I read 45 CFR 164.510 the same way. A detailed authorization specific to the PHI disclosure would be needed in each unique instance. On the one hand, the patient is self-disclosing so the Privacy Rule no longer applies. However, the FaceBook contract stating "You own the content you create and share on Facebook..." and "These guidelines apply if you create or administer a Facebook Page, group, or event, or if you use Facebook to communicate or administer a promotion," introduces this privacy risk on the part of the covered entity even as it's the patient doing the posting (but you own the shared content on your page.) I'm not a lawyer, this is just my opinion.
That aside, I'm struggling to see the value in having a FB page where patients can post anyway.
I believe a FB page can be set up to not allow any posts to show without first being approved by the administrator of the page. Might be helpful in making sure no PHI is posted.
Michael Scudillo, OTR, CHC Chief Compliance Officer/Privacy Officer 15 Microlab Road Suite 101 • Livingston, New Jersey 07039 P: 1-973-992-8181 X7108 • F: 1-973-992-9797 • C: 1-973-699-4964 www.uirehab.com