A nurse’s social media post about a pediatric measles patient led to her termination and showcased the risks of sharing patient information online.
In May 2019, a nurse at Texas Children’s Hospital, referred to as Ms. N, shared details about a pediatric measles case in a private Facebook group for anti-vaccination supporters. The post described the toddler’s symptoms and condition but did not include the child’s name. However, Ms. N’s Facebook profile listed her place of employment, allowing others to infer information about the patient’s identity.
Ms. N, shaken by the severity of the child’s illness, shared her experience to caution fellow group members about the realities of the disease. “The kid was super sick—sick enough to be admitted to the ICU,” she wrote, noting how the case almost challenged her anti-vaccination views.
A parent who recognized the hospital from Ms. N’s profile raised concerns about potential exposure and reported the post. The hospital launched an investigation, ultimately firing Ms. N three days later for breaching HIPAA’s privacy rule and hospital policy.
Read more: What is the HIPAA Privacy Rule?
The HIPAA privacy rule protects patient information, requiring healthcare workers to treat all identifiable health details as confidential. Even though Ms. N omitted the child’s name, the combination of the disease, the hospital, and her workplace association made the patient indirectly identifiable.
Texas Children’s Hospital stated that Ms. N’s actions violated its privacy policies and breached the trust patients place in the institution. Sharing seemingly anonymized details online can be enough to compromise patient confidentiality, especially in rare cases like this one, where the disease’s low prevalence made identification easier.
Healthcare organizations must ensure employees understand the boundaries of patient privacy and social media usage. Steps to prevent similar incidents include:
Related: HIPAA and social media rules
Connecting with patients on social media is acceptable but requires careful consideration. While HIPAA doesn't directly mention social media, its principles extend to online engagement. Ensure your interactions steer clear of sharing any private health information to abide by HIPAA regulations.
Specialized staff training ensures HIPAA compliant social media use. Cover the elements of HIPAA regulations, stressing ongoing education to instill a culture of privacy awareness within the healthcare organization.
Sharing general health information on social media is generally acceptable, but be cautious to prevent inadvertent disclosure of patient-specific details. Avoid using specific examples that could be linked to identifiable individuals to maintain the confidentiality of patient information.
See also: Social media & HIPAA compliance: The ultimate guide