A patient’s private medical information was shared on Twitter by an unauthorized hospital employee, raising questions about privacy protections and hospital accountability.
In March 2019, Gina Graziano discovered her private medical records had been accessed without her consent and shared on Twitter. The unauthorized access was carried out by Jessica Wagner, an employee at Northwestern Medical Regional Group, who used her credentials to view Graziano’s records. Wagner then provided the information to her boyfriend, David Wirth, who posted it online.
Graziano was not informed of the breach and found out only after seeing the posts on Twitter. Feeling humiliated and betrayed, she contacted Northwestern Medical Regional Group to report the breach. Following an investigation, Wagner was fired for violating patient privacy, but the incident led Graziano to file a lawsuit against Northwestern, Wagner, and Wirth.
“It’s a complete invasion of my privacy,” Graziano said. “Northwestern needs better policies in place for their staff to understand what HIPAA really means.”
The unauthorized access and disclosure of Graziano’s medical records violated the Health Insurance Portability and Accountability Act (HIPAA), which mandates that patient health information (PHI) remain confidential and be accessed only for legitimate purposes. Wagner’s use of her credentials to retrieve Graziano’s records, coupled with the subsequent social media post, represented a direct breach of federal law and Northwestern’s internal privacy policies.
Attorney Ted Diamantopoulos, representing Graziano, stated, “When a patient goes to a hospital, they expect to have their medical records private.” Northwestern Medical acknowledged the unauthorized access in a letter to Graziano, but the hospital’s delayed notification of the breach added to Graziano’s frustration and mistrust.
Healthcare organizations must take stronger measures to prevent similar breaches of patient privacy:
Graziano’s case serves as a reminder of the damage caused by privacy violations. Hospitals must prioritize stringent data protection measures to safeguard patient trust. “Protecting the confidentiality of patient information is essential to our mission,” Northwestern Medical stated. Ensuring this mission is upheld requires proactive measures to prevent and respond to breaches effectively.
Related: HIPAA and social media rules
Healthcare organizations can share patient success stories or testimonials on social media with patient consent. Ensure that the information shared is de-identified to protect patient privacy. That involves removing or altering details that could identify the patient.
De-identified healthcare information that cannot be linked to an individual is not subject to HIPAA restrictions. Healthcare professionals should ensure that any information shared on social media has been properly de-identified to protect patient confidentiality.
Healthcare professionals can respond to general inquiries or comments on social media if they do not disclose any patient-specific information. Responses should be general and avoid discussing individual cases or revealing PHI, even inadvertently.