Does This Facebook Post Violate HIPAA?

Carolyn Buppert, MSN, JD


November 04, 2016



A nurse asks the following social media question:

I made a comment on my Facebook page about a patient, but I didn't name her. It wasn't a derogatory comment, but someone took a screenshot and sent it to my supervisor. Now I have been cited for a patient privacy violation and am required to take a class on confidentiality. I don't believe that what I did is a Health Insurance Portability and Accountability Act (HIPAA) violation. What do you think?

Response from Carolyn Buppert, MSN, JD
Healthcare attorney

In this case, the nurse who posted the comment on Facebook mentioned the age, gender, and weight of the patient. The nurse and the patient live in a small town. Because of the weight—very abnormal—and the other identifying information, at least one reader in that town could figure out who that patient was. So, yes, this was a HIPAA violation.

Healthcare providers are prohibited by HIPAA and state privacy rules from disclosing any information about patients, unless the disclosure is necessary for treatment, payment, or healthcare operations. In this case, it was the nurse's personal Facebook page, and no treatment was involved.

However, let's say that the page was the nurse's business-related page, for the nurse's weight-loss coaching business. And let's say that a patient wrote a comment that she had lost 25 pounds and asked whether to continue with the high-protein diet for another month. In this situation, the patient is initiating an online conversation and the discussion relates to treatment. In this scenario, can the nurse engage in online dialogue with the patient?

Generally, no. A patient can talk or write about his or her own personal health information, and a patient can authorize a healthcare provider to make disclosures. But patient consent to disclosure or authorization of disclosure is a formal process involving written documents and signatures. The patient doesn't open the door to clinician disclosures by initiating the online discussion. And although a response from the nurse about the patient's diet is about "treatment," the social media page is not the appropriate venue.

An appropriate and legal response from nurse to patient, when the patient asks a question online, is one of the following:

  • Nothing. Delete the comment. If this patient is your patient, call him or her to discuss the question.

  • Write: "Congratulations on the loss! Please call your healthcare provider for a private discussion about your questions."

If a nurse is trying to build an online discussion group related to a condition or illness, he or she should post rules related to online discussions. The rules should state that the nurse cannot engage in giving personalized advice through the social media page; that the nurse cannot write about specific participants or their problems; and that the nurse may answer questions, but the questions will be changed so that the patient's identity can't be discerned by a reader. For example, a 50-year-old woman with a question about stress incontinence would be changed to a "perimenopausal" woman. The rules should say that answers will be generic—that is, related to the condition and patients with that condition, but not related necessarily to any specific patient. The nurse should consult legal counsel for exact wording.

