations to managing professional profiles – and offers practical strategies for building a culture of responsible digital communication.


Why HIPAA Social Media Guidelines are Essential

HIPAA social media guidelines are essential because even well‑trained workforce members can unintentionally disclose PHI on social media or other online platforms. For example, a medical assistant might join a local parenting group on Facebook and share a “de‑identified” anecdote that still contains enough detail for another parent to recognize the patient once the post is linked to the assistant’s profile and employer.

Guidelines remind workforce members that HIPAA’s privacy obligations still apply away from the workplace and that a post, comment, or interaction does not need to name a patient to violate HIPAA. If a reasonable person could identify an individual – or infer a treatment relationship – the disclosure is impermissible.

HIPAA social media guidelines can also reinforce the message that trust is central to healthcare. The guidelines should remind workforce members that they continue to represent the organization when posting from personal accounts and that a single inappropriate post can damage patient confidence and harm an organization’s credibility.

It is also important for the guidelines to acknowledge the emotional realities of healthcare work. Some members of the workforce may turn to social media to vent about challenging encounters or overwhelming workloads, and these posts often reveal more than intended. Effective guidelines should direct workforce members toward safer outlets for emotional expression, helping them protect both themselves and their patients.

By addressing both compliance requirements and human behavior, well‑designed guidelines and documented HIPAA social media policies help create a culture where members of the workforce can decompress safely while maintaining the confidentiality patients expect.

What Healthcare Social Media Policies Should Consist Of

Effective healthcare social media policies give workforce members clear guardrails for navigating online spaces while protecting patient privacy and organizational credibility. Strong policies begin with precise definitions: what counts as social media, what is considered PHI under HIPAA, and what types of details can make a post identifiable even without names.

Policies must clearly outline prohibited activities. These include posting any patient information without a valid HIPAA authorization, sharing photos or videos from clinical areas, discussing unusual cases, or describing encounters in ways that could reveal an individual’s identity. The policies should highlight that privacy settings do not make a prohibited disclosure permissible: PHI shared in closed groups, via private messages, or as disappearing content can still be captured, screenshotted, and re-shared.

Workforce members should also be warned against interacting with patient posts, responding to reviews with PHI, posting grievances about patients or coworkers, or sharing content that harms the organization’s reputation. Policies should also remind staff that violations may trigger the organization’s HIPAA sanctions policy, which outlines disciplinary consequences for improper uses or disclosures of PHI.

Alongside prohibitions, policies should set expectations for required behaviors. Staff should use sound judgment, maintain professionalism, avoid inflammatory or discriminatory language, and distinguish personal opinions from organizational views. Policies should also address how staff present themselves on platforms like LinkedIn. For example, staff should use accurate job titles, avoid overstating expertise, and ensure their profiles reflect professionalism.

Healthcare social media policies should include clear reporting pathways and supportive elements for workforce well‑being. They should explain how to ask questions before posting, how to report concerns, and how supervisors should respond. They should also offer safe alternatives to venting online, encourage use of internal support channels, and normalize the emotional challenges of healthcare while reinforcing that social media is not a safe outlet.


How to Connect Social Media and HIPAA in Workforce Training

Social media-related violations in healthcare often stem from a lack of knowledge or misunderstandings. Workforce members may not recognize how “innocent” details, background images, or casual comments can identify a patient, especially when their social media activity is driven by the desire for likes, validation, or online visibility.

To mitigate the risk of social media violations, an explanation of the organization’s social media policy should be included in HIPAA training. To ensure the topic stands out, organizations should deliver social media training as a separate, dedicated module rather than burying it within general HIPAA education.

A standalone module is easier to use for refresher training and can serve as a targeted corrective action when a member of the workforce violates the policy. This reinforces accountability while giving workforce members the tools they need to avoid repeated mistakes.

However, effective HIPAA training on the safe and compliant use of social media requires more than a readthrough of the organization’s policy. The training content should include realistic scenarios, examples of risky posts, and explanations of why certain disclosures violate HIPAA.

Workforce members need to understand how PHI appears in social media contexts, how privacy settings fail to eliminate risk, and why photos and background details are especially dangerous. Training should also cover how to handle patient interactions online, including why acknowledging someone as a patient can be a HIPAA violation.

Additionally, the HIPAA social media training module must clearly explain the consequences of HIPAA violations and of damaging the organization’s reputation. Violations may trigger the organization’s sanctions policy, professional penalties such as loss of license, or civil action under state and federal laws.


How to Monitor Compliance with HIPAA Social Media Rules

Monitoring how workforce members engage online enables organizations to detect potential violations early, identify patterns of risky behavior, and protect both patients and the organization from reputational or legal harm. Monitoring also provides valuable insights that can be used to strengthen policies, refine training, and address emerging risks before they escalate.

A balanced monitoring program can use several methods such as periodic manual reviews of publicly available posts, brand‑monitoring tools that flag mentions of the organization, alerts for trending content, and routine reviews of online comments. Whatever methods are used, the process must remain transparent, ethical, and proportionate. The goal is not to police personal lives but to safeguard patient privacy and organizational integrity.

Monitoring should also include attention to brand reputation. Tracking how the organization is mentioned online, how workforce members reference their workplace, and how public sentiment shifts over time can reveal gaps in training or communication. Trends in online reviews or recurring themes in public comments often highlight areas where workforce members need additional support or clarification.

Another important focus is identifying risky venting behavior. Frequent posts about difficult shifts, complaints about patients or coworkers, or comments that hint at identifiable encounters can signal emotional strain and potential HIPAA exposure. When these patterns appear, supervisors should respond with support rather than punishment – offering coaching, reinforcing safe alternatives for decompressing, and connecting with internal resources.

By monitoring thoughtfully and responding constructively, organizations can reduce risk, strengthen trust, and foster a culture where workforce members feel supported while maintaining the highest standards of privacy.

HIPAA Social Media Violations

It is difficult to quantify the scale of HIPAA social media violations because violations of this type usually affect fewer than 500 individuals and HHS’ Office for Civil Rights rarely publishes information about violations below that threshold.

It is also difficult to determine the underlying causes of many HIPAA social media violations because licensing boards typically only publish decisions involving serious misconduct. Consequently, the public record over-represents extreme cases and under-represents the more common, unintentional violations handled internally.

Nonetheless, inappropriate disclosures of Protected Health Information on social media and other online platforms are a well-recognized issue in healthcare – so much so that the American Medical Association includes a dedicated section on “Professionalism in the Use of Social Media” in its Code of Medical Ethics.

Other major professional organizations have also issued guidance on social media use in healthcare. The American Nurses Association has published principles and warnings emphasizing patient privacy, professionalism, and adherence to employer policies, while the NCSBN’s “A Nurse’s Guide to the Use of Social Media” is frequently referenced in disciplinary hearings.

Social media HIPAA violation examples can be found in the FAQs below.

Conclusion

HIPAA social media compliance is not simply a legal requirement. It reflects an organization’s values, professionalism, and commitment to patient trust. In a world where personal and professional identities blend online, healthcare organizations must provide clear policies, practical training, and supportive pathways that help workforce members navigate digital communication responsibly.

By understanding permitted disclosures, using patient authorizations correctly, protecting brand reputation, and addressing the human realities of venting and frustration, organizations can build a culture that respects privacy, supports workforce members, and maintains public trust. Social media is here to stay, and with thoughtful HIPAA social media guidelines, healthcare organizations can use it wisely, safely, and ethically.


HIPAA Social Media Rules – FAQs

What do you need to know about social media and HIPAA?

What you need to know about social media and HIPAA is that posting PHI on social media is permissible under HIPAA only if you have a written authorization from the subject of the PHI. However, once something is posted on social media, you have no control over what happens to it. If the subject of the PHI subsequently revokes the authorization, you can remove the post and stop further use, but you cannot retrieve copies that others have already seen, shared, or saved.

What is one reason that social media increases the risk for HIPAA violations?

One reason that social media increases the risk for HIPAA violations is that social media channels make it easy for users to take a photo and upload it with the tap of a screen. This increases the risk for HIPAA violations because members of a covered entity’s workforce can unthinkingly take a photo of something or someone they have seen and post it on the Internet within seconds. If the photo reveals a PHI identifier and health information (for example, a celebrity being brought into ER) it is a violation of HIPAA unless the written authorization of the celebrity has been obtained in advance.

What is considered a HIPAA violation with social media?

One thing considered a HIPAA violation with social media is posting any individually identifiable health information without a written authorization. If an authorization is obtained, the form on which the disclosure is authorized has to describe the purpose of the disclosure, state an expiration date or expiration event, and explain that the subject has the right to revoke the authorization and any exceptions to that right.

As it is impossible to control what happens to a social media post once it has been published, a covered entity cannot undo a disclosure after a revocation or expiration. The Privacy Rule allows a covered entity to rely on an authorization for actions taken before it was revoked, provided the authorization form describes this “reliance” exception; the covered entity must still stop further use and take the post down once the authorization is revoked or expires.

If an employee attaches an image of a patient’s injury to a Tweet without any other identifying information, is that a breach of the HIPAA Privacy Rule?

If an employee attaches an image of a patient’s injury to a Tweet without any other identifying information, it is a breach of the HIPAA Privacy Rule if the identity of the individual can be determined from the image (for example, from a visible face, tattoo, or room number). However, if the patient has given their written authorization for the image to be used, and the image is shared under the conditions of the authorization, there is no violation of the HIPAA Privacy Rule.

Do the HIPAA social media rules apply to all accounts or just corporate accounts?

The HIPAA social media rules apply to all accounts – not just corporate accounts. A post from a personal account is an impermissible disclosure in exactly the same way as a post from a corporate account. Where the image was copied from the organization’s systems, or captured on a personal device outside the safeguards required by the HIPAA Security Rule, the incident may also involve an impermissible use of PHI and a Security Rule failure in addition to the impermissible disclosure.

Do all employees have to be trained on HIPAA social media rules, or just those with access to ePHI?

All employees should be trained on HIPAA social media rules as part of their security awareness training. All members of the workforce should be aware of the organization’s policies relating to social media whether they have access to ePHI or not. Even members of the workforce without access to ePHI can disclose information on social media such as a patient’s name and what they are being treated for, so it is important they know not to disclose information without authorization through any media.

What are the FTC Social Media Rules?

The FTC social media “rules” are the prohibition on unfair or deceptive acts or practices in Section 5 of the Federal Trade Commission Act, as applied through the FTC’s guidance on deception. They apply to all forms of advertising and marketing, and an act or practice is deceptive if:

  • a representation, omission, or practice misleads or is likely to mislead the consumer;
  • a consumer’s interpretation of the representation, omission, or practice is considered reasonable under the circumstances; and
  • the misleading representation, omission, or practice is material.

This means any claim – whether made by an organization or on behalf of an organization, and regardless of whether Protected Health Information is disclosed to support the claim – must not “seek to gain an advantage while avoiding competing on the merits”.

How can covered entities and business associates implement controls that flag potential HIPAA violations on social media?

Covered entities and business associates can implement various controls that flag potential HIPAA violations on social media. For example, the simplest way to monitor social media for HIPAA violations is to search for specific hashtags relating to a healthcare facility (e.g., #nyp, #mayoclinic, #UPMC). Although a manual control rather than a technology control, reviewing what is written about a healthcare facility on social media can help facilities improve their services – and their HIPAA policies – in many different ways.
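The triage logic behind the hashtag searches and brand-monitoring tools described here and in the monitoring section above, as an added example that is not part of The HIPAA Journal’s article. It takes a batch of publicly available posts, checks whether each mentions the facility, and scores the post for the kinds of details the article warns can identify a patient without a name (room numbers, record numbers, dates, ages, “my patient” phrasing, “first/rare case” phrasing, photos or video from clinical areas). The facility name, hashtags, rule weights, and sample posts are all constructed for illustration; no score can determine identifiability on its own, so the output is a review queue for a human, not a finding.

```python
"""Added example (not from The HIPAA Journal): triage publicly available posts
for facility mentions and PHI-style identifiers so a reviewer sees the
riskiest posts first. Facility terms, weights and posts are hypothetical."""
import re
from dataclasses import dataclass

# Hypothetical facility names and hashtags the monitoring program watches for.
FACILITY_TERMS = ("#examplehealth", "example health", "examplehealth")

# Indicators that a post may identify a patient or imply a treatment
# relationship even when no name is given. Weights are illustrative, not a
# legal measure of risk; a human reviewer makes the actual determination.
PHI_RULES = (
    ("room_or_bed", re.compile(r"\b(?:room|rm|bed)\s*#?\s*\d{1,4}\b", re.I), 3),
    ("record_number", re.compile(r"\b(?:mrn|acct|account)\s*#?\s*\d{4,}\b", re.I), 4),
    ("date", re.compile(r"\b\d{1,2}/\d{1,2}(?:/\d{2,4})?\b"), 2),
    ("age", re.compile(r"\b\d{1,3}\s*(?:yo|y/o|year[- ]old)\b", re.I), 2),
    ("treatment_relationship", re.compile(r"\b(?:my|our)\s+(?:patient|pt)s?\b", re.I), 3),
    ("rare_condition_phrasing", re.compile(r"\b(?:rare|first|only)\s+(?:case|patient)\b", re.I), 3),
    ("clinical_area_media", re.compile(r"\b(?:pic|photo|selfie|video|livestream)\b", re.I), 2),
)


@dataclass(frozen=True)
class Post:
    author: str     # public handle; only public posts are reviewed (proportionality)
    platform: str
    text: str


def mentions_facility(text: str) -> bool:
    lowered = text.lower()
    return any(term in lowered for term in FACILITY_TERMS)


def phi_indicators(text: str) -> list:
    """Labels of every rule that fires on the post, in rule order."""
    return [label for label, rx, _ in PHI_RULES if rx.search(text)]


def risk_score(text: str) -> int:
    return sum(weight for _, rx, weight in PHI_RULES if rx.search(text))


def classify(post: Post) -> dict:
    hits = phi_indicators(post.text)
    score = risk_score(post.text)
    facility = mentions_facility(post.text)
    if score >= 5:
        level = "review_urgent"        # several identifiers together: likely identifiable
    elif hits:
        level = "review"               # one weak signal: check context and photo background
    elif facility:
        level = "brand_mention_only"   # reputation tracking, no privacy concern
    else:
        level = "none"
    return {"author": post.author, "platform": post.platform, "facility": facility,
            "indicators": hits, "score": score, "level": level}


def triage(posts) -> list:
    """Posts needing attention, highest score first (stable for ties)."""
    results = [classify(p) for p in posts]
    return sorted((r for r in results if r["level"] != "none"), key=lambda r: -r["score"])


# Constructed sample posts; none are real people or facilities.
SAMPLE_POSTS = [
    Post("nurse_jane", "facebook", "Proud to be part of #ExampleHealth, best team ever!"),
    Post("ma_sam", "facebook",
         "Rough shift. My patient in room 412 is the first case of measles we've had in years."),
    Post("tech_lee", "tiktok", "Quick video from the ICU tonight, 3 more hours to go"),
    Post("dr_kim", "linkedin", "Thrilled to join Example Health as attending physician next month."),
    Post("random_user", "x", "Weather is great today."),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_POSTS):
        print(finding["level"], finding["author"], finding["indicators"])
```

Note that the second sample post names no patient yet scores highest: a room number, a stated treatment relationship, and rare-condition phrasing together are exactly the combination that let the Texas Children’s Hospital measles post identify a patient. The rules are deliberately simple keyword patterns; a real program would tune them to the facility’s own terminology and would treat a flagged post as the start of a supportive conversation, consistent with the sanctions and coaching approach described above.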


Why is posting patient information on social media a HIPAA violation?

Posting patient information on social media is a HIPAA violation if you do not have the patient’s authorization because it is an impermissible disclosure of individually identifiable health information to the public. The harm can range from embarrassment and discrimination to fraud or identity theft. Even if you do not name the patient when you post Protected Health Information on social media, the patient can still be identified from other information included in the post.

What is a HIPAA compliant social media policy?

A HIPAA compliant social media policy is a policy that stipulates the circumstances under which it is allowed to post any information to social media. As social media posts can never be fully retracted (because they may have been shared, screenshotted, or copied and pasted prior to retraction), it is a best practice to prohibit any post containing individually identifiable health information and to enforce tough sanctions on any member of the workforce who breaches this policy.

What is the penalty for a social media HIPAA violation?

The penalty for a social media HIPAA violation depends on who is responsible for an impermissible disclosure of PHI and what the consequences are. For example, if a covered entity posts PHI on a social media site without authorization for a marketing campaign, and the subject(s) of the PHI complain to HHS’ Office for Civil Rights, the penalty could be a substantial fine.

However, if a member of a covered entity’s workforce posts PHI on a social media site without authorization, the penalty will be whatever sanction is listed in the covered entity’s sanctions policy. This could range from a verbal warning and retraining to termination of contract and loss of license – a more likely outcome if the violation demeans the patient or is a repeated offense.

Is Facebook HIPAA compliant?

Facebook is not HIPAA compliant. Although social media has some mechanisms to control unauthorized access to accounts, Meta will not sign a Business Associate Agreement with covered entities. Indeed, under Facebook’s terms for the Workplace by Facebook service, Meta prohibits the use of the service to  “submit […] any patient, medical, or other protected health information regulated by HIPAA or any similar federal or state laws, rules, or regulations”.

Are there any examples of HIPAA violations on social media?

There are several examples of HIPAA violations on social media that have resulted in fines being issued by HHS’ Office for Civil Rights and dozens of examples of employees being fired and/or charged for HIPAA violations on social media.

  • In 2017, ProPublica published more than fifty examples of HIPAA violations on social media that resulted in employees being sanctioned, fired, and/or charged with a criminal offense.
  • In 2018, a pediatric nurse at Texas Children’s Hospital was fired for posting about a rare case of measles she had treated. The rarity of the disease made the patient identifiable.
  • In 2019, Elite Dental Associates was fined $10,000 for disclosing a patient’s name, details of her health condition, treatment plan, insurance, and cost information in response to a negative online review.
  • In 2022, another dental practice – Dr. U. Phillip Igbinadolor and Associates – responded to a patient complaint on social media disclosing the patient’s name and treatment. The dentist was fined $50,000.
  • In 2024, a nurse was disciplined for posting about a patient’s death, believing the post was sufficiently anonymized. The patient’s family saw the post and reported the nurse to the Board of Nursing.
  • In 2025, a Florida nurse who livestreamed a med pass on TikTok was fired from her job and referred to the Board of Nursing. The Board subsequently suspended the nurse’s license.
  • Also in 2025, Cadia Healthcare agreed to pay $182,000 to settle allegations the healthcare group had disclosed PHI on its social media account without obtaining authorizations from affected patients.

What are the recommended social media guidelines for healthcare professionals?

The recommended social media guidelines for healthcare professionals are not to post anything relating to patients on social media channels. Even if you have the patient’s authorization to comment about someone you are caring for or have treated, there is no way you can fully retract the social media post if the patient decides to revoke their authorization. As well as not being able to retract the post, if a friend or family member of the patient – who does not know you have the authority to publish the patient’s PHI – sees the post, they may file a complaint with your employer or HHS’ Office for Civil Rights.

Is posting a photo of a patient on social media considered a disclosure?

Posting a photo of a patient on social media is considered a disclosure if the photo identifies the individual and either the photo or a description of the photo implies a past, present, or future treatment relationship. However, posting a photo of a patient on social media is not necessarily an impermissible disclosure if you have obtained the patient’s written authorization.

Note: In 2015, the California Board of Registered Nursing revoked an RN’s nursing license after she shared images of a patient’s surgical wounds on Instagram in violation of HIPAA. Although the patient was not named in the Instagram post, the images showed identifying tattoos and the patient’s room number.

Is it a HIPAA violation to look up a patient on Facebook?

It is not a HIPAA violation to look up a patient on Facebook because information on Facebook pages is posted by individuals who are aware – or who should be aware – they are publishing information about themselves in the public domain. However, if you are discovered looking up a patient on Facebook, it may raise concerns you could also be snooping on the patient’s medical records. Although not a HIPAA violation, it is best to avoid looking up patient information on any media for purposes not permitted by the HIPAA Privacy Rule.

Who is allowed to share personal health information on social media sites?

The issue of who is allowed to share personal health information on social media sites is complicated. HIPAA governs how covered entities, business associates, and their workforces may share protected health information; but, if an individual or organization is not subject to HIPAA or to an employer’s social media policy, other data privacy laws may apply – and these can vary from state to state.

With regards to HIPAA and social media, covered entities and business associates can disclose personal health information on social media sites provided they have the patient’s authorization to do so. Employees of covered entities and business associates are advised not to share personal health information on social media sites unless they have a valid reason for doing so (e.g., marketing) and the patient’s authorization has been acquired by their employer.

What are the rules for social media and patient privacy in HIPAA?

There are no social media-specific rules for patient privacy in HIPAA because HIPAA predates social media; the general Privacy Rule standards for uses and disclosures of PHI apply to social media as they do to any other medium. However, each covered entity and business associate should have a social media policy that either prohibits members of the workforce from posting patient information on social media channels or that outlines the procedures for posting patient information on social media channels in compliance with HIPAA. Each covered entity and business associate should also have – and enforce – a sanctions policy for patient privacy violations on social media.
