Social media HIPAA violation series: Twitter disclosure
Farah Amod Dec 5, 2024 3:46:49 PM
A patient’s private medical information was shared on Twitter by an unauthorized hospital employee, raising questions about privacy protections and hospital accountability.
The situation
In March 2019, Gina Graziano discovered her private medical records had been accessed without her consent and shared on Twitter. The unauthorized access was carried out by Jessica Wagner, an employee at Northwestern Medical Regional Group, who used her credentials to view Graziano’s records. Wagner then provided the information to her boyfriend, David Wirth, who posted it online.
Graziano was not informed of the breach and found out only after seeing the posts on Twitter. Feeling humiliated and betrayed, she contacted Northwestern Medical Regional Group to report the breach. Following an investigation, Wagner was fired for violating patient privacy, but the incident led Graziano to file a lawsuit against Northwestern, Wagner, and Wirth.
“It’s a complete invasion of my privacy,” Graziano said. “Northwestern needs better policies in place for their staff to understand what HIPAA really means.”
What rules were violated
The unauthorized access and disclosure of Graziano’s medical records violated the Health Insurance Portability and Accountability Act (HIPAA), which mandates that protected health information (PHI) remain confidential and be accessed only for legitimate purposes. Wagner’s use of her credentials to retrieve Graziano’s records, coupled with the subsequent social media post, represented a direct breach of federal law and Northwestern’s internal privacy policies.
Attorney Ted Diamantopoulos, representing Graziano, stated, “When a patient goes to a hospital, they expect to have their medical records private.” Northwestern Medical acknowledged the unauthorized access in a letter to Graziano, but the hospital’s delayed notification of the breach added to Graziano’s frustration and mistrust.
How companies can avoid violations in the future
Healthcare organizations must take stronger measures to prevent similar breaches of patient privacy:
- Enhance monitoring of access logs: Implement monitoring systems to track who accesses patient records and flag unusual activity, such as prolonged viewing of a single record or access by employees outside their assigned roles.
- Provide frequent HIPAA training: Conduct ongoing, scenario-based training to reinforce the importance of patient privacy and the consequences of violations.
- Enforce strict access controls: Limit employees’ access to patient records based on their specific roles and responsibilities. Require periodic audits to ensure access privileges are appropriate.
- Strengthen breach notification protocols: Notify affected patients immediately when a breach occurs, providing transparency and maintaining trust.
- Encourage a culture of accountability: Stress that any misuse of patient data will result in disciplinary actions, including termination, and establish clear processes for reporting concerns.
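One way to implement the access-log check from the first point above, as an added example that is not Northwestern's or any vendor's tooling: it reads constructed EHR audit lines and flags the two patterns the list names, access outside the employee's assigned role and prolonged viewing of a single chart. The log format, the role-to-department mapping and the ten-minute threshold are assumptions.

```python
"""Flag EHR access-log entries matching two review patterns: access outside the
employee's assigned role, and prolonged viewing of a single record.
Log layout, role mapping and threshold are assumed, not a real hospital's."""
from dataclasses import dataclass
from datetime import datetime

# Assumed mapping: departments whose charts each role may legitimately open
ROLE_ALLOWED_DEPARTMENTS = {
    "ER_NURSE": {"emergency"},
    "BILLING_CLERK": {"emergency", "oncology", "cardiology"},  # billing spans units
    "CARDIOLOGY_MD": {"cardiology"},
}

PROLONGED_VIEW_SECONDS = 600  # assumed threshold: ten minutes on one chart


@dataclass
class AccessEvent:
    timestamp: datetime
    user: str
    role: str
    patient_id: str
    patient_department: str  # unit treating the patient whose chart was opened
    seconds_open: int


def parse_line(line: str) -> AccessEvent:
    """Parse one constructed log line: ISO timestamp plus comma-separated fields."""
    ts, user, role, patient_id, dept, secs = [f.strip() for f in line.split(",")]
    return AccessEvent(datetime.fromisoformat(ts), user, role, patient_id, dept, int(secs))


def flag_events(lines):
    """Return (user, patient_id, reason) for every entry a privacy officer should review."""
    findings = []
    for ev in map(parse_line, lines):
        # Unknown roles get an empty allow-set, so they are flagged too
        allowed = ROLE_ALLOWED_DEPARTMENTS.get(ev.role, set())
        if ev.patient_department not in allowed:
            findings.append((ev.user, ev.patient_id, "outside-role access"))
        if ev.seconds_open > PROLONGED_VIEW_SECONDS:
            findings.append((ev.user, ev.patient_id, "prolonged viewing"))
    return findings


SAMPLE_LOG = [  # constructed lines, not real patient or employee data
    "2019-03-02T09:14:00, jdoe, ER_NURSE, P-1001, emergency, 120",
    "2019-03-02T09:20:00, jdoe, ER_NURSE, P-2042, cardiology, 45",  # chart outside her unit
    "2019-03-02T10:05:00, mlee, CARDIOLOGY_MD, P-2042, cardiology, 900",  # 15 min on one chart
    "2019-03-02T10:30:00, bkim, BILLING_CLERK, P-1001, emergency, 30",
]

if __name__ == "__main__":
    for finding in flag_events(SAMPLE_LOG):
        print(*finding)
```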
Graziano’s case serves as a reminder of the damage caused by privacy violations. Hospitals must prioritize stringent data protection measures to safeguard patient trust. “Protecting the confidentiality of patient information is essential to our mission,” Northwestern Medical stated. Ensuring this mission is upheld requires proactive measures to prevent and respond to breaches effectively.
FAQs
Can healthcare organizations use social media to share patient success stories or testimonials?
Healthcare organizations can share patient success stories or testimonials on social media with patient consent. Ensure that the information shared is de-identified to protect patient privacy. That involves removing or altering details that could identify the patient.
Is de-identified healthcare information subject to HIPAA restrictions?
De-identified healthcare information that cannot be linked to an individual is not subject to HIPAA restrictions. Healthcare professionals should ensure that any information shared on social media has been properly de-identified to protect patient confidentiality.
Can healthcare professionals respond to patient inquiries or comments on social media without violating HIPAA?
Healthcare professionals can respond to general inquiries or comments on social media if they do not disclose any patient-specific information. Responses should be general and avoid discussing individual cases or revealing PHI, even inadvertently.