In the first half of 2018 alone, more than 56% of the 4.5 billion compromised data records were tied to social media incidents. In healthcare, these breaches range from seemingly harmless mistakes, such as an employee inadvertently including protected health information (PHI) in a social media post, to intentional acts, such as sharing sensitive patient details for personal gain or amusement.
Addressing this issue, OCR Director Melanie Fontes Rainer stated: “OCR continues to receive complaints about health care providers disclosing their patients’ protected health information on social media or the internet. Simply put, this is not allowed. The HIPAA Privacy Rule expressly protects patients from this type of activity, which violates both patient trust and the law. OCR will investigate and take action against such impermissible disclosures, no matter how large or small the organization.”
According to Medsafe, “social media is one of the main avenues where breaches of protected health information (PHI) occur for healthcare organizations.” This suggests that many healthcare professionals may not fully comprehend the extent of HIPAA regulations when it comes to social media usage. Even seemingly innocuous comments or images can constitute a violation, as patient privacy can be compromised without explicitly mentioning the patient's name.
In June 2021, former nurse Kelly Morris faced suspension from her employer, Citadel Winston-Salem, for posting videos on TikTok that involved jokes about mistreating patients. While Morris claimed the videos were mere comedy skits and did not harm anyone, her employer deemed the content a violation of their core values and took appropriate disciplinary action.
In October 2020, employees at Ballad Health in Tennessee posted a photo of an individual undergoing surgery while the surgeons wore a racing helmet. Although the post did not include any identifiable features, Ballad Health deemed the actions unacceptable and a violation of internal policies.
In April 2020, nurse Lillian Udell shared a video with the online publication The Intercept, interviewing her coworkers about the hardships they faced while working during the COVID-19 pandemic. While the video did not explicitly mention patient names, one of Udell's coworkers made a statement that could be seen as a potential HIPAA violation, leading to an investigation by the hospital.
According to the Journal of AHIMA, Facebook groups are “no exception.” In November 2019, a news investigation uncovered an online EMS Facebook group with over 23,000 members, most of whom were emergency responders. The group regularly posted uncensored videos and pictures of the scenes they encountered while on the job, a clear violation of patient privacy. The owner of the group, who worked as a paramedic at Grady Hospital, was disciplined for the second time in six months for posting about patients on social media.
In October 2019, the Office for Civil Rights (OCR) reached a $10,000 settlement with Elite Dental Associates for disclosing PHI on Yelp, a social media platform for reviewing businesses. The practice had responded to a patient's review with details about the patient's treatment plan, insurance, and cost, which prompted an OCR investigation into impermissible disclosure of PHI and ended in the settlement.
In August 2019, an employee from MUSC Health posted a photo of an infant patient with words printed across the child's face, without obtaining permission from the parent. This incident marked MUSC Health's sixth social media-related HIPAA violation in three years, despite the organization's zero-tolerance policy and past disciplinary actions. The Journal of AHIMA suggests that “Healthcare professionals must always think critically about what they are posting on social media and take HIPAA, state, federal, or local laws into consideration first, while also carefully reviewing their internal organizational guidelines before posting anything online.“
In August 2019, a lawsuit was filed against Glenview Nursing Home for violating the Nursing Home Care Act, HIPAA, and other state privacy laws. The case stemmed from a Snapchat video that showed two employees taunting a 91-year-old resident suffering from dementia by waving a hospital gown in front of her.
In May 2019, Texas Children's Hospital fired a nurse who posted details of a pediatric patient's measles condition to an anti-vaccination support group on Facebook. While the nurse did not include the child's name, her Facebook profile listed her workplace, potentially compromising the patient's privacy. The Journal of AHIMA notes, “Posting patient information online, even in a private community, is problematic from a healthcare regulatory compliance perspective.”
In March 2019, Northwestern Medical Regional Group failed to inform a patient, Gina Graziano, that her medical records had been improperly accessed. Jessica Wagner, the girlfriend of Graziano's ex-boyfriend and an employee of the hospital, had accessed Graziano's records without authorization and then posted the information on Twitter, leading the hospital to terminate Wagner's employment.
A recurring issue in these incidents is a lack of understanding of HIPAA guidelines, particularly around social media use. Effective training programs should go beyond generic HIPAA overviews to include:
Healthcare organizations need detailed social media policies tailored to their operational realities. Specific examples include:
Accountability must extend beyond punitive measures. Encourage a proactive, supportive environment where employees feel comfortable seeking guidance. Key strategies include:
Healthcare organizations should refrain from discussing specific patient health details on social media. Encourage patients to use secure communication channels or contact their healthcare provider directly for personalized inquiries.
Yes, sharing general health information is fine, but avoid examples that might inadvertently reveal patient-specific details.
Yes, but ensure advertisements avoid disclosing patient-specific details to comply with HIPAA guidelines.