Published on June 10th, 2018 | by Guest0
HIPAA and Social Media: Are Your Employees Aware of the Rules?
In April 2018, an EMS worker in Roane County, Tennessee posted a status update on Facebook detailing a somewhat atypical call out. After visiting a property where a man had had a heart attack and died, the EMS worker posted the following message on Facebook – “well, we had a first … We worked a code in a chicken coop! Knee deep in chicken droppings.”
The post did not mention the patient’s name, or any other PHI, although the post could potentially have allowed the individual to be identified. It certainly allowed the woman’s husband to identify her husband from the post.
A complaint was made, the matter was investigated, and the EMS worker was reprimanded, but that was not the end of it. Questions have also been raised about whether HIPAA Rules were violated. In this case, no PHI was mentioned, but the uniqueness of the location allowed her husband to be identified.
While the jury is still out over whether HIPAA Rules were violated in this case, these types of incidents are commonplace, and in many cases, they involve much clearer violations of HIPAA Rules.
If any PHI is added to a post on Facebook or any other social media platform without first having obtained consent from the patient, it is a violation of the HIPAA Privacy Rule. That applies to the sharing of photos on social media, posting or sharing medical documents, or any information that could allow a patient to be identified. That applies to posts viewable by anyone as well as posts in a private group.
HIPAA Social Media Violations
- In 2017, a med tech took a photo of a deceased patient who had been killed in a car crash and posted the photo on Facebook with the message – “Should have worn her seatbelt”. The patient could be identified from the image.
- In 2017, when a patient visited an emergency room to have an object removed from her genitalia, at least one healthcare employee took a photo of the unconscious woman and shared the image.
- Two employees shared an image of a screenshot on social media about a woman’s STD diagnosis on a Facebook group with 2,300 members. In that case, the workers were fired and sued.
- A ProPublica investigation published in December 2015 uncovered 47 incidents of nursing home workers who had taken photographs and videos of patients being abused and shared those images and videos via social media – Often private Facebook groups.
These are just a very small selection of some of the HIPAA social media violations that are occurring on a regular basis. All it takes is for one worker to carelessly post a message on Facebook, Twitter, or any other social media site that reveals protected health information for patient privacy and HIPAA Rules to be violated. Such actions leave the worker and their organization liable for substantial fines.
Healthcare organizations should create a clear policy on social media use and ensure it is communicated to all staff. Healthcare employees should be instructed never to share PHI on social media sites, but also never to discuss any patient matters over social media, even if PHI is not mentioned. It is too easy for posts to be linked to specific patients – from dates and locations for example.
Healthcare workers should be told that it is not acceptable to share gossip about patients on social media channels with co-workers.
Before any photo is posted on social media, healthcare workers should be told to carefully check the images to make sure there is no PHI in the post, such as information on a printed report or a photo of a patient in the background.
Healthcare employees should be encouraged to report any potential social media violations by co-workers. If a HIPAA violation has occurred, it is essential that action is taken. HIPAA requires notifications to be issued and corrective actions must be taken to prevent any further violations of HIPAA Rules.
If healthcare organizations fail to train staff on the potential HIPAA violations that can occur via social media or if too little is done to prevent social media violations, fines for noncompliance can be issued and they can be severe.
A fine of up to $1.5 million is possible per violation category, which can be multiplied by the number of years that the violation has been allowed to persist.