A photo of a baby shared online by a MUSC Health employee without parental consent illustrated ongoing issues with HIPAA compliance and social media misuse.
In August 2019, MUSC Health notified Elizabeth Runge that a photo of her 10-month-old daughter, Maddison, had been shared on social media by an employee. The image, which had words imprinted over Maddison’s face, was posted without Runge’s knowledge or consent, violating HIPAA and the hospital’s policies.
The unauthorized post deeply unsettled Runge, whose daughter had cerebral palsy. “I just think that would creep any parent out, and it makes me feel very violated,” Runge said.
This was not the family’s first experience with a HIPAA breach at MUSC Health. Less than a year earlier, Runge’s medical information was announced aloud in a waiting room, leading to another confirmed violation. “Two incidents with the same family in under a year? That’s just unacceptable,” she said.
MUSC Health, which averages over 1.2 million patient encounters annually, acknowledged the incident and apologized but declined to provide details about the employee or the social media post. The hospital confirmed this was its sixth social media-related HIPAA violation in three years, despite a zero-tolerance policy.
The incident violated HIPAA regulations, which strictly prohibit the unauthorized sharing of patient information, including photographs. MUSC’s policies further ban any social media activity involving patients without explicit consent.
Repeated violations suggest potential weaknesses in MUSC Health’s enforcement and training practices. While the hospital has taken disciplinary action, including firing employees for similar breaches, such incidents reflect systemic challenges in preventing misuse.
To prevent similar issues, healthcare organizations should adopt stronger preventative measures:
“I’m in the medical profession, so I understand mistakes can happen,” Elizabeth said. “But this is the second time, and it’s my child’s privacy at stake.”
These incidents underline the necessity of fostering a culture of accountability and respect for patient privacy. Stronger preventative measures and consistent enforcement are needed to rebuild trust and avoid further breaches.
Healthcare organizations can share patient success stories or testimonials on social media with patient consent. Ensure that the information shared is de-identified to protect patient privacy, which may involve removing or altering details that could identify the patient.
De-identified healthcare information that cannot be linked to an individual is not subject to HIPAA restrictions. Healthcare professionals should ensure that any information shared on social media has been properly de-identified to protect patient confidentiality.
Healthcare professionals can respond to general inquiries or comments on social media if they do not disclose any patient-specific information. Responses should be general and avoid discussing individual cases or revealing PHI, even inadvertently.