A photo of a baby shared online by a MUSC Health employee without parental consent illustrated ongoing issues with HIPAA compliance and social media misuse.
The situation
In August 2019, MUSC Health notified Elizabeth Runge that a photo of her 10-month-old daughter, Maddison, had been shared on social media by an employee. The image, which had words imprinted over Maddison’s face, was posted without Runge’s knowledge or consent, violating HIPAA and the hospital’s policies.
The unauthorized post deeply unsettled Runge, whose daughter has cerebral palsy. “I just think that would creep any parent out, and it makes me feel very violated,” Runge said.
This was not the family’s first experience with a HIPAA breach at MUSC Health. Less than a year earlier, Runge’s medical information was announced aloud in a waiting room, leading to another confirmed violation. “Two incidents with the same family in under a year? That’s just unacceptable,” she said.
MUSC Health, which averages over 1.2 million patient encounters annually, acknowledged the incident and apologized but declined to provide details about the employee or the social media post. The hospital confirmed this was its sixth social media-related HIPAA violation in three years, despite a zero-tolerance policy.
What rules were violated
The incident violated the HIPAA Privacy Rule, which prohibits disclosing protected health information (PHI) without the patient's authorization. A full-face photograph of a patient is itself one of the identifiers that make information PHI, so the image could not be posted without the parent's authorization. MUSC's own policies go further, banning any social media activity involving patients without explicit consent.
Repeated violations suggest potential weaknesses in MUSC Health’s enforcement and training practices. While the hospital has taken disciplinary action, including firing employees for similar breaches, such incidents reflect systemic challenges in preventing misuse.
How companies can avoid violations in the future
To prevent similar issues, healthcare organizations should adopt stronger preventative measures:
- Provide HIPAA training: Regular and specific training sessions should stress the risks of social media misuse, using real-life examples to illustrate the consequences.
- Create stricter oversight: Implement clear rules prohibiting unauthorized photography in patient care areas and limit access to personal devices during work hours.
- Consistently enforce policies: Ensure all violations result in clear and consistent consequences to reinforce the seriousness of the rules.
- Improve patient communication: Be transparent with affected families by explaining breaches and detailing the actions taken to prevent recurrence.
- Adopt proactive monitoring: Use tools and processes to flag potential violations before they escalate, for example by reviewing content before it is posted to official accounts and by watching public platforms for posts that mention the organization or its patients.
“I’m in the medical profession, so I understand mistakes can happen,” Runge said. “But this is the second time, and it’s my child’s privacy at stake.”
These incidents underline the necessity of fostering a culture of accountability and respect for patient privacy. Stronger preventative measures and consistent enforcement are needed to rebuild trust and avoid further breaches.
FAQs
Can healthcare organizations use social media to share patient success stories or testimonials?
Healthcare organizations can share patient success stories or testimonials on social media only with the patient's written authorization. Where that authorization is not obtained, the content must be de-identified before posting, which means removing or altering every detail that could identify the patient, not just the name.
Is de-identified healthcare information subject to HIPAA restrictions?
De-identified healthcare information that cannot be linked to an individual is not subject to HIPAA restrictions. HIPAA recognises two ways to get there: remove all of the identifiers listed in the Safe Harbor rule (names, dates other than year, contact details, record numbers, full-face photographs and the rest), or obtain a documented expert determination that the risk of re-identification is very small. Healthcare professionals should confirm that one of these has actually been applied before anything is shared on social media.
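As an added illustration of the de-identification point above and of the "proactive monitoring" recommendation in the earlier list, the following Python script is a pre-publication check for draft social media posts. It is example code written for this article, not a tool MUSC Health or any vendor uses. It flags a subset of the Safe Harbor identifiers that can be recognised lexically (dates, phone numbers, e-mail addresses, SSNs, record numbers, ZIP codes, ages over 89) and redacts them. The draft posts are constructed for the example. Names and photographs cannot be caught this way, so a hit-free result is not a substitute for written authorization or human review.

```python
import re

# Regexes for a subset of the HIPAA Safe Harbor identifiers (45 CFR 164.514(b)(2))
# that can be recognised lexically in free text. This is a heuristic pre-publication
# gate, not a de-identification method: names, photographs and indirect clues
# ("the only boy on ward 4") are not detectable here and still need human review.
PATTERNS = {
    # Any date element other than a bare year: 08/14/2019, 2019-08-14, Aug 14, 2019
    "date": re.compile(
        r"\b(?:\d{1,2}[/-]\d{1,2}[/-]\d{2,4}"
        r"|\d{4}-\d{2}-\d{2}"
        r"|(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\.? \d{1,2}(?:, \d{4})?)\b"
    ),
    # North American phone numbers with common separators
    "phone": re.compile(r"\b(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # Medical record / patient identifiers written as "MRN 4421077", "patient id: 12345"
    "mrn": re.compile(
        r"\b(?:MRN|medical record(?: number)?|patient id)\s*[:#]?\s*\d{5,}\b", re.I
    ),
    # Five-digit ZIP codes; Safe Harbor only allows the first three digits, and
    # only for sufficiently populous areas, so any full ZIP is flagged for review
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    # Safe Harbor requires ages over 89 to be aggregated into "90 or older"
    "age_over_89": re.compile(
        r"\b(?:(?:9\d|1\d{2})[ -](?:year|yr)s?[ -]old|aged?\s+(?:9\d|1\d{2}))\b", re.I
    ),
}


def find_phi_indicators(text):
    """Return a list of (category, matched_text) for every identifier found."""
    hits = []
    for category, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((category, match.group(0)))
    return hits


def is_publishable(text):
    """True only when the scanner finds nothing; a human reviewer still signs off."""
    return not find_phi_indicators(text)


def redact(text):
    """Replace each detected identifier with a bracketed category label."""
    for category, pattern in PATTERNS.items():
        text = pattern.sub(f"[{category.upper()}]", text)
    return text


# Constructed sample drafts for the example (not real posts or patients).
DRAFT_BAD = (
    "Great day with our 10-month-old patient Maddison! She went home on 08/14/2019 "
    "after a great recovery. Families can reach the clinic at 843-555-0100 or "
    "clinic@example.org. Ref MRN 4421077."
)
DRAFT_OK = (
    "Our pediatric rehab team celebrated another milestone this summer. "
    "Thanks to all the families who trust us with their care."
)

if __name__ == "__main__":
    for draft in (DRAFT_BAD, DRAFT_OK):
        hits = find_phi_indicators(draft)
        status = "OK to send for review" if not hits else "BLOCKED"
        print(f"{status}: {hits}")
        if hits:
            print("Redacted draft:", redact(draft))
```

Note that the first draft is blocked for the date, phone number, e-mail address and record number, but the patient's first name passes untouched; that gap is exactly why the scanner gates the post rather than approving it, and why the consent and authorization checks in the text above still apply.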
Can healthcare professionals respond to patient inquiries or comments on social media without violating HIPAA?
Healthcare professionals can respond to general inquiries or comments on social media if they do not disclose any patient-specific information. Responses should be general and avoid discussing individual cases or revealing PHI, even inadvertently.