This transcript has been edited for clarity.
Posting on social media can get one of us fired in so many different ways. So can HIPAA violations. Combine the two and you have a setup that can land you in administrative hot water. You have the allure, the ubiquity of social media, and then add in opportunities and temptations to share protected health information. That's a potential disaster.
I'm not talking about being unprofessional on social media. That is a whole other topic. There's a great Medscape article about the many ways social media can lose you patients and respect. Examples include a doctor making racist comments about Michelle Obama or a nurse downplaying COVID on TikTok.
I'm talking about HIPAA violations, and there are some egregious examples — like publicly shaming a patient on social media or sharing protected information in a private group. It's never really private on the internet. If your hospital wants to find something out, they can if they look hard enough. HIPAA violations are serious. There's no denying that. You could wind up with a slap on the wrist or be placed on administrative leave. Other times you may face criminal charges or huge fines depending on the HIPAA violation.
You're probably thinking, Oh, I'd never be that dumb. This is common sense. But don't just shake your head right away because there are plenty of examples of inadvertent, well-intentioned HIPAA violations out there on social media. I have even been tempted to make social media public service announcements about patients I've seen who weren't vaccinated, weren't wearing a helmet, a seatbelt, or continue to vape when they had lung disease.
I recently made a meme about how some physicians or healthcare professionals are tempted to violate HIPAA on social media and then subsequently wind up getting fired. The messages I got in response to this meme inspired me to make this video because they showed me just how many people truly did not understand the scope of protected health information.
Protected health information comes in a variety of forms, and there are actually 18 unique identifiers. I can't name all 18, but two obvious ones are patient's face and patient's name. There are two other identifiers on the list, which I see get thrown around on social media all the time, and that's geographic location and hospital admission dates. Think about all those tags and descriptions on those Instagram posts. Also, number 18 on this list usually says something like, "Any unique patient characteristic identifier or code." Basically, anything that can be used to backtrace who a particular patient is, is considered a HIPAA violation.
Now, in reading through the responses I got after posting the meme, I read about a lot of HIPAA violations where the person didn't actually know they did anything wrong.
There are some famous examples:
A medical technician who was fired after commenting on a Facebook article about a woman who died in a car crash. She commented, "Should have worn a seatbelt."
A nurse who was fired after writing about a rare measles case in her hospital.
A nurse at NewYork-Presbyterian Hospital posted a photo of an empty trauma bay with the caption 'Man vs 6 train'. The hospital thought this photo was insensitive and they fired her. Now, bear in mind, the story was already told in local news and the photo was previously shared by another hospital employee. But it didn't matter. I'll give a shout-out to this nurse, Katie Duke, who now uses her story as a cautionary tale for others.
A hospital employee took a photo of an empty operating room and then posted it online, describing a long day of surgery after completing an 11-hour procedure. The photo was then reported to the hospital who said it violated HIPAA. Visualize this photo for one second, because we have all seen many photos like this posted online for educational purposes. Yes, it's technically a mistake, but should you really lose your medical license over this thing?
Think about all of the social media posts we've seen throughout the pandemic, across Instagram, Facebook, and Twitter. They were mostly responsible posts, but there were a lot of HIPAA violations. Posts about intubating patients included information like age, hospital location, and a post about coding a patient that included the admission date.
Are you really going to fire a frontline medical provider who's trying to spread awareness about a pandemic, and who may just need some clear HIPAA training? Well, maybe you wouldn't fire this person, but the hospital definitely might.
My personal take? If I see a HIPAA violation on social media and it's not malicious and there is no malicious intent, I directly message that person and suggest they change the wording or just take the post down altogether. I do this regularly because there's a lot of content out there that tiptoes into that number 18 category on the unique HIPAA identifiers list.
I have a few questions for all of you. If you see a HIPAA violation on social media, do you report it? What do you do about it?
Also, are these really all fireable offenses across the board? HIPAA compliance is an ongoing part of our training. Why is there a disconnect between the rules and so much of what we see online?
Share your thoughts. Comment below.
Alok S. Patel, MD, is a pediatric hospitalist, television producer, media contributor, and digital health enthusiast. He splits his time between New York City and San Francisco, as he is on faculty at Columbia University/Morgan Stanley Children's Hospital and UCSF Benioff Children's Hospital. He hosts The Hospitalist Retort video blog on Medscape. Follow Alok Patel on Twitter.
© 2021 WebMD, LLC
Any views expressed above are the author's own and do not necessarily reflect the views of WebMD or Medscape.
Cite this: Violating HIPAA on Social Media -- Does It Always Warrant Getting Fired? - Medscape - Jul 16, 2021.