COMMENTARY

Violating HIPAA on Social Media -- Does It Always Warrant Getting Fired?

Alok S. Patel, MD

July 16, 2021

This transcript has been edited for clarity.

Posting on social media can get one of us fired in so many different ways. So can HIPAA violations. Combine the two and you have a setup that can land you in administrative hot water. You have the allure, the ubiquity of social media, and then add in opportunities and temptations to share protected health information. That's a potential disaster.

I'm not talking about being unprofessional on social media. That is a whole other topic. There's a great Medscape article about the many ways social media can lose you patients and respect. Examples include a doctor making racist comments about Michelle Obama or a nurse downplaying COVID on TikTok.

I'm talking about HIPAA violations, and there are some egregious examples — like publicly shaming a patient on social media or sharing protected information in a private group. It's never really private on the internet. If your hospital wants to find something out, they can if they look hard enough. HIPAA violations are serious. There's no denying that. You could wind up with a slap on the wrist or be placed on administrative leave. Other times you may face criminal charges or huge fines depending on the HIPAA violation.

You're probably thinking, Oh, I'd never be that dumb. This is common sense. But don't just shake your head right away because there are plenty of examples of inadvertent, well-intentioned HIPAA violations out there on social media. I have even been tempted to make social media public service announcements about patients I've seen who weren't vaccinated, weren't wearing a helmet or a seatbelt, or continued to vape when they had lung disease.

I recently made a meme about how some physicians or healthcare professionals are tempted to violate HIPAA on social media and then subsequently wind up getting fired. The messages I got in response to this meme inspired me to make this video because they showed me just how many people truly did not understand the scope of protected health information.


 

Protected health information comes in a variety of forms, and there are actually 18 unique identifiers. I can't name all 18, but two obvious ones are a patient's face and a patient's name. There are two other identifiers on the list that I see get thrown around on social media all the time: geographic location and hospital admission dates. Think about all those tags and descriptions on those Instagram posts. Also, number 18 on this list usually says something like, "Any unique patient characteristic identifier or code." Basically, anything that can be used to trace back who a particular patient is counts as protected health information, and sharing it is a HIPAA violation.


 

Now, in reading through the responses I got after posting the meme, I read about a lot of HIPAA violations where the person didn't actually know they did anything wrong.

There are some famous examples:

Think about all of the social media posts we've seen throughout the pandemic, across Instagram, Facebook, and Twitter. They were mostly responsible posts, but there were a lot of HIPAA violations. Posts about intubating patients included information like age and hospital location, and a post about coding a patient included the admission date.

Are you really going to fire a frontline medical provider who's trying to spread awareness about a pandemic, and who may just need some clear HIPAA training? Well, maybe you wouldn't fire this person, but the hospital definitely might.

My personal take? If I see a HIPAA violation on social media and it's not malicious and there is no malicious intent, I directly message that person and suggest they change the wording or just take the post down altogether. I do this regularly because there's a lot of content out there that tiptoes into that number 18 category on the unique HIPAA identifiers list.

I have a few questions for all of you. If you see a HIPAA violation on social media, do you report it? What do you do about it?

Also, are these really all fireable offenses across the board? HIPAA compliance is an ongoing part of our training. Why is there a disconnect between the rules and so much of what we see online?

Share your thoughts. Comment below.

Alok S. Patel, MD, is a pediatric hospitalist, television producer, media contributor, and digital health enthusiast. He splits his time between New York City and San Francisco, as he is on faculty at Columbia University/Morgan Stanley Children's Hospital and UCSF Benioff Children's Hospital. He hosts The Hospitalist Retort video blog on Medscape.
