Facebook is not HIPAA compliant for HIPAA Covered Entities or Business Associates because Facebook does not sign a HIPAA Business Associate Agreement and its services, including Facebook Messenger, are not intended to be used to create, receive, maintain, or transmit protected health information on behalf of regulated healthcare organizations.
HIPAA requires a written HIPAA Business Associate Agreement when a vendor performs functions involving protected health information for a HIPAA Covered Entity or Business Associate. Without that agreement for the service in use, protected health information cannot be routed through the platform, stored in platform systems, or exchanged through platform messaging as part of a regulated workflow. Facebook’s consumer and advertising services do not provide a HIPAA contracting path for protected health information handling.
Facebook Messenger is not appropriate for patient communications involving protected health information because message content, message metadata, contact identifiers, and account information can be processed and retained in ways that the healthcare organization cannot control under HIPAA Security Rule safeguard requirements. The same risk applies to comments, direct messages, and group interactions on Facebook pages where staff might respond to patient questions or where patients might disclose their own protected health information. A patient-initiated disclosure does not permit workforce members to reply with protected health information or to confirm treatment relationships in a public or uncontrolled channel.
Marketing and analytics features add further exposure pathways. Facebook pages, lead forms, and advertising tools collect identifiers and interaction data that become protected health information once they are tied to an identifiable person's treatment, payment, or healthcare operations. Website tracking tools associated with Facebook advertising, such as the Meta Pixel embedded in a site's pages, transmit event data and identifiers from the page to Facebook, so an event fired on an appointment request, a portal login, a symptom checker, or a service-specific page can itself be a disclosure about an identifiable person. When a communication meets the HIPAA Privacy Rule definition of marketing and protected health information is used or disclosed for it, the Privacy Rule generally requires a valid authorization from the individual, subject to the rule's narrow exceptions (for example face-to-face communications and promotional gifts of nominal value).
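The tracking-tool pathway is the one a security team can actually test for. The following is an added example, not code from the original page or from Facebook: a Python audit that scans a page's HTML for the pixel loader script, `fbq()` calls and the `<noscript>` image beacon, then flags events and "advanced matching" identifiers that would leave a healthcare page for Facebook. The two sample pages, the pixel id in them, and the set of event names treated as healthcare-sensitive are constructed assumptions for this example.

```python
"""Static audit of page HTML for Facebook (Meta) Pixel tracking code.

Added example, not code from the original page or from Facebook. It looks for
the pixel loader script, fbq() calls and the <noscript> image beacon, and
flags events and "advanced matching" identifiers that would leave a healthcare
page for Facebook. Sample pages, the pixel id and the set of event names
treated as healthcare-sensitive are constructed assumptions for this example.
"""
import re
from html import unescape
from urllib.parse import parse_qs

# Loader URL used by the standard pixel snippet: connect.facebook.net/<locale>/fbevents.js
LOADER_RE = re.compile(r"connect\.facebook\.net/[\w-]+/fbevents\.js")

# fbq('init'|'track'|'trackCustom', '<pixel id or event name>' [, { params }])
FBQ_RE = re.compile(
    r"fbq\(\s*['\"](init|track|trackCustom)['\"]\s*,"
    r"\s*['\"]([^'\"]+)['\"]"
    r"(?:\s*,\s*(\{[^}]*\}))?",
    re.S,
)

# <noscript> fallback beacon: https://www.facebook.com/tr?id=<pixel>&ev=<event>&...
BEACON_RE = re.compile(r"www\.facebook\.com/tr\?([^\"'\s>]+)")

# Keys of a JavaScript object literal: em: 'x' or "em": 'x'
OBJECT_KEY_RE = re.compile(r"['\"]?([A-Za-z_]\w*)['\"]?\s*:")

# Advanced-matching parameters accepted by fbq('init', ...): hashed email,
# phone, first/last name, birth date, gender, address fields and an external id.
ADVANCED_MATCHING_KEYS = {"em", "ph", "fn", "ln", "db", "ge", "ct", "st", "zp", "country", "external_id"}

# Assumption for this example: standard event names that, on a healthcare
# site, usually mean an identifiable person sought or booked a service.
SENSITIVE_EVENTS = {"Schedule", "Lead", "Contact", "FindLocation", "Search",
                    "CompleteRegistration", "SubmitApplication"}


def audit_page(page_html: str) -> dict:
    """Return loader presence, pixel ids, identifier keys, events and flags found in the HTML."""
    text = unescape(page_html)          # turn &amp; inside beacon URLs back into &
    findings = {
        "loader_present": bool(LOADER_RE.search(text)),
        "pixel_ids": set(),
        "identifier_keys": set(),       # advanced-matching keys passed to fbq('init')
        "events": [],                   # (source, event name, sorted parameter keys)
        "flags": [],
    }
    for kind, name, params in FBQ_RE.findall(text):
        keys = set(OBJECT_KEY_RE.findall(params)) if params else set()
        if kind == "init":
            findings["pixel_ids"].add(name)
            findings["identifier_keys"] |= keys & ADVANCED_MATCHING_KEYS
        else:
            findings["events"].append((kind, name, sorted(keys)))
    for query in BEACON_RE.findall(text):
        qs = parse_qs(query)
        findings["pixel_ids"].update(qs.get("id", []))
        for event in qs.get("ev", []):
            findings["events"].append(("beacon", event, []))

    if findings["identifier_keys"]:
        findings["flags"].append("advanced matching sends identifiers to Facebook: "
                                 + ", ".join(sorted(findings["identifier_keys"])))
    for source, name, keys in findings["events"]:
        if name in SENSITIVE_EVENTS or source == "trackCustom":
            findings["flags"].append(f"{source} event '{name}' fired from a healthcare page")
        if keys:
            findings["flags"].append(f"event '{name}' carries parameters: {', '.join(keys)}")
    return findings


# Constructed sample: an appointment-request page with the pixel installed (fake pixel id).
SAMPLE_APPOINTMENT_PAGE = """
<html><head>
<script>
(function(){var s=document.createElement('script');
s.src='https://connect.facebook.net/en_US/fbevents.js';document.head.appendChild(s);})();
fbq('init', '123456789012345', {em: '5f4dcc3b5aa765d6', ph: '9a8b7c6d5e4f3a2b'});
fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
 src="https://www.facebook.com/tr?id=123456789012345&amp;ev=PageView&amp;noscript=1"/></noscript>
</head><body>
<form id="request-appointment"
 onsubmit="fbq('track', 'Schedule', {content_name: 'Oncology consultation', content_category: 'Oncology'});">
<input name="reason"><button>Request appointment</button>
</form></body></html>
"""

# Constructed sample: a general brand page with no Facebook tracking code.
CLEAN_PAGE = "<html><head><title>Clinic hours</title></head><body><p>Open 8-5.</p></body></html>"


if __name__ == "__main__":
    for label, page in (("appointment page", SAMPLE_APPOINTMENT_PAGE), ("clean page", CLEAN_PAGE)):
        result = audit_page(page)
        print(label, "loader:", result["loader_present"], "pixels:", sorted(result["pixel_ids"]))
        for flag in result["flags"]:
            print("  FLAG:", flag)
```

On the constructed appointment page the audit reports the loader, the pixel id, hashed email and phone passed through advanced matching, and a `Schedule` event whose `content_name` names the specialty sought; the clean page yields nothing. Hashing the identifiers before sending does not change the analysis: Facebook receives them to match the visitor to an account, which is exactly the linkage the paragraph above describes. A static scan is a first pass only; a browser-based crawl that records outbound requests to facebook.com/tr will also catch pixels injected by tag managers or fired from third-party scripts.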
Healthcare organizations may use Facebook for general brand and service information that excludes protected health information and avoids confirming an individual’s patient status. Patient-specific support, scheduling, care coordination, and billing communications should be moved to channels supported by a vendor that will execute a HIPAA Business Associate Agreement for the services in scope and that can be configured and governed to meet HIPAA Security Rule requirements.
