Does your midwifery practice or birth center display...

  • A "new arrivals board" in the office with first names and weights of the latest babies born. 
  • A testimonial on your business website that the client wrote themselves.
  • A Facebook post that has no photos, but shares a birth story as told by a member of the care team, using only the first initials of the parents and baby.
  • An Instagram photo that shows only the baby's head, displaying impressive caput after a posterior birth, with no written client information.



Without proper client permission, these could all be Tier 3 HIPPA violations, with fines starting at $10,000 per violation.



If you already have a general consent for social media that is signed at the start of care, it may cover some of the scenarios listed above - but it will NOT cover all of them! 

So how can midwives share client information when celebrating new births, or using social media? The FAQs below are a good starting place when designing protocols for your practice.


Sources:  US Dept of Health and Human Services, HIPAA Omnibus Rule.

US Dept of Health and Human Services, HIPAA Marketing 45 CFR 164.501, 164.508(a)(3).

This FAQ has been created to be used by midwives and doulas as a free resource when considering ethical and legal issues. It does not replace the need for HIPAA training, nor does it replace the need for legal advice, if needed.

HIPAA FAQ for Midwives

Consents and Social Media:

  • What is Protected Health Information (PHI)?

    Health Information is anything that "relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual." Example: If you client gives you a great recipe for zucchini bread, that is not health information. Anything that is about the person themself, probably is.

  • What are the tiers of HIPAA violations, and the associated fines?

    Tier 1: A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care had been taken to abide by HIPAA Rules (Minimum fine of $100 per violation, up to $50,000.) Tier 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care, but falling short of willful neglect of HIPAA Rules. (Minimum fine of $1,000 per violation, up to $50,000.) Tier 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation (Minimum fine of $10,000 per violation, up to $50,000.) Tier 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation (Minimum fine of $50,000 per violation.) Please note: These figures were as of 2013, and that document also specifies that there should be adjustment for inflation! So minimum fines are even higher now.

  • What is the different between a general consent and a specific consent form?

    Whether the subject is protected health information (PHI) on social media, or anything else, it is important to keep in mind the difference in these concepts. A general consent form, sometimes called a blanket consent form, covers all possibilities. A specific consent form is just that - specific! Specific consent forms are more likely to prevent problems down the road. In some situations, a general consent form will not meet the standards set forth by HIPAA. Safest bet: When in doubt, spell it out!

  • Can a client sign a consent at the start of care that will cover social media posts after the birth?

    Probably not. One important element of these written consents is that they must spell out exactly what Protected Health Information (PHI) will be disclosed. Because it is impossible to know what health information will even exist at the start of care, those general waivers do not allow you to disclose detailed information. For example, if you want to post a birth story about a posterior birth, a consent at the start of care could not specify the fact that the baby was posterior, so they would be unable to give consent to that fact ahead of time. Safest bet: If you want to make a post about a client's birth, ask them to sign a consent that specifically includes the proposed post (both words and photos).

  • What does a social media consent at the start of care cover?

    When it comes to Protected Health Information (PHI), any consent can only cover what the consent specifically describes. It is easy to use a consent at the start of care to cover the routine disclosure of basic information, like the first name and weight of new babies. It's also easy to use this consent to cover anything the client writes...for example, the client writing their own birth story, and submitting to you to share on your business page. (Remember: A social media consent needs to meet all the criteria for written authorizations for marketing.) Safest bet: If it can't be easily explained in a general consent, it needs a separate one.

  • Can a general consent cover photographs?

    Again, it depends if the photograph(s) can be accurately described in a general consent. The consent must not only give consent for the photo, but for the specific private health information that is depicted in the photograph. A group photo from a client reunion picnic? That's easy to include in a blanket consent at the start of care. But graphic photos of their birth? Those need a separate and specific consent. Safest bet: For photographs taken during any time care was provided (births, prenatal or postpartum visits), include the actual photograph you are requesting permission regarding in the consent. Next best option would be to include a detailed description of each photograph, such as "Photo 1: Arbor in birth tub, holding Baby Wren. Both people are unclothed, but no genitals or nipples are showing. The tub water is red due to blood loss."

  • Do doulas need to follow HIPAA?

    Previously, doulas were not legally required to follow HIPAA privacy protections. However, recent Medicaid coverage of doula services in some states requires doulas to take HIPAA training. Between that, and a new NPI code for doulas, it seems that doulas may be required to follow HIPAA privacy practices in the future. Safest bet: Following HIPAA privacy practices helps ensure ethical handling of protected health information. So whether it is required or not, following HIPAA standards will only help, not harm, doula clients.

  • Got a question not answered here?

    Do you have a question about Protected Health Information (PHI) on social media, that isn't covered here? Email [email protected] - we'll add it to the FAQ if it makes sense to do so!

Ethics FAQ for Midwives and Doulas

Social Media and Birth Stories:

  • Whose story is it?

    It's important to remember that the story of a birth belongs to the birthing parent and the baby. It doesn't belong to those in attendance. Should the birth happen outside the home, it doesn't belong to the birth center, or the hospital.

  • When is it appropriate to ask to share someone else's story?

    It's so exciting when a birth happens...and for those welcoming the new baby into their family, it can also be overwhelming, exhausting, and nearly universally, Not Exactly What They Thought It Would Be. (This is true for everyone, even those with previous children.) As birth workers, it is our duty to safeguard the focus of those tender early days, and support the family in ignoring outside stressors. Many midwives and doulas provide families with a sign for their door, asking visitors to support the family in preserving their privacy. So ask yourself: Is this the time to ask them to review a legal document so you can share a story about their vagina for your marketing purposes? Safest bet: If you want to ask your client to share information that is beyond what could easily be covered in a general consent, it is best done after the conclusion of care, to avoid any unintentional coercion that the client could experience.

  • Got a question not answered here?

    Do you have a question about health information on social media, that isn't covered here? Email [email protected] - we'll add it to the FAQ if it makes sense to do so!

Marketing Considerations FAQ for Midwives and Doulas

Social Media and Birth Stories:

  • What are the benefits of posting birth stories and/or client photos on social media?

    Nothing does a better job of describing what care with you can look like. It's that simple.

  • What are downsides of posting birth stories and/or client photos on social media?

    1. If you don't have clear permission to share the specific details included in their birth story, this could land you in trouble with HIPAA fines, a private lawsuit, or both. 2. If you have that explicit and specific permission, but don't mention that permission in your post, it may cause potential clients to worry that you shared information without permission.

  • Got a question not answered here?

    Do you have a question about Protected Health Information (PHI) on social media, that isn't covered here? Email [email protected] - we'll add it to the FAQ if it makes sense to do so!

Online HIPAA Training on HiveCE

HiveCE currently offers two versions of our online HIPAA Training: One for CE, and for employee training. 

(What's the difference? The employee training version does not provide CE.)

These trainings will provide the framework needed for you to understand HIPAA issues in your practice, including social media.