
Social Media Meets HIPAA

Let’s bust some myths about Social Media and HIPAA compliance.

Myth: HIPAA rules are so complicated that I should avoid using Facebook and other social media.

Reality: Your practice CAN have a Facebook page. You simply need to adjust the privacy settings on your Facebook page to limit how patients share information.

Facebook has many settings, so familiarize yourself with them to stay in compliance. Note – Similar guidelines apply to Instagram (owned by Facebook), Twitter, LinkedIn, and other social media sites – the key is to use the privacy settings to limit patient postings.

Myth: If a patient voluntarily posts a comment or a review on my Facebook page they have consented to their name being published, so this doesn’t violate HIPAA.

Reality: There is no such thing as “voluntary consent” in HIPAA. The only recognized consent is a written “Authorization” in advance. Covered Entities under HIPAA, such as health care providers, are the guardians of patient privacy and are required to obtain a written Authorization from a patient before allowing disclosure of the patient’s identity. A valid HIPAA Authorization has specific requirements. Using a general “consent” or “release” without the HIPAA requirements is not enough.

Myth: If I advertise on Facebook but don’t have a Facebook page for my practice, I can’t control whether patients leave comments, reviews or recommendations on the ad, so I don’t need to worry about HIPAA.

Reality: You may advertise on Facebook and not violate HIPAA as long as you don’t include testimonials or allow for comments or recommendations from patients UNLESS those patients have given you an Authorization in advance.

What about independent review sites such as Yelp?

Review sites are different than social media sites such as Facebook because you own your Facebook page and are legally responsible for all its content, even posts by others. As long as you don’t publicly respond to a patient post on Yelp, you are not responsible for patient information disclosed there.

Concluding:

  • If you choose to moderate visitor comments, you can either scrub out any Protected Health Information (PHI) such as names, dates of service, etc. or reach out to the patient for an Authorization before publishing.
  • Facebook has recently changed “Reviews” to “Recommendations.” As a health care provider, you should turn Reviews/Recommendations off to protect patients from accidentally violating their own privacy (and making you responsible as the page owner). Patients may still publish “posts” on your business page, as long as you review them in advance to scrub out identifiable information or seek a valid Authorization.

If you need help with HIPAA rules about social media, contact us for answers – step-by-step guidance shows you HIPAA is easy to follow once you know the steps.


Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up-to-date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2023 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC
