Are HIPAA Concerns Valid in Healthcare’s Embrace of Social Media Tools?
The healthcare industry has increasingly embraced social media tools to engage with patients, promote health awareness, and share information. However, this integration comes with significant concerns, particularly in relation to the Health Insurance Portability and Accountability Act (HIPAA). These concerns are valid: the threat of non-compliance is real and can lead to severe consequences.
Understanding HIPAA and Its Relevance in Healthcare
HIPAA was established in 1996 to protect the privacy and security of medical information (Protected Health Information, or PHI). It applies to healthcare providers, health plans, and healthcare clearinghouses that transmit any health information in electronic form. Despite its widespread adoption, HIPAA violations through social media have become increasingly common, especially as healthcare institutions use platforms like Facebook, Twitter, and Yelp to engage with patients.
Real-World Examples of Social Media HIPAA Violations
There are numerous cases that highlight the importance of HIPAA compliance in the healthcare sector.
Elite Dental Associates
Case Details: Elite Dental Associates was fined $10,000 by the Office of Civil Rights (OCR) for disclosing Protected Health Information (PHI) on Yelp. An employee responded to a patient review with detailed information about the patient, including their name, treatment plan, insurance, and costs. The patient's complaint led to an OCR investigation, which revealed multiple similar incidents from the practice.
Consequences: Elite Dental Associates faced severe penalties, as each violation could have cost up to $50,000. Since the violations were not corrected, and were found to have unreasonable cause, the maximum penalty could have been up to $1.5 million. (Note: The actual fine being much lower highlights the importance of being proactive in addressing compliance issues.)
Northwestern Medical Regional Group
Case Details: A patient, Gina Graziano, discovered a data breach of her medical records on Twitter. A hospital employee, Jessica Wagner, accessed the patient's records without authorization and posted them online. Graziano's ex-boyfriend then spread the information on Twitter.
Consequences: Wagner was fired for violating HIPAA. However, Graziano did not file a lawsuit against the hospital, citing that Wagner claimed unauthorized access. Even if that claim were true, employees must ensure that computers with PHI are never left unattended. The hospital took disciplinary action against Wagner, illustrating the seriousness of HIPAA violations.
Texas Children’s Hospital
Case Details: A nurse posted details of a pediatric patient’s condition to a Facebook group. The patient had contracted measles, and the post included a description of his condition. The nurse's Facebook profile listed her employment information, alerting another parent at the same hospital, who then posted screenshots to the hospital’s Facebook page.
Consequences: The hospital immediately suspended the nurse. She deleted some comments but was ultimately fired for posting PHI. Such incidents underscore the potential consequences and underline the strict policies healthcare facilities must follow.
Indiana Patient Care Technician
Case Details: A patient care technician in Indiana exposed a former high school friend’s health information on social media. She posted the friend’s full name, date of birth, and that they had HPV. The post stated that the employee wanted to “expose” the friend.
Consequences: After the friend informed a nursing supervisor, the hospital issued a warning. They stated that “appropriate action was taken” but did not specify further details. MUSC Health, the organization where the incident occurred, occasionally faces social media HIPAA violations, with this being the sixth incident in three years.
MUSC Health – Post of an Infant Patient
Case Details: An employee from MUSC Health posted, without permission, a photo of an infant patient with words printed across her face. The photo was immediately brought to the parent's attention.
Consequences: MUSC Health notified the parent and stated that "appropriate action was taken." While they did not release specific details, MUSC Health is known for its strict policies and has previously fired employees for HIPAA violations.
Conclusion
These cases illustrate the real and significant threat HIPAA violations pose to healthcare practices. The healthcare industry must remain vigilant and adhere strictly to HIPAA guidelines to protect patient information. Failure to comply can result in severe repercussions, including financial penalties, legal action, and loss of credibility.
By understanding the risks and implementing robust policies, healthcare providers can ensure they maintain compliance and protect their patients' privacy and data security.
Keywords: HIPAA, Social Media, Health Care