
Wouldn't using Facebook be a HIPAA violation in and of itself? Doesn't information like that need to be contained to pre-approved, secure methods?


Oh lord yes... like a monstrous, you-need-to-be-fired one. You can't put PHI on any electronic system which you do not have a signed business associate agreement with. I suppose there's a chance that FB signed a BAA, in which case this would be their problem, but it seems pretty unlikely to me.


IANAL, but there is a legal concept of ‘Joint And Several Liability’ — it might be the case that Facebook and the doctor were in violation.

Or it might have been just the doctor until someone complained and from that point on just the fact that Facebook knew about it might make them suddenly and automatically liable for further bad behaviour.


Are there any examples of service providers being liable for such communications?


I wouldn’t know where to look for an answer.


The EU, probably.


I think perhaps what's being described is akin to a bulletin board with fliers outside the doctor's office, with general advice to the public, not specific directed advice to a patient about their specific health issues. I'm not sure that falls afoul of HIPAA; I would imagine it doesn't since it's not specific at all.

At the same time, that also makes it irrelevant to the point at hand, since it's not Facebook Messenger at all, just general health posts and items offered by that medical group.



