Act Immediately

Employee Posted Patient Info on Social Media

A workforce member shared patient information on social media.

Act Within Minutes, Not Hours

A social media post containing PHI can spread to thousands of people within minutes. The longer it stays live, the greater the potential exposure and the worse your breach assessment will look. Your absolute first priority is removal.

Step 1: Remove the Post Immediately

If you discover the post and have access to the account:

  1. Delete the post immediately from the social media platform
  2. If it was posted from a personal account, contact the employee directly and instruct them to delete it immediately — do not wait for a meeting or formal process
  3. Check if the content was shared, retweeted, or reposted by others — note those accounts for documentation
  4. If the post was on a platform with screenshot/caching features (like Twitter/X), take note that deletion may not eliminate all copies

Screenshot everything before deleting. You need documentation of what was posted, when, and what was visible. Take screenshots (or have someone else take them) before the post is removed. This is evidence for your breach investigation.

Step 2: Document Everything

Before anything else changes, capture:

  • Screenshot of the post with timestamp visible
  • The platform where it was posted
  • The employee's account name
  • What PHI was visible (patient name, photo showing their face, diagnosis, treatment information, etc.)
  • How many views, likes, shares, or retweets it had at the time of discovery
  • When the post was made and when it was discovered
  • When it was deleted

Step 3: Assess the Breach

Your Privacy Officer must conduct a breach risk assessment. Key factors:

  • What PHI was exposed? Patient name alone may not be PHI in all contexts, but any health information combined with an identifier is PHI. Photos of patients in clinical settings, references to diagnoses, or any information that identifies someone as a patient is PHI.
  • How many individuals were affected? Even one patient's information exposed publicly is a reportable breach.
  • How long was it live? Hours vs. days makes a significant difference in likely exposure.
  • How widely was it shared? A post seen by 50 people is different from one that went viral.
  • Did the patient consent? In rare cases, a patient may have publicly shared their own health information and tagged or referenced your organization. This changes the analysis — but generally, your workforce sharing PHI without authorization is still problematic even if the patient is "public" about their condition.

Step 4: Sanction the Employee

HIPAA requires covered entities to have and apply a sanction policy for workforce members who violate HIPAA. Failing to sanction an employee who committed a violation puts you at risk of OCR finding that your sanction policy is insufficient.

The sanction should be proportionate to:

  • Whether the disclosure was intentional or a mistake
  • The severity of the violation (one patient vs. many; incidental vs. egregious)
  • The employee's history of compliance issues
  • The employee's role and level of training

Sanctions can range from additional training (for minor, unintentional violations) to written warning, suspension, or termination (for serious or intentional violations). Document the sanction decision and rationale in writing.

Step 5: Breach Notification

A social media disclosure of PHI without authorization is generally a reportable breach. Once your risk assessment confirms breach status:

  • Notify the affected patient(s) in writing within 60 days of discovery
  • Notify HHS OCR (annually for fewer than 500 individuals; within 60 days if 500 or more)
  • If applicable, notify media outlets in the affected state if 500+ individuals in that state are affected

Step 6: Training Reinforcement

Use this incident (appropriately anonymized) as a training opportunity:

  • Issue an all-staff reminder about social media policies and PHI
  • Reinforce that patients are never to be discussed on social media — even without names, if the context makes them identifiable
  • Review and update your social media policy if it doesn't explicitly address PHI
  • Consider adding a social media module to your annual HIPAA training

Policy Review

If your workforce social media policy doesn't explicitly prohibit posting PHI, update it now. The policy should clearly state:

  • No patient information of any kind may be posted on social media
  • No photos taken in patient care areas may be posted
  • This applies to personal accounts, not just organizational accounts
  • Violations are subject to disciplinary action up to and including termination