The question nurses most often ask is whether they can post about their work — venting about a hard shift, sharing something that moved them, documenting their daily reality. The honest answer is that most posts nurses instinctively feel are “fine” are fine. But the category of posts that cross into HIPAA territory is wider than most nurses realize, and the consequences — termination, BON complaint, federal investigation — are serious enough that the line is worth knowing precisely.
This guide covers the actual legal framework, the 18 PHI identifiers you need to know by memory, and a real yes/no framework for the posts that sit in the gray zone.
Fast-scan summary
| Post type | Safe? |
|---|---|
| ”Exhausted after a 12-hour shift. Grateful for my team.” | Yes |
| ”Hardest day I’ve had in years. Lost a patient I’d grown close to.” | Yes, if nothing identifies the patient or unit |
| ”ICU patient in room 14 today had the rarest condition I’ve ever seen” | No — room number + unit + unusual diagnosis = identifiable |
| Selfie in scrubs outside the hospital | Generally yes |
| Selfie in a patient care area | Risky — hospital policy likely prohibits it regardless of HIPAA |
| Venting about a specific case, even without naming the patient | Depends — see the identifiability analysis below |
| Posting about “a patient I had last Tuesday in the [unit]” with a distinctive case detail | No |
| Photo from the hospital hallway where a patient is visible in the background | Potential HIPAA violation + likely fireable |
The core HIPAA rule
HIPAA’s Privacy Rule protects “protected health information” (PHI) — any information that relates to a person’s health condition, healthcare, or payment for care AND that could identify the individual. The key phrase is “could identify.” A patient’s name is the most obvious identifier, but HIPAA recognizes 18 categories of information that can identify someone, and any one of them combined with health information creates PHI.
This means: a post that never mentions a name can still be a HIPAA violation if the combination of details makes the patient identifiable — to a colleague who knows the unit, to a family member who recognizes the story, or to the patient themselves.
The 18 PHI identifiers
These are the identifiers HIPAA specifically lists. Any of these, combined with health information, creates PHI:
- Names
- Geographic data smaller than a state (street address, city, county, zip code, and anything more specific than state)
- Dates (other than year) directly related to an individual — birth date, admission date, discharge date, date of death
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate or license numbers
- Vehicle identifiers and serial numbers (including license plates)
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (fingerprints, voiceprints)
- Full-face photographs and any comparable images
- Any other unique identifying number, characteristic, or code
Number 18 is the one that catches nurses. “Any other unique identifying characteristic” encompasses unusual diagnoses, rare procedures, distinctive physical descriptions, and the combination of ordinary details that together identify a specific person. A 34-year-old woman with a rare autoimmune condition admitted to your med-surg unit last week is potentially identifiable even without her name — particularly if you work in a smaller city or a specialized unit.
The identifiability question
HIPAA’s “safe harbor” method for de-identification requires all 18 identifiers to be removed AND for the covered entity to have no actual knowledge that the remaining information could identify the individual. In practice, this means:
Small community + any detail = high risk. A nurse in a rural county hospital posting about “a patient I had today” is describing a pool of perhaps 20 people. Any detail narrows that pool quickly.
Unusual condition + unit + timeframe = identifiable. “The patient I had in the ICU last Tuesday with the rare clotting disorder” can identify someone even in a large facility if colleagues know who was on that unit.
Photo context + patient visible = clear violation. A photo of the break room with a whiteboard in the background showing patient room assignments is a HIPAA violation. A photo that incidentally captures a patient in a bed in the background is a HIPAA violation, plus likely an additional patient privacy violation under state law.
Date + diagnosis + demographic = identifiable at the community level. “The 19-year-old I had on Friday with the cardiac arrest” is potentially identifiable at a facility where that’s an unusual combination.
Safe vs. unsafe: a real framework
Safe to post
- General emotional content about the work: fatigue, meaning, frustration, gratitude — with no patient details
- Information about your own professional experience: years in nursing, specialty, certifications, career reflections
- General educational content: nursing school advice, NCLEX prep, specialty overviews — not derived from a specific patient interaction
- Selfies in scrubs, outside the clinical area, not in patient care spaces (check your employer’s policy first — some prohibit any clinical uniform photos)
- Reactions to news, policy, or nursing issues in general terms
- Encouragement to nursing students or new nurses — generically
Requires careful analysis
- Describing a patient case for educational purposes: safe only if fully de-identified per the 18 identifiers AND you can confirm no actual knowledge of identifiability. Many nurses believe this is safe if they remove the name; HIPAA requires more.
- Venting about a difficult shift: safe if there are no patient details, unsafe if you describe what happened to a specific patient even without naming them
- Posting about professional challenges in your unit: safe if describing systemic issues (staffing, policy), risky if it could identify a specific incident or patient
Not safe
- Any photo taken in a patient care area, including hallways, nursing stations, or rooms — even if “no patients are visible” (HIPAA; also hospital policy in most facilities)
- Any post describing a specific patient interaction in enough detail to allow identification
- Naming or describing a colleague’s error in a way that identifies the patient context
- Posts that combine unit, timeframe, and case details even without a name
- Screenshots of patient charts, monitors, whiteboards, or any clinical documentation
How nurses actually get fired for social media posts
The cases that have resulted in terminations and BON complaints share a common pattern: a nurse believed the post was de-identified because they removed the name. In most documented cases, the patient — or the patient’s family — saw the post and recognized themselves. In others, a colleague reported it. In a smaller number, an employer found it during routine social media monitoring.
Several documented cases involve:
- Posts describing an unusual or newsworthy case that was locally known (a child with a rare diagnosis, a case that appeared in local news, a public figure)
- Posts in Facebook groups that nurses believed were “private” — private groups are not private to group members or to screenshots
- TikTok videos filmed in clinical areas or with clinical uniforms that incidentally captured information visible on screens or whiteboards
- Threads on Reddit or nursing forums where the original post was de-identified but the nurse’s comment history identified their location and specialty, making the patient identifiable
BON complaints from social media posts come from three sources: employers who monitor social media, colleagues who report posts, and patients or families who find the content. All three have resulted in disciplinary actions.
Selfies in clinical areas
Many nurses take photos in their workplace — at the nursing station, in the break room, in hallways. The HIPAA question is whether the photo captures any PHI. The practical question is whether your employer’s policy permits photos in clinical areas at all.
Most hospitals prohibit photography in clinical areas regardless of patient visibility — because the risk of incidental capture (a whiteboard in the background, a monitor visible in a reflection, a patient in a doorway) is too high to manage case by case. Violating this policy is typically grounds for termination independent of whether a HIPAA violation occurred.
Location tags add another layer of risk. Tagging a post at your hospital, on a date, creates a searchable record linking you to that location that can be used alongside other post details to argue a case was identifiable.
LinkedIn and professional social media
LinkedIn is often treated as categorically different from Facebook or TikTok. It isn’t. The same HIPAA rules apply. The risk profile is somewhat different — LinkedIn posts are less likely to be seen by patients’ family members scrolling social media — but a post describing a clinical case on LinkedIn is still a HIPAA violation if the patient is identifiable.
A profile photo in clinical clothing is generally fine. Posting about a specific patient case — even framed as a clinical insight or a professional reflection — carries the same risks as on any other platform.
What to do if a past post worries you
If you’ve already posted something and you’re now wondering whether it crossed the line:
Do not delete it immediately. This counterintuitive advice comes from the same logic that applies to legal situations generally: if the post has already been seen, screenshotted, or shared, deleting it doesn’t erase it and may look like evidence of awareness of wrongdoing. If the post hasn’t been flagged and no one has seen it yet, deletion may be appropriate — but evaluate that judgment carefully.
Screenshot and preserve the post first. Before taking any action, document what you posted, when, and who could have seen it. If this becomes a complaint later, you want a record of what the original post said.
Assess the identifiability honestly. Go through the 18 identifiers above. Does your post, combined with your publicly available profile information (your employer, your unit, your city), allow someone to identify a specific patient? If yes, the risk is real.
Check whether it’s already been shared or screenshotted. Search for the post URL, search your name, look in any groups where you posted. If the post has been shared, the calculus changes.
Consult an employment attorney before your employer comes to you. If you believe the post may have crossed a HIPAA line, getting advice before an employer or BON inquiry is far better than responding after.
BON complaints and social media
State BONs take social media HIPAA violations seriously because they represent a fundamental failure of patient privacy — one that is, by definition, documented and deliberate (you chose to post). Unlike a documentation error or a medication mistake, a social media post is a considered act.
BON complaints arising from social media violations typically allege a breach of the ethical duty to maintain patient privacy and confidentiality, and they can result in the same range of outcomes as other BON complaints: from letters of concern to consent orders to, in egregious cases, suspension.
The practical guidance is simple: the ANA’s Principles for Social Networking state that nurses must “maintain patient privacy and confidentiality” and should assume that any patient-related content could identify the patient, regardless of the nurse’s intent. When in doubt, the post doesn’t go up.
Decision framework: can I post this?
-
Does the post describe a specific patient interaction, case, or incident? If yes, proceed to question 2. If no, it’s likely safe.
-
Have I removed all 18 HIPAA identifiers? Work through the list above. Does anything in the post — combined with your profile information, your location, your employer, and the timeframe — allow someone to identify the patient? If any identifier remains or if the combination is identifiable, don’t post.
-
Was the post taken in a clinical area? If yes, check your employer’s policy. Most prohibit this. Don’t post.
-
Is the post about a case that was locally notable — in the news, unusual enough to be regionally known, or involving a public figure? If yes, don’t post, regardless of how well you believe it’s de-identified.
-
Am I confident this passes the test? If you are asking whether you can post it, the answer is probably no.
What to do right now
- Review your recent social media history with the 18 identifiers in mind
- Read your employer’s social media policy — most hospitals have one, and many nurses have never read it
- If you find a post that concerns you, screenshot it, assess the identifiability, and consult an employment attorney before acting
- Before any future posts about work: if there is a specific patient involved in any way, the post doesn’t go up until it passes the full de-identification standard
For related guidance, see nursing documentation and malpractice, complaints against your nursing license, nursing employment contracts, and nursing with a felony on your record.