A nurse’s social media post about a pediatric measles patient led to her termination and showcased the risks of sharing patient information online.
The situation
In May 2019, a nurse at Texas Children’s Hospital, referred to as Ms. N, shared details about a pediatric measles case in a private Facebook group for anti-vaccination supporters. The post described the toddler’s symptoms and condition but did not include the child’s name. However, Ms. N’s Facebook profile listed her place of employment, allowing others to infer information about the patient’s identity.
Ms. N, shaken by the severity of the child’s illness, shared her experience to caution fellow group members about the realities of the disease. “The kid was super sick—sick enough to be admitted to the ICU,” she wrote, noting how the case almost challenged her anti-vaccination views.
A parent who recognized the hospital from Ms. N’s profile raised concerns about potential exposure and reported the post. The hospital launched an investigation, ultimately firing Ms. N three days later for breaching HIPAA’s privacy rule and hospital policy.
Read more: What is the HIPAA Privacy Rule?
What rules were violated
The HIPAA privacy rule protects patient information, requiring healthcare workers to treat all identifiable health details as confidential. Even though Ms. N omitted the child’s name, the combination of the disease, the hospital, and her workplace association made the patient indirectly identifiable.
Texas Children’s Hospital stated that Ms. N’s actions violated its privacy policies and breached the trust patients place in the institution. Sharing seemingly anonymized details online can be enough to compromise patient confidentiality, especially in rare cases like this one, where the disease’s low prevalence made identification easier.
How companies can avoid violations in the future
Healthcare organizations must ensure employees understand the boundaries of patient privacy and social media usage. Steps to prevent similar incidents include:
- Strengthen social media policies: Prohibit any sharing of patient-related information on social media, even in private or closed groups.
- Provide targeted training: Regularly educate staff on what constitutes protected health information (PHI) and how sharing it, even without names, can lead to violations.
- Promote awareness of indirect identifiers: Train employees to recognize how seemingly harmless details, like workplace associations or rare conditions, can make patients identifiable.
- Foster a privacy-first culture: Encourage staff to separate their personal beliefs from their professional responsibilities and stress patient trust.
- Implement accountability measures: Actively monitor and address policy violations to maintain a consistent standard of patient privacy.
Related: HIPAA and social media rules
FAQs
Can healthcare providers connect with patients on social media?
Connecting with patients on social media is acceptable but requires careful consideration. While HIPAA doesn't directly mention social media, its principles extend to online engagement. Ensure your interactions steer clear of sharing any private health information to abide by HIPAA regulations.
Do healthcare organizations need special training for staff on HIPAA and social media?
Specialized staff training ensures HIPAA compliant social media use. Cover the elements of HIPAA regulations, stressing ongoing education to instill a culture of privacy awareness within the healthcare organization.
Is it okay to share general health information on social media, like upcoming events or tips?
Sharing general health information on social media is generally acceptable, but be cautious to prevent inadvertent disclosure of patient-specific details. Avoid using specific examples that could be linked to identifiable individuals to maintain the confidentiality of patient information.
See also: Social media & HIPAA compliance: The ultimate guide
Farah Amod
