Social media HIPAA violations: Nurse shares pandemic perspective
Farah Amod Nov 20, 2024 1:18:25 PM
A nurse’s video about working conditions during the COVID-19 pandemic sparked a HIPAA investigation, raising concerns about patient privacy and employee rights.
The incident
In April 2020, Lillian Udell, a nurse at Lincoln Hospital in the Bronx, shared a video with The Intercept detailing her experiences and those of her colleagues during the COVID-19 pandemic. The footage showed the severe shortages of protective equipment and ventilators and the emotional toll of caring for patients dying from the virus. Two colleagues in the video referenced Freda Ocran, a former head nurse at Jacobi Medical Center’s psychiatric unit, who died of COVID-19 at Lincoln Hospital.
While Ocran’s death had already been covered extensively in the media, the hospital launched an investigation, citing concerns that mentioning her name without family consent might violate HIPAA. Udell’s union representative revealed that the investigation could lead to discipline, temporary suspension, or legal consequences.
Udell compared the situation to selective enforcement of policies. “It’s kind of like getting a ticket for jaywalking when you’re around 50 other people jaywalking that aren’t getting a ticket,” she said.
What rules were violated
HIPAA prohibits sharing protected health information (PHI), which includes any details that could potentially identify a patient, without explicit consent. Lincoln Hospital’s policies also ban employees from referencing patients or PHI in public forums without authorization, even if the information is indirectly identifiable.
The hospital argued that Ocran’s mention could be a privacy violation, despite her family having shared her story publicly in major outlets like CBS News and The Washington Post. Additionally, administrators cited potential breaches of internal media and press policies.
However, critics, including fellow healthcare workers, suggested the hospital was following HIPAA selectively. “I feel like a lot of hospitals are using HIPAA almost under the guise of patient protection,” said Kelley Cabrera, another nurse. “But really, it becomes more apparent that HIPAA is kind of being used to gag people.”
How companies can avoid violations in the future
Healthcare organizations need to create environments where staff can advocate for change without fear of repercussions while maintaining compliance:
- Define clear boundaries: Regularly educate employees on what constitutes PHI and when it is permissible to reference patients in public or private forums.
- Support public advocacy: Balance advocacy and privacy by creating approved channels for staff to share their experiences, ensuring compliance with HIPAA and internal policies.
- Train on media interaction: Equip employees with the tools to speak about systemic issues without unintentionally breaching privacy laws.
- Adopt a consistent approach: Avoid selective enforcement of policies to maintain trust between staff and leadership.
Hospital administrators must recognize the necessity of public advocacy while protecting patient privacy. As Pat Kane of the New York State Nurses Association said, “Nurses are patient advocates. Given the public health crisis the COVID-19 pandemic presents, the need of our members to speak out for the protection of public health could not be greater.”
FAQs
Can healthcare organizations use social media to share patient success stories or testimonials?
Healthcare organizations can share patient success stories or testimonials on social media with patient consent. Ensure that the information shared is de-identified to protect patient privacy. That involves removing or altering details that could identify the patient.
Is de-identified healthcare information subject to HIPAA restrictions?
De-identified healthcare information that cannot be linked to an individual is not subject to HIPAA restrictions. Healthcare professionals should ensure that any information shared on social media has been properly de-identified to protect patient confidentiality.
Can healthcare professionals respond to patient inquiries or comments on social media without violating HIPAA?
Healthcare professionals can respond to general inquiries or comments on social media if they do not disclose any patient-specific information. Responses should be general and avoid discussing individual cases or revealing PHI, even inadvertently.