In the first half of 2018 alone, more than 56% of the 4.5 billion compromised data records were tied to social media incidents. These breaches can range from seemingly harmless mistakes, like employees accidentally including protected health information (PHI) in a social media post, to intentional acts, such as sharing sensitive patient details for personal gain or amusement.
Addressing this issue, OCR Director Melanie Fontes Rainer stated: “OCR continues to receive complaints about health care providers disclosing their patients’ protected health information on social media or the internet. Simply put, this is not allowed. The HIPAA Privacy Rule expressly protects patients from this type of activity, which violates both patient trust and the law. OCR will investigate and take action against such impermissible disclosures, no matter how large or small the organization.”
The blurred lines of HIPAA compliance
According to Medsafe, “social media is one of the main avenues where breaches of protected health information (PHI) occur for healthcare organizations.” This suggests that many healthcare professionals may not fully comprehend the extent of HIPAA regulations when it comes to social media usage. Even seemingly innocuous comments or images can constitute a violation, as patient privacy can be compromised without explicitly mentioning the patient's name.
Cautionary tales: Real-world examples of social media HIPAA violations
Citadel Winston-Salem: TikTok missteps
In June 2021, former nurse Kelly Morris faced suspension from her employer, Citadel Winston-Salem, for posting videos on TikTok that involved jokes about mistreating patients. While Morris claimed the videos were mere comedy skits and did not harm anyone, her employer deemed the content a violation of their core values and took appropriate disciplinary action.
Ballad Health: Helmet hijinks
In October 2020, employees at Ballad Health in Tennessee posted a photo of an individual undergoing surgery while the surgeons wore a racing helmet. Although the post did not include any identifiable features, Ballad Health deemed the actions unacceptable and a violation of internal policies.
Lincoln Hospital: Pandemic perspectives
In April 2020, nurse Lillian Udell shared a video with the online publication The Intercept, interviewing her coworkers about the hardships they faced while working during the COVID-19 pandemic. While the video did not explicitly mention patient names, one of Udell's coworkers made a statement that could be seen as a potential HIPAA violation, leading to an investigation by the hospital.
Grady Hospital: Gruesome gratification
According to the Journal of AHIMA, Facebook groups are “no exception.” In November 2019, a news investigation uncovered an online EMS Facebook group with over 23,000 members, most of whom were emergency responders. The group regularly posted uncensored videos and pictures of the scenes they encountered while on the job, a clear violation of patient privacy. The owner of the group, who worked as a paramedic at Grady Hospital, was disciplined for the second time in six months for posting about patients on social media.
Elite Dental Associates: Yelp woes
In October 2019, the Office for Civil Rights (OCR) fined Elite Dental Associates for disclosing PHI on Yelp, a social media platform for reviewing businesses. The organization had responded to a patient's review with details about their treatment plan, insurance, and cost, leading to a HIPAA violation investigation and a $10,000 settlement.
MUSC Health: Infant indiscretion
In August 2019, an employee from MUSC Health posted a photo of an infant patient with words printed across the child's face, without obtaining permission from the parent. This incident marked MUSC Health's sixth social media-related HIPAA violation in three years, despite the organization's zero-tolerance policy and past disciplinary actions. The Journal of AHIMA suggests that “Healthcare professionals must always think critically about what they are posting on social media and take HIPAA, state, federal, or local laws into consideration first, while also carefully reviewing their internal organizational guidelines before posting anything online.”
Glenview Nursing Home: Snapchat scandal
In August 2019, a lawsuit was filed against Glenview Nursing Home for violating the Nursing Home Care Act, HIPAA, and other state privacy laws. The case stemmed from a Snapchat video that showed two employees taunting a 91-year-old resident suffering from dementia by waving a hospital gown in front of her.
Texas Children's Hospital: Vaccination controversy
In May 2019, Texas Children's Hospital fired a nurse who posted details of a pediatric patient's measles condition to an anti-vaccination support group on Facebook. While the nurse did not include the child's name, her Facebook profile listed her workplace, potentially compromising the patient's privacy. The Journal of AHIMA notes, “Posting patient information online, even in a private community, is problematic from a healthcare regulatory compliance perspective.”
Northwestern Medical Regional Group: Twitter transgression
In March 2019, Northwestern Medical Regional Group failed to inform a patient, Gina Graziano, about the privacy breach of her medical records. Graziano's ex-boyfriend's girlfriend, Jessica Wagner, had accessed Graziano's records without authorization and then posted the information on Twitter, leading to the hospital's termination of Wagner's employment.
Lessons learned
Enhancing HIPAA awareness and training
A recurring issue in these incidents is a lack of understanding of HIPAA guidelines, particularly around social media use. Effective training programs should go beyond generic HIPAA overviews to include:
- Scenario-based training: Use examples like those from Citadel Winston-Salem or Ballad Health to illustrate how seemingly harmless actions on social media can lead to severe consequences.
- Guidance on gray areas: Clarify what constitutes PHI and why even indirect disclosures, such as workplace details, can pose risks.
- Regular refreshers: Offer mandatory quarterly sessions to address trends, such as platform-specific risks (e.g., TikTok challenges or Snapchat content).
Developing clear social media policies
Healthcare organizations need detailed social media policies tailored to their operational realities. Specific examples include:
- Explicit prohibitions: Ban sharing patient-related content, even if identifying details are omitted, as seen in the MUSC Health and Texas Children's Hospital cases.
- Guidelines for professional boundaries: Educate employees on separating personal and professional lives on platforms like Facebook and Twitter to prevent incidents such as the Grady Hospital EMS group misuse.
- Platform-specific rules: Include policies for platforms that use transient content, like Snapchat, stressing that temporary visibility does not negate HIPAA compliance.
Fostering a culture of accountability
Accountability must extend beyond punitive measures. Encourage a proactive, supportive environment where employees feel comfortable seeking guidance. Key strategies include:
- Approval mechanisms: Implement a system where employees can submit proposed posts for review by supervisors or compliance officers. This reduces stress and avoids "guessing" whether a post is compliant.
- Reporting channels: Provide confidential ways to report potential violations or seek clarification without fear of retaliation.
- Leadership modeling: Leaders should demonstrate HIPAA-compliant behavior, reinforcing the organization’s commitment to patient privacy.
FAQs
Can healthcare organizations address patient queries on social media platforms?
Healthcare organizations should refrain from discussing specific patient health details on social media. Encourage patients to use secure communication channels or contact their healthcare provider directly for personalized inquiries.
Is it acceptable to share general health tips and updates on social media?
Yes, sharing general health information is fine, but avoid examples that might inadvertently reveal patient-specific details.
Can healthcare services be advertised on social media platforms?
Yes, but ensure advertisements avoid disclosing patient-specific details to comply with HIPAA guidelines.