Used appropriately and in professional contexts, social media such as Facebook and Twitter can provide useful vehicles for communicating general healthcare information to the public, promoting new hospital/provider facilities and programs, building professional connections and providing an outlet to share experiences. Personal uses of social media, however, can have serious legal consequences, especially if patient-specific information is shared.
Q: What are some improper uses of social media by healthcare providers?
A: A physician, on his blog, referring to a patient by name and describing details of her care; a medical student filming a surgery with the patient’s face clearly visible and posting the video on YouTube; a nurse posting on her Facebook page that she had treated a “cop killer” the day following many news accounts naming the accused shooter and the hospital where he was treated; and a hospital admissions clerk, using her personal Smartphone, and after work hours, posting on her Facebook page the name of a celebrity that came to the hospital where she worked – and the reason for his admission.
Q: Do such “posts” break any laws?
A: The federal Health Insurance Portability and Accountability Act (“HIPAA”) privacy regulations forbid healthcare facilities (and their employees) from using or disclosing patient information without authorization, unless the use is for a legitimate purpose, such as patient treatment. Under HIPAA, patient information in all forms—electronic, “paper,” and verbal—is protected. Healthcare workers cannot talk about their patients outside of work, so, unless a patient gives written permission to disclose her patient information, a posting on Facebook, Twitter, YouTube or other form of social media likely is a HIPAA violation. It could also give rise to a host of claims under Ohio common law (e.g. invasion of privacy, intentional infliction of emotional distress, etc.)
Q: What makes social media sharing a particular HIPAA risk?
A: Because social media is informal, fast-paced, and conversational in nature, the risk of a HIPAA violation may not be appreciated. Healthcare workers who would never dream of handing out a paper document or even an e-mail with patient information may, without thinking, reveal too much in a Facebook post.
Q: Might a hospital be responsible for a social media HIPAA violation, even if unaware of the post?
A: Potentially, yes. HIPAA rules require hospitals and other “covered entities” to implement detailed policies and procedures and train their workforce members about HIPAA, including employees’ personal obligations to protect the privacy of patient information. For HIPAA violations, fines can be imposed: ranging from $100 for a single, unintentional disclosure of one patient’s information up to $1.5 million for “willfully negligent” violations of HIPAA involving multiple disclosures or multiple patients. For an intentional HIPAA violation, the government can bring a criminal prosecution of up to 10 years in prison. Not every HIPAA violation leads to government penalties, but if the Government believes that employees’ improper social media posts reflect a facility’s general laxity about HIPAA compliance, the facility is more likely to be required to undertake extensive corrective action and pay hefty fines.
Q: Can an individual be penalized for a HIPAA violation for sharing patient information with Facebook “friends”?
A: Yes. Individuals, as well as facilities, can be prosecuted criminally for HIPAA violations. Also, HIPAA specifically requires the employing healthcare facility to impose disciplinary measures—up to and including termination—for HIPAA violations. An individual who is a physician, nurse, social worker or other licensed professional could also face discipline from the state’s licensing board for breach of patient confidentiality or unprofessional conduct.
Q: What steps can healthcare providers take to minimize HIPAA liability risks associated with social media?
A: Providers should have comprehensive HIPAA privacy policies and procedures that are regularly reviewed. Given the special risks associated with social media, providers should consider including a specific policy (and workforce education) on the subject.
This “Law You Can Use” column was provided by the Ohio State Bar Association (OSBA). It was prepared by Cincinnati attorney Sara Simrall Rorer, a partner in the Health and Life Sciences Practice Group of Taft Stettinius & Hollister, LLP. Articles appearing in this column are intended to provide broad, general information about the law. Before applying this information to a specific legal problem, readers are urged to seek advice from an attorney.