When Social Media and Patient Privacy Collide

HIPAAEarlier this month, three employees of an assisted living facility in Glendale, Arizona were let go after allegedly videotaping patients and posting them to Snapchat. The video shows employees making fun of elderly residents in their care and, instead of taking care of one woman asking for help, the employee continues to film and make fun of her.

To its credit, management said it was investigating the matter and that it also had been reported to the State Board of Nursing as well as the Arizona Department of Health Services for review.

The matter came to management’s attention thanks to a whistleblower (a nurse) who saw the video on Snapchat and reported it.

The assisted facility center said in a statement that it planned to remind its employees of the “importance of adherence to our internal and external policies and procedures, especially regarding the use of cell phones during working hours, social media usage.”

It did not specify what those policies were.

A similar incident occurred in September at the Naval Hospital Jacksonville where medical officers posted a Shapchat video of a staff member inappropriately handling newborns and calling them mini-Satans. The employees were removed from patient care and were to be “handed over to the legal system and military justice,” according to a hospital spokesperson.

These two most recent incidents drive home the point that all healthcare facilities must have policies and procedures in place to ensure that instances such as this one do not occur and, if they do, how they are to be handled. Those who work in the healthcare field must be knowledgeable about how the HIPAA privacy rule works and how it can be violated.

Examples of HIPAA violations involving social media include:

  • Posting information to social media about a patient to unauthorized individuals, even if their name is not provided.
  • Sharing photos or videos without a patient’s written consent.
  • Posting comments about patients on social media.
  • Posting photos of patient records, the day’s schedule or any other document that may include protected health information.

Keep in mind that written authorization must be obtained using a HIPAA-compliant form. You can’t just say the patient said it was okay.

A breach of patient privacy can result in not only civil fines ranging from $100 up to $1.5 million, but also can result in criminal penalties which can land you in prison.

If you are a healthcare professional and you suspect a breach, immediately report it to your compliance officer. Once a breach has been determined, notification must be provided to HHS no later than 60 days following its discovery.

While social media can have its place within the healthcare arena, it’s imperative that everyone at your organization is educated about the do’s and don’ts of posting.

The Health Law Offices of Anthony C Vitale can assist clients with HIPAA-related matters, perform a risk assessment and to help them ensure that the right patient controls are in place.