15+ Real-World Examples of Social Media HIPAA Violations


People use social media so often today, and there is no sign that it will slow down. Although it’s a fun activity, it increases the risk of data breaches.

In the first half of 2018, more than 56% of the 4.5 billion compromised data records were from social media incidents. Some of these were HIPAA violations from employees posting a patient’s protected health information (PHI) on the social web.

Some of these were accidental. Maybe PHI was in the background unknowingly. In some cases, employees don’t realize that what they’re posting is a HIPAA violation.

Online comments and images violate patient privacy even if they don’t mention the patient’s name.

Talking about PHI is always off-limits, and posting it online is as bad, if not worse. It has the potential to become widespread in a matter of minutes. 

Yet employees still share patient information.

Citadel Winston-Salem

TikTok - June 2021

Former nurse Kelly Morris posted videos onto TikTok involving jokes about mistreating patients.

Morris claimed that the videos were comedy skits and did not harm anyone in the videos. Her employer suspended her due to misuse and unprofessional use of social media platforms. The Citadel at Winston Salem said Morris’s behavior violates their core values and her actions were not tolerated.

Is this a HIPAA violation? Maybe.

The videos took place in the breakroom, front desk, or office space. Although there wasn't any identifiable information, many of her actions showed negligence and abusive behavior. 

Many nurses, healthcare workers, doctors, EMTs, and other individuals have commented on Morris’s videos. They explained how her content is not acceptable, appropriate, or humorous.

Morris was suspended and legal actions have been taken.

Spectrum Health

Instagram - March 2021

A group of resident doctors took pictures during operations and posted the images online. The pictures showcased body parts removed from patients.

Authorization was not obtained from the patients, and the doctors created public amusement at the expense of the patients. Thus, a judge could rule that the HIPAA Privacy Rule was not followed.

In some pictures, the patients were still on the operating table and the procedure was still in progress. Someone could potentially identify one of the patients through these pictures. On this argument, the doctors in question could have an issue with the HIPAA Privacy Rule.

Ballad Health

Online - October 2020

Employees at Ballad Health in Tennessee posted a photo of an individual undergoing surgery while the surgeons wore a racing helmet.

The post's description included the hashtag “wear your helmet to work”.

The photo didn’t include any identifiable features and is not a HIPAA violation. 

Ballad Health stated that the actions were unacceptable and violated internal policies. The organization stated that they are taking measures with the care provider. 

Norton Healthcare EMT

Facebook - September 2020

Protestors stormed the streets of many major cities throughout the summer of 2020 demanding racial reform. The public unrest happened because of the gruesome videos of George Floyd and Breonna Taylor. The significance of those incidents led to HIPAA violations.

After Breonna Taylor’s case came to a conclusion, a report came out stating that Norton Healthcare placed one of their EMTs, Will Smith, on leave. After treating one of the officers at the crime scene, Smith posted on Facebook that he felt like he “saved a monster.” There hasn’t been any further discipline reported, but this case is similar to another within this blog post.

Lincoln Hospital

YouTube - April 2020

Nurse Lillian Udell shared a video with online publication The Intercept. Throughout the video, she interviewed her coworkers about working at a hospital during the COVID-19 pandemic.

Each of her coworkers identifies themselves and speaks about hardships they all had to overcome while working during a crisis. About midway through the video, one of Udell’s coworkers expresses that if the hospital had the resources that they requested, “Ms. Ocran would still be alive.”

The video then cuts to a CBS story that covered the late Freda Ocran, a former head nurse at Jacobi Medical Center who died from COVID-19 at Lincoln Hospital.

By the time the video reached YouTube, Ocran’s tragic death had already made national news.

However, Udell confirmed with The Intercept that the hospital informed her of the potential violation and that they’re investigating it. She also received notices regarding the hospital’s social media policy.

The investigation could take up to 18 months to conclude.

Hospital Corporation of America (HCA)

Facebook Group - March 2020

An internal memo from Hospital Corporation of America (HCA) leaked to Business Insider in April 2020. The email, originally sent to all employees in March, detailed the health conglomerate’s newest addition to its social media policy.

In essence, the policy stated that HCA could discipline or terminate staff for posting information on the social web about treating patients with COVID-19.

As a result, the organization immediately suspended nurse Jhonne Porter for a discussion she held in a private Facebook group with her colleagues. The conversation mentioned that the hospital she worked at turned an entire floor into one for treating patients with the disease.

Porter maintains that she didn’t leak any protected health information and that her punishment is the result of whistleblowing over equipment shortages.

Grady Hospital

Facebook Group - November 2019

In November 2019, a news investigation dredged up an online EMS Facebook group that contained gruesome content. The group had over 23,000 members, most of whom were emergency responders. The community would regularly post uncensored videos and pictures of scenes they’d visit while on the job.

The investigation also concluded that Facebook had already shut down the group twice for violating terms and conditions. Admins pinned a series of posts, visible to all members, that stated the rules on reporting content: “If you report a post because you don't know how to scroll past it, the post will stay and you will be removed.”

The news team who originally found the community reached out to Facebook, which disbanded it for the third time. However, members quickly created a new group with a different name and let others know of its existence.

The owner of the group worked for Grady Hospital as a paramedic at the time of the investigation and has since been let go. The organization stated it was the second time in six months that the admin received discipline for posting about patients on social media.

Elite Dental Associates

Yelp - October 2019

The Office for Civil Rights (OCR) fined Elite Dental Associates for disclosing PHI on Yelp.

Yelp is a social media platform for reviewing businesses. Elite responded to one review with a patient’s name, treatment plan details, and information on the patient’s insurance and treatment cost. 

The patient complaint launched an OCR investigation. This uncovered previous similar comments on Yelp from Elite. Elite had to pay $10,000 to settle the complaint in October 2019.

Elite was lucky that the fine was this low because each violation could have cost $50,000. Since Elite had multiple uncorrected violations with unreasonable cause, the penalty could have been up to $1.5 million.

MUSC Health

Unspecified - August 2019

An employee from MUSC Health posted a photo of an infant patient with words printed across her face. 

The employee posted the photo without permission. MUSC Health notified the parent immediately after the hospital learned of the post. 

The health organization officials informed the parent that “appropriate action was taken,” though they couldn’t elaborate on the employee’s consequences or provide details of the image.

MUSC Health does not release specifics on HIPAA breaches due to privacy and confidentiality laws. But they did say that they have a zero-tolerance policy and have fired employees in the past for violations.

Even though this incident was surprising to the baby’s mother, she had received letters before about privacy violations at MUSC Health.

This was MUSC Health’s sixth violation related to social media in three years.

Glenview Nursing Home

Snapchat Story - August 2019

In August of 2019, Chicago local news reported that Glenview nursing homes faced a lawsuit for violating the Nursing Home Care Act, HIPAA, and other state privacy laws.

The case surfaced because of a video of a Snapchat post in December 2018 that showed two employees taunting a 91-year-old resident suffering from dementia. 

Staff members of the nursing home knew that the victim didn’t like hospital gowns. However, 

The video showed two employees taunting a 91-year-old resident suffering from dementia by waving a hospital gown in front of her. It turned out that the two employees who uploaded the video were significant others. Due to their gross negligence of the HIPAA Privacy Rule, the nursing home terminated both of them.

Texas Children’s Hospital

Facebook Group - May 2019

Texas Children’s Hospital fired a nurse who posted details of a patient’s conditions to a Facebook group.

The pediatric patient was too young to receive the measles vaccination before he contracted the rare disease. When he went to the hospital, he had a painful rash and a high fever. 

The nurse posted details of the boy’s condition to an anti-vaccination support group on Facebook. She said that his condition didn’t change her stance, but she could understand why parents vaccinate out of fear for these conditions. 

While she did not include the child’s name, her Facebook profile listed where she worked. One parent in the group had a child at the same hospital. Worried about exposure to the disease, the parent posted screenshots to the hospital’s Facebook page. 

The hospital launched an investigation and immediately suspended the nurse. The nurse then deleted some of her comments, but the hospital fired her for posting PHI.

Northwestern Medical Regional Group

Twitter - March 2019

Northwestern Medical Regional Group failed to inform a patient about the privacy breach of her medical records. Patient Gina Graziano learned of the breach herself when she saw her records on Twitter. 

The employee behind this social media HIPAA violation was Jessica Wagner, the girlfriend of Graziano’s ex-boyfriend.

Wagner accessed Graziano’s medical records, charts, and files without authorization. Graziano’s ex-boyfriend then posted information from the records on Twitter.

The hospital fired Wagner for violating HIPAA. Graziano filed a lawsuit against the hospital, Wirth, and Wagner. The couple was not charged in this case. 

Wagner told the police that someone else used her computer to access the records after she logged in. This wasn't true, but even if it was, employees cannot leave computers with PHI unlocked for anyone to view. 

UC Davis Health

Facebook Comment - November 2018

Tragedy struck in September of 2018 when local California news outlets reported that a 3-year-old girl was a bystander of a drive-by shooting at her home. Emergency responders rushed the victim to UC Davis Medical Center. Just a few days after the event, she passed away.

One month later, in October, one of the hospital’s employees commented on a news story posted on Facebook about their daughter. The comment contained “limited information” about the victim’s medical status.

UC Davis found out about the post from a complaint that launched an investigation. They determined that the perpetrator accessed the toddler’s medical record one day after she came to the hospital. The big takeaway during all of this was that the employee wasn’t authorized to look at the data.

In November, UC Davis Health sent a letter to the victim’s family notifying them of what transpired and that they took corrective action against the employee.

South Carolina Hospice/Home Healthcare

Instagram Direct Message - July 2018

Ashley Jacobs lived in South Carolina while starring in the reality show Southern Charm. She also worked as a hospice nurse and home healthcare aide during this time.

Jacobs sent a video to a fan through an Instagram direct message that included one of her patients, a non-verbal pediatric patient. The fan reported the video to the South Carolina board of nursing for violating HIPAA.

Her fans also encouraged her to post pictures with her patients. She mentioned that this would violate HIPAA regulations, but she posted pictures anyway.

Roane County EMS

Facebook Post - May 2018

Leon Raymond’s grandson and wife, Kathy, found him unresponsive after a heart attack in a chicken coop. His grandson called 911 while Kathy attempted to revive him. 

The Roane County emergency medical response (EMS) team performed CPR on him but failed to revive him.

Afterward, an EMS worker posted on Facebook about the strange location of the incident. The worker wrote:

“Well, we had a first...We worked a code in a chicken coop! Knee deep in chicken droppings.”

Kathy complained and considered a lawsuit because it was insensitive and unprofessional. The post didn’t mention Leon’s name, but Kathy said that “everybody knows where my husband died,” so people would know that it referred to her husband.

County Executive Ron Woody apologized for the incident. The county attorney didn’t think the post was a HIPAA violation, but he agreed that it was inappropriate. 

Woody said they consulted the employee and met with the EMS team about keeping business and personal matters separate.

New York-Presbyterian Hospital

Instagram Image - January 2014

Katie Duke was an ER nurse who used to work at New York-Presbyterian Hospital. At the time, she gained some popularity and fame by starring as one of the nurses in ABC’s hospital documentary series entitled New York Med.

Towards the end of June 2014, she uploaded a photo of the room where she had just treated a man who got hit by a subway train. The photo had the caption, “Man vs. 6 train.”

Later that same week, the hospital announced that she was no longer employed. The show didn’t go into detail about what happened to her; it only contained a scene in which she was shown sobbing after hearing the news.

However, she held an interview with ABC News to go over what happened in greater detail and stated that she wasn’t accused of violating the patient’s HIPAA right to privacy.

Indiana

Facebook Post - January 2014

A patient care technician in northwest Indiana posted PHI of a former high school friend. The technician released the friend’s full name, date of birth, and that they had the sexually transmitted disease HPV. The post stated that the employee wanted to “expose” the friend.

After the friend informed a nursing supervisor of the post, she received a letter from the hospital. While it didn’t give specifics, it stated that the hospital took action based on their policies and procedures.

Conclusion

Whether employees don’t understand what violates HIPAA, or they don’t care, some still neglect following the rules for likes on the social web.

The stories discussed in this blog post stem from a lack of employee training. Properly trained employees understand what violates a patient’s privacy. As a result, they’re more cautious when posting.

Don’t let this blog post scare you from using social media if you work within healthcare. Just know that there are both pros and cons to evaluate.

Employees can only use or disclose PHI when the HIPAA Privacy Rule permits or requires it, or with the authorized individual’s signature. This also holds true for celebrities and public figures.

If you don’t have written consent to share information about a patient, even if it doesn’t mention the patient’s name, don’t post it.