Social media is now at the very core of our culture and gone are the days when websites like Myspace and Facebook were nothing more than a guilty pleasure of adolescents and college students. Social media outlets like Facebook, Twitter, Instagram, Snapchat, and numerous others are now utilized not only by our younger generations, but also corporate giants, local businesses, celebrities, and just about everyone, everywhere. The use of social media in the professional healthcare setting is widely accepted, but with it comes ever growing concerns about patient privacy and the consequences associated with the unauthorized use and disclosure of protected health information. Consider the following scenarios:
- A nursing student creates a post on her Myspace page that details her experience with a mother's birth of her child. Although the post does not contain the mother's name, the student's Myspace page indicates the hospital at which the birth occurred, the date of the birth, and details of the medical treatment administered during the birth.
- A nurse posts a statement on her Facebook page excitedly sharing that she met a celebrity at work today and identifies the celebrity by name.
- A receptionist at a physician's office snaps a photo of a patient in the waiting room and posts it on Facebook with a comment that he is drug-seeking. The comment also contains the name of the patient's employer and details regarding the patient's referral to another medical provider.
- A medical student obtains video of a physician inserting a chest tube into a patient and posts the video on YouTube. The patient's face is visible in the video.
- Employees of a nursing home use Snapchat to record and transmit videos of themselves harassing the residents.
Each of these scenarios implicates serious patient privacy concerns that have the potential to expose the healthcare provider, as well as the provider's employer, to a variety of administrative, civil, and potentially criminal penalties. It does not matter that the social media posts omit the patient's name or other identifiers. Rather, the Health Insurance Portability and Accountability Act (HIPAA) defines protected health information to include individually identifiable health information, meaning any health information created or received by the health care provider that relates to the past, present or future physical or mental health or condition of a patient. § 45 C.F.R. §§ 164.501, 164.502, 160.103. Therefore, social media posts containing information regarding a patient's physical or mental health, or condition will likely constitute HIPAA violations if disclosed to unauthorized users for a purpose unrelated to the patient's treatment or other limited exceptions.
In the first scenario, irrespective of the fact that the Myspace post contains no information regarding the patient's name, the patient-specific information in the post discusses the patient's pregnancy and healthcare, and was found by a Federal District Court to implicate patient privacy concerns. In the second scenario, although the nurse did not identify the celebrity as a patient or specify the treatment provided, her profile page identifies the hospital at which she works and the date on which the post was made. The remaining three scenarios are much easier to identify, as the patient's identity is clearly depicted.
From the employer's perspective, HIPAA violations involving social media require the employer to take action. For example, notification must be sent to the individual patient within a set period of time after discovery of the violation, and this information is ultimately submitted to the U.S. Department of Health and Human Services. Based upon the matter at issue, employers may be subject to civil monetary penalties and, if warranted, criminal fines. Importantly, the individual employee who made the unauthorized disclosure may also be subject to these civil and criminal penalties.
Not only do these social media posts implicate possible civil and criminal fines under HIPAA, but they also expose the healthcare provider to potential disciplinary actions by the Department of Health. For example, a physician engaging in such conduct may be faced with an administrative action and possible discipline on his or her license, including the assessment of fines, by the Board of Medicine. Further, the employee responsible, and likely the employer, may find themselves faced with the threat of litigation in a civil lawsuit filed by the patient. Causes of action sounding in breach of privacy or fiduciary duty, negligent hiring and supervision, or defamation are possible as a result of the social media post. In those instances, employers and employees alike may spend thousands of dollars and countless hours defending the lawsuits.
To avoid these unfortunate situations, employers should take preventive measures to ensure that employees are fully aware of the possible repercussions associated with posting patient information on social media sites. It is also a good business practice for the employer to implement policies concerning employee use of social media, and to educate employees on the importance of avoiding any situations which implicate patient privacy concerns. An example of this guidance is the ethical opinion issued by the American Medical Association in 2011 concerning physician use of social media and networking applications online. This opinion highlights the importance of refraining from posting any information that may contain identifiable patient information. By ensuring that all employees are abiding by such guidelines, employers are in a much better position to avoid the unauthorized use and disclosure of protected health information on social media.
Chanel A. Mosley is an attorney in the Orlando, Florida office of Marshall Dennehey Warner Coleman & Goggin. She devotes her practice to the defense of claims involving medical malpractice, long-term care, and other healthcare and general liability matters. She can be reached at email@example.com or through the firm's website at www.marshalldennehey.com.