Beware of HIPAA 'experts' on social media. Why most of them are wrong
- Alan Shoebridge

- 11 minutes ago
- 4 min read
Here is what healthcare communicators — and everyone else — should know when a social media debate breaks out about HIPAA.
You open social media, and here is what you see:
📣 “You violated HIPAA first by sharing your own information!”
📣 “The news media violated my HIPAA rights!”
📣 “This random person on social media violated my HIPAA rights!”
📣 “Facebook violated my HIPAA rights.”
☝️ Wrong. Wrong. Probably wrong. Wrong.
Yes, all of that yelling above comes from social media.
If you work in healthcare, you’ve probably seen it: a social media argument where everyone suddenly becomes a HIPAA expert — and almost everyone is wrong.
Recently, a brouhaha broke out on Threads over whether a doctor violated someone’s right to privacy by seemingly confirming that they were a patient without authorization (most likely) to do so.
Let’s set aside the merits of that specific case for now. What really interests me is how mistaken people are about what HIPAA covers.
HIPAA is not an all-encompassing privacy force field. It applies to specific people, organizations and information in very limited contexts. Let’s break it down.
OK, so what is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act. Enacted by the federal government in 1996, it is designed to protect patient medical records and personal health information (PHI) from unauthorized disclosure by people working at “covered entities.” You’ll hear that term a lot.
Covered entities include physicians, nurses, healthcare providers, hospitals, health plans, healthcare clearinghouses and specific business associates of those groups that handle PHI.
Said plainly, HIPAA is meant to protect patients from the misuse or improper disclosure of their medical and other personal information by the people and organizations entrusted with it.
Go in-depth here if you want more information.
Who/what does HIPAA not apply to?
Quick disclaimer: I’m not a lawyer, and this isn’t legal advice. I’m writing from the perspective of a healthcare communicator who has spent a lot of time with HIPAA training, consent forms, legal reviews and compliance guidance.
With that said, let’s look at some of the statements I shared at the start of this article.
📣 “You violated HIPAA first by sharing your own information!”
Sorry, you cannot violate HIPAA against yourself.
HIPAA is designed to protect your protected health information from others. It does not prevent you from sharing your own health information.
That means you can share whatever you want — no matter how sensitive — on Facebook, Threads or a billboard on the freeway. However, once you post it publicly, you will lose control over where it goes next and who sees it. I wouldn’t recommend doing that, but HIPAA isn’t what stops you.
📣 “This random person on social media violated my HIPAA rights!”
Nope. Private citizens generally cannot violate HIPAA.
If a private citizen shares another person's medical information, it is not a HIPAA violation, though it could run afoul of other laws.
However, if that same private citizen is employed by a healthcare organization, they can be held personally and criminally liable if they improperly access or share protected health information. HIPAA applies to them.
Long story short, it’s never a good idea to share someone’s information unless they’ve authorized you to do it. Just don’t do it.
📣 “The news media violated my HIPAA rights!”
In general, the media cannot directly violate HIPAA because news organizations are not covered entities.
Medical professionals and organizations face severe penalties if they share protected health information with journalists or allow them to film in treatment areas without a patient's prior written consent.
Just ask any healthcare marketer or communicator. We can tell you all about patient consent forms. And we spend a lot of time explaining HIPAA to journalists.
📣 “Facebook violated my HIPAA rights!”
Since social media platforms are not covered entities bound by HIPAA, they are not legally considered violators of the law for what users post on their personal accounts.
If a doctor, nurse or any other healthcare employee posts your protected health information online without your written consent they are committing a HIPAA violation.
Again, it’s never a good idea to share anyone’s information on social media unless they have authorized you to do it.
Navigating gray areas
Social media has a way of bringing out the worst in people — and turning everyone into an instant expert with firm views on how things work. In fact, there are some gray areas.
The tricky part is that posting something on social media can be inappropriate, unethical, invasive or even actionable under another law without being a HIPAA violation.
HIPAA is important, but it is not the only privacy rule in the world. And ethics matter.
Tips for healthcare communicators to remember:
That distinction above matters for healthcare communicators and marketers, because our standard should be higher than whether something is “technically allowed.”
Here are some high-level best practices to follow:
Don’t confirm that someone is a patient unless you have authorization to do so.
Never assume something shared on social media is safe for you to repost or reference.
When in doubt, pause and ask legal/compliance for guidance.
Patient stories, photos, media access and social replies all need clear consent processes. Your organization has these in place. Ask about those policies if you haven’t been trained on them.
I hope this primer helps the next time a social media fight breaks out over whether something is a HIPAA violation.
Spoiler alert: most of the time, the example cited on social media probably isn’t a HIPAA violation. But there are exceptions. Don’t be one of them — it can get you and your organization into a lot of trouble.
Here is the post that inspired this blog. Join the conversation about it on LinkedIn.




Comments