
Facebook is the world’s largest social network, with over 3 billion active users, more than half of whom log on every day. Since millions of healthcare workers are present on the platform, it behooves them to know whether Facebook is HIPAA compliant. This blog explains how Facebook relates to HIPAA compliance. We will also recommend content ideas you can use to succeed on the world’s largest social media platform while staying HIPAA compliant.

SEE ALSO: Social Media & HIPAA Compliance: The Ultimate Guide


About Facebook

Facebook is a social networking site that became one of the world’s largest conglomerates when it acquired other companies such as Instagram and WhatsApp. It has expanded from personal profiles to business pages to groups and beyond. Its ad network alone made $17.74 billion in revenue last year. Facebook is the king of social media, reaching 60.6% of all internet users. Sixty-nine percent of American adults have a personal Facebook profile and spend an average of 58.5 minutes on the platform daily. Over 90 million small businesses are present on the platform. It’s standard to include Facebook in a modern marketing strategy.


SEE ALSO: Can I use WhatsApp and be HIPAA Compliant?


The business associate agreement and HIPAA compliance

A business associate is a person or company that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) for a covered entity. If a business associate handles, stores, or in any way uses PHI for a covered entity, then a business associate agreement (BAA) must be in place. A BAA is a written contract between a covered entity and a business associate and is required by law for HIPAA compliance.


Is Facebook HIPAA compliant?

Similar to other platforms like LinkedIn, Twitter, and Instagram, Facebook will not sign a BAA with covered entities. However, this does not mean healthcare providers cannot use it. It simply means that they must steer clear of transmitting any PHI via the platform. Conclusion: Facebook is not HIPAA compliant because it will not sign a BAA. However, covered entities can use it—as long as they do not share any PHI.


How medical professionals use Facebook

Considering Facebook is the third-most visited website in the world (behind only Google and YouTube), it’s no wonder so many medical providers use it both personally and professionally. Facebook is cost-effective and simple to use. It's an excellent platform to market your medical practice. Facebook allows medical professionals to:
  • Grow brand awareness and create new connections
  • Establish authority and share expert advice
  • Add a personal touch to your practice
  • Keep tabs on your competition
Here are three examples of medical practices that are rocking their Facebook presence.


HIPAA violations on Facebook

As beneficial as Facebook is for marketing, it can be a troublesome place for healthcare providers because of potential HIPAA violations. Much like on other social media platforms, the most common HIPAA breach is sharing PHI. One example is when a nurse from Texas Children’s Hospital posted about a young measles patient in a Facebook group. Even though she didn’t release the patient’s name, the hospital launched an investigation which resulted in her firing. However, Facebook poses another HIPAA risk: its ad network. Because Facebook collects data such as web browsing history to serve retargeted ads, browsing Facebook at a hospital has the potential to become a HIPAA violation.


SEE ALSO: Is Facebook Pixel HIPAA Compliant?


What not to share on Facebook

Many people are not aware of how much data is encompassed by PHI and how strict HIPAA regulations are in this area. Any personal detail linked to someone’s health condition automatically becomes PHI. For example, a patient’s name or email address alone can be considered PHI if it is in any way associated with a healthcare provider. Avoid posting any patient information, stories, or conditions, even if the name is left out. Also, never post photos of patients or their medical documents. That includes any photos where PHI might be visible in the background!


What you can share on Facebook

There is no shortage of content you can share on Facebook while remaining safely HIPAA compliant. Some ideas for healthcare practitioners include:
  • Sharing updates or news about your practice
  • Educating the public about popular or timely health topics
  • Communicating about COVID-19
  • Sharing health and wellness tips
  • Supporting other local businesses and partners
  • Promoting events related to your practice


Facebook is a great channel to recycle your existing content as well. Break up your blogs, emails, and announcements into Facebook posts. You can also use Facebook to collect new subscribers to your email list. On the flip side, you can attract more Facebook followers and page “likes” by including your social media links in your HIPAA compliant email newsletter.

Paubox Marketing makes email campaigns like this possible in a HIPAA compliant manner. You can send personalized marketing emails that include PHI directly to your recipients’ email boxes—no passwords or portals required. Read more about what sets Paubox Marketing apart from non-HIPAA compliant solutions (such as Mailchimp and Constant Contact) here.

SEE ALSO: Healthcare Email Marketing Use Cases

In conclusion, keep an eye on your social media and train your staff to communicate without PHI. For everything else, there’s HIPAA compliant email for direct communication with patients.

