A nurse’s video about working conditions during the COVID-19 pandemic sparked a HIPAA investigation, raising concerns about patient privacy and employee rights.
In April 2020, Lillian Udell, a nurse at Lincoln Hospital in the Bronx, shared a video with The Intercept detailing her experiences and those of her colleagues during the COVID-19 pandemic. The footage showed the severe shortages of protective equipment and ventilators and the emotional toll of caring for patients dying from the virus. Two colleagues in the video referenced Freda Ocran, a former head nurse at Jacobi Medical Center’s psychiatric unit, who died of COVID-19 at Lincoln Hospital.
While Ocran’s death had already been covered extensively in the media, the hospital launched an investigation, citing concerns that mentioning her name without family consent might violate HIPAA. Udell’s union representative revealed that the investigation could lead to discipline, temporary suspension, or legal consequences.
Udell compared the situation to selective enforcement of policies. “It’s kind of like getting a ticket for jaywalking when you’re around 50 other people jaywalking that aren’t getting a ticket,” she said.
Read also: Patient consent: What you need to know
HIPAA prohibits sharing protected health information (PHI), which includes any details that could potentially identify a patient, without explicit consent. Lincoln Hospital’s policies also ban employees from referencing patients or PHI in public forums without authorization, even if the information is indirectly identifiable.
The hospital argued that Ocran’s mention could be a privacy violation, despite her family having shared her story publicly in major outlets like CBS News and The Washington Post. Additionally, administrators cited potential breaches of internal media and press policies.
However, critics, including fellow healthcare workers, suggested the hospital was following HIPAA selectively. “I feel like a lot of hospitals are using HIPAA almost under the guise of patient protection,” said Kelley Cabrera, another nurse. “But really, it becomes more apparent that HIPAA is kind of being used to gag people.”
Related: HIPAA and social media rules
Healthcare organizations need to create environments where staff can advocate for change without fear of repercussions while maintaining compliance:
Hospital administrators must recognize the necessity of public advocacy while protecting patient privacy. As Pat Kane of the New York State Nurses Association said, “Nurses are patient advocates. Given the public health crisis the COVID-19 pandemic presents, the need of our members to speak out for the protection of public health could not be greater.”
Healthcare organizations can share patient success stories or testimonials on social media with patient consent. Ensure that the information shared is de-identified to protect patient privacy. That involves removing or altering details that could identify the patient.
De-identified healthcare information that cannot be linked to an individual is not subject to HIPAA restrictions. Healthcare professionals should ensure that any information shared on social media has been properly de-identified to protect patient confidentiality.
Healthcare professionals can respond to general inquiries or comments on social media if they do not disclose any patient-specific information. Responses should be general and avoid discussing individual cases or revealing PHI, even inadvertently.
See also: Social media & HIPAA compliance: The ultimate guide