Social media HIPAA violations


Social media has become an integral part of our personal and professional lives. But, for healthcare providers, understanding the complexities of social media usage is important to avoid potential Health Insurance Portability and Accountability Act (HIPAA) violations. 

 

The rise of social media and the perils of patient privacy

The ubiquity of social media platforms has transformed how healthcare professionals communicate and share information. While these digital tools offer numerous benefits, such as enhanced patient engagement and efficient information-sharing, they also present a challenge: the potential for accidental or intentional breaches.

 

The impact of social media breaches

In the first half of 2018 alone, more than 56% of the 4.5 billion data records compromised worldwide, across all industries, were attributed to social media incidents. In healthcare, these breaches range from an employee accidentally capturing protected health information (PHI) in the background of a photo or video to deliberate sharing of patient details for personal gain.

 

The blurred lines of HIPAA compliance

Many healthcare professionals don't fully grasp how far HIPAA reaches on social media. A post does not have to name the patient to be a violation: PHI is any individually identifiable health information, and the Privacy Rule's safe-harbor de-identification standard (45 CFR 164.514(b)) lists 18 identifiers that must be removed, including dates, geographic detail smaller than a state, full-face photographs, and any other unique identifying characteristic. A photo, a treatment date, or a rare diagnosis in a small community can be enough to identify a patient, so seemingly innocuous comments or images can still disclose PHI.


 

Real-world examples of social media HIPAA violations

Citadel Winston-Salem: TikTok missteps

In June 2021, former nurse Kelly Morris was suspended by her employer, Citadel Winston-Salem, for posting TikTok videos that joked about mistreating patients. Morris said the videos were comedy skits and harmed no one, but her employer deemed the content a violation of its core values and took disciplinary action.

 

Ballad Health: Photo post

In October 2020, employees at Ballad Health in Tennessee posted a photo of a patient undergoing surgery while a surgeon wore a racing helmet. Although the image showed no identifiable features, Ballad Health deemed the post unacceptable and a violation of internal policy.

 

Lincoln Hospital: Pandemic perspectives

In April 2020, nurse Lillian Udell shared a video with the online publication The Intercept in which she interviewed coworkers about working during the COVID-19 pandemic. The video named no patients, but one coworker made a statement that could amount to a HIPAA violation, and the hospital opened an investigation.

 

Grady Hospital: Facebook posts

In November 2019, a news investigation uncovered an online EMS Facebook group with over 23,000 members, most of whom were emergency responders. The group regularly posted uncensored videos and pictures of the scenes they encountered while on the job, a violation of patient privacy. The owner of the group, who worked as a paramedic at Grady Hospital, was disciplined for the second time in six months for posting about patients on social media.

 

Elite Dental Associates: Yelp review

In October 2019, the Office for Civil Rights (OCR) reached a $10,000 settlement with Elite Dental Associates over PHI disclosed on Yelp, a business-review platform. The practice had replied to a patient's review with details of the patient's treatment plan, insurance, and cost. OCR's investigation found that the response disclosed PHI, and the practice agreed to the settlement and a corrective action plan.

 

MUSC Health: Infant photo

In August 2019, an employee from MUSC Health posted a photo of an infant patient with words printed across the child's face, without obtaining permission from the parent. This incident marked MUSC Health's sixth social media-related HIPAA violation in three years, despite the organization's zero-tolerance policy and past disciplinary actions.

 

Glenview Nursing Home: Snapchat video

In August 2019, a lawsuit was filed against Glenview Nursing Home for violating the Nursing Home Care Act, HIPAA, and other state privacy laws. The case stemmed from a Snapchat video that showed two employees taunting a 91-year-old resident suffering from dementia by waving a hospital gown in front of her.

 

Texas Children's Hospital: Vaccination controversy

In May 2019, Texas Children's Hospital fired a nurse who posted details of a pediatric patient's measles condition to an anti-vaccination support group on Facebook. While the nurse did not include the child's name, her Facebook profile listed her workplace, potentially compromising the patient's privacy.

 

Northwestern Medical Regional Group: Twitter disclosure

In March 2019, Northwestern Medical Regional Group failed to notify a patient, Gina Graziano, that her medical records had been accessed without authorization. Jessica Wagner, the new girlfriend of Graziano's ex-boyfriend and a hospital employee, had looked up Graziano's records and posted the information on Twitter; the hospital terminated Wagner's employment. The case touches two separate obligations: the Security Rule's audit controls requirement (45 CFR 164.312(b)) exists so that record access like this is logged and detectable, and the Breach Notification Rule (45 CFR 164.404) requires notifying affected individuals without unreasonable delay and no later than 60 days after the breach is discovered.

 

Lessons learned

Enhancing HIPAA awareness and training

One of the takeaways from these case studies is the need for more thorough and frequent HIPAA training for healthcare employees. Lack of understanding or disregard for HIPAA regulations is a common thread in many reported incidents, indicating the necessity for regular educational programs about patient privacy and social media usage.

 

Developing comprehensive social media policies

In addition to enhanced training, healthcare organizations must establish clear and detailed social media policies that outline acceptable and prohibited practices for employees. These policies should address the use of social media platforms, the sharing of patient information, and the potential disciplinary actions for noncompliance.

 

Fostering a culture of accountability

Beyond training and policy development, healthcare organizations must cultivate a culture of accountability and responsible social media usage. Employees should be empowered to report potential violations, and leadership should demonstrate a strong commitment to HIPAA compliance through consistent enforcement and swift disciplinary measures.

 

Leveraging technological safeguards

Healthcare organizations can also use technical controls to reduce social media-related HIPAA risk: role-based access to patient records with audit logging of who opened which chart (the Security Rule's audit controls requirement, 45 CFR 164.312(b)), routine review of those logs for access by staff with no treatment relationship to the patient, monitoring of public posts that mention the organization, and secure, encrypted communication platforms so that staff and patients are never tempted to move clinical conversations onto public channels.
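The Northwestern case above is the kind of snooping that audit-log review is meant to catch: an employee opened a chart for a patient she had no clinical reason to touch. The script below is an added example, not code from the original article or from any EHR vendor. It assumes a simplified export of an EHR access log (columns timestamp, user, role, patient_id, action) and an encounter table listing which clinicians were assigned to which patients and when; the column names, the seven-day grace window, the exempt role, and all sample rows are constructed for illustration.

```python
"""Flag chart access with no care relationship (added example, constructed data)."""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    role: str
    patient_id: str
    action: str  # e.g. view, print, export


@dataclass(frozen=True)
class Encounter:
    patient_id: str
    user: str  # clinician assigned to the encounter
    start: datetime
    end: datetime


# Constructed sample data; not real audit records. Column names are assumptions.
AUDIT_LOG_CSV = """timestamp,user,role,patient_id,action
2019-03-01T09:12:00,dr_lee,physician,P1001,view
2019-03-01T09:30:00,nurse_kim,nurse,P1001,view
2019-03-02T14:05:00,clerk_a,clerk,P2002,view
2019-03-02T14:06:00,clerk_a,clerk,P2002,print
2019-03-03T08:00:00,dr_lee,physician,P2002,view
2019-03-04T10:00:00,po_smith,privacy_officer,P2002,view
"""

ENCOUNTERS_CSV = """patient_id,user,start,end
P1001,dr_lee,2019-02-28T00:00:00,2019-03-01T23:59:59
P1001,nurse_kim,2019-02-28T00:00:00,2019-03-01T23:59:59
P2002,dr_lee,2019-03-03T00:00:00,2019-03-03T23:59:59
"""

# Assumption: access a few days before or after an assigned encounter is routine
# (pre-visit review, post-visit documentation) and should not be flagged.
GRACE = timedelta(days=7)

# Assumption: roles whose chart access is reviewed through a separate process.
REVIEWED_SEPARATELY = {"privacy_officer"}


def load_audit_log(text: str) -> List[AccessEvent]:
    """Parse the CSV export into AccessEvent records."""
    return [
        AccessEvent(datetime.fromisoformat(r["timestamp"]), r["user"],
                    r["role"], r["patient_id"], r["action"])
        for r in csv.DictReader(io.StringIO(text))
    ]


def load_encounters(text: str) -> List[Encounter]:
    """Parse the encounter (care-relationship) table."""
    return [
        Encounter(r["patient_id"], r["user"],
                  datetime.fromisoformat(r["start"]), datetime.fromisoformat(r["end"]))
        for r in csv.DictReader(io.StringIO(text))
    ]


def has_care_relationship(event: AccessEvent, encounters: List[Encounter],
                          grace: timedelta = GRACE) -> bool:
    """True if the user was assigned to this patient around the time of access."""
    return any(
        e.patient_id == event.patient_id and e.user == event.user
        and e.start - grace <= event.ts <= e.end + grace
        for e in encounters
    )


def flag_unrelated_access(log: List[AccessEvent], encounters: List[Encounter],
                          exempt_roles=REVIEWED_SEPARATELY) -> List[AccessEvent]:
    """Return every access event lacking a care relationship, for privacy review."""
    return [ev for ev in log
            if ev.role not in exempt_roles and not has_care_relationship(ev, encounters)]


def summarize_by_user(flags: List[AccessEvent]) -> Dict[str, int]:
    """Count flagged events per user so repeat offenders stand out."""
    counts: Dict[str, int] = {}
    for ev in flags:
        counts[ev.user] = counts.get(ev.user, 0) + 1
    return counts


if __name__ == "__main__":
    flagged = flag_unrelated_access(load_audit_log(AUDIT_LOG_CSV), load_encounters(ENCOUNTERS_CSV))
    for ev in flagged:
        print(f"{ev.ts.isoformat()} {ev.user} ({ev.role}) {ev.action} chart {ev.patient_id}: no care relationship")
    print(summarize_by_user(flagged))
```

On the constructed data, the two accesses by clerk_a to chart P2002 are flagged and everything else passes: the clinicians had encounters with the patients they viewed, and the privacy officer is routed to a separate review. In practice the encounter table would come from the scheduling or admission system, the grace window would be tuned per role, and flagged events would feed a privacy officer's queue rather than trigger automatic discipline, since legitimate cross-coverage does occur.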


 

FAQs

Can healthcare organizations address patient queries on social media platforms?

Healthcare organizations should refrain from discussing specific patient health details on social media. Encourage patients to use secure communication channels or contact their healthcare provider directly for personalized inquiries.

 

Is it acceptable to share general health tips and updates on social media?

Yes, sharing general health information is fine, but avoid examples that might inadvertently reveal patient-specific details.

 

How can social media be used for HIPAA-compliant patient engagement?

Use social media to share general health information and educational content. Encourage patients to seek personalized advice through secure channels to ensure privacy.

