and in professional contexts, social media such as Facebook and Twitter can
provide useful vehicles for communicating general healthcare information to the
public, promoting new hospital/provider facilities and programs, building
professional connections and providing an outlet to share experiences. Personal
uses of social media, however, can have serious legal consequences, especially
if patient-specific information is shared.
Q: What are some improper uses of social media
by healthcare providers?
A physician, on his blog,
referring to a patient by name and describing details of her care; a medical
student filming a surgery with the patient’s face clearly visible and posting
the video on YouTube; a nurse posting on her Facebook page that she had treated
a “cop killer” the day following many news accounts naming the accused shooter
and the hospital where he was treated; and a hospital admissions clerk, using
her personal Smartphone, and after work hours, posting on her Facebook page the
name of a celebrity that came to the hospital where she worked – and the reason
for his admission.
Do such “posts” break any laws?
federal Health Insurance Portability and Accountability Act (“HIPAA”) privacy
regulations forbid healthcare facilities (and their employees) from using or
disclosing patient information without authorization, unless the use is for a
legitimate purpose, such as patient treatment. Under HIPAA, patient information
in all forms—electronic, “paper,” and verbal—is protected. Healthcare workers
cannot talk about their patients outside of work, so, unless a patient gives
written permission to disclose her patient information, a posting on Facebook,
Twitter, YouTube or other form of social media likely is a HIPAA violation. It
could also give rise to a host of claims under Ohio common law (e.g. invasion
of privacy, intentional infliction of emotional distress, etc.)
What makes social media sharing a particular HIPAA risk?
Because social media is
informal, fast-paced, and conversational in nature, the risk of a HIPAA violation
may not be appreciated. Healthcare workers who would never dream of handing out
a paper document or even an e-mail with patient information may, without
thinking, reveal too much in a Facebook post.
Might a hospital be responsible for a social media HIPAA violation,
even if unaware of the post?
yes. HIPAA rules require hospitals and
other “covered entities” to implement detailed policies and procedures and
train their workforce members about HIPAA, including employees’ personal obligations
to protect the privacy of patient information.
For HIPAA violations, fines can be imposed: ranging from $100 for a
single, unintentional disclosure of one patient’s information up to $1.5
million for “willfully negligent” violations of HIPAA involving multiple
disclosures or multiple patients. For an intentional HIPAA violation, the
government can bring a criminal prosecution of up to 10 years in prison. Not
every HIPAA violation leads to government penalties, but if the Government
believes that employees’ improper social media posts reflect a facility’s
general laxity about HIPAA compliance, the facility is more likely to be
required to undertake extensive corrective action and pay hefty fines.
Can an individual be penalized for a HIPAA violation for sharing
patient information with Facebook “friends”?
Yes. Individuals, as well as
facilities, can be prosecuted criminally for HIPAA violations. Also, HIPAA
specifically requires the employing healthcare facility to impose disciplinary measures—up
to and including termination—for HIPAA violations. An individual who is a physician, nurse,
social worker or other licensed professional could also face discipline from
the state’s licensing board for breach of patient confidentiality or unprofessional
Q: What steps can healthcare providers take to
minimize HIPAA liability risks associated with social media?
Providers should have
comprehensive HIPAA privacy policies and procedures that are regularly
reviewed. Given the special risks
associated with social media, providers should consider including a specific
policy (and workforce education) on the subject.
“Law You Can Use” column was provided by the Ohio State Bar Association (OSBA).
It was prepared by Cincinnati attorney Sara Simrall Rorer, a partner in the
Health and Life Sciences Practice Group of Taft Stettinius & Hollister,
LLP. Articles appearing in this column are intended to provide broad, general
information about the law. Before applying this information to a specific legal
problem, readers are urged to seek advice from an attorney.
Labels: Facebook, health care, HIPAA, social media, Twitter