There’s more to patient privacy and social media than HIPAA

Posted on March 12, 2012 3:33 pm by | Healthcare | Social Media

In the lead-up to the first of a series of workshops on digital and social media for healthcare organizations I’m leading with Chris Boyer, I’ll be cranking out several healthcare focused posts over the next couple weeks. The workshop, Health Care Communicators Boot Camp, starts out in Philadelphia on March 26. Get details and register here.

Most hospitals and other healthcare organizations spout a single two-syllable word when asked why they’re not engaging in social media. That word—an acronym—is HIPAA, short for the Health Information Portability and Accountability Act. HIPAA covers a lot of ground, but in this context, it prevents a healthcare organization from divulging personal health information about its patients. To be completely official about it, the U.S. Department of Health and Human Services, on its site dedicated to summarizing the HIPAA Privacy Rule, says…

The Privacy Rule standards address the use and disclosure of individuals’ health information—called “protected health information” by organizations subject to the Privacy Rule—called “covered entities,” as well as standards for individuals’ privacy rights to understand and control how their health information is used.

The penalties for a HIPAA violation can be severe, up to $50,000 per violation along with criminal penalties “if the wrongful conduct involves false pretenses,” so it’s easy to see why hospital counsel shies away from activities that could lead to fines.

Plenty of hospitals manage to balance HIPAA compliance with robust social engagement, however, including prestigious institutions like The Mayo Clinic, Johns Hopkins Medicine, The Cleveland Clinic and the M.D. Anderson Cancer Center. In fact, they have determined that the benefits of a social media strategy can far outweigh the risks of HIPAA violations. Besides, as former Beth Israel Deaconess Medical Center CEO Paul Levy put it, “Any form of communication (even conversations in the elevator!) can violate important privacy rules, but limiting people’s access to social media in the workplace will mainly inhibit the growth of community and discourage useful information sharing.”

Most hospitals that permit or even encourage staff engagement in social media channels conduct some kind of training to ensure employees are up to speed—not just on social media, but on patient privacy in general. Some hospitals develop standalone training while others incorporate social media into their annual HIPAA sessions.

If your organization hasn’t developed training, now’s the time, not just because of HIPAA but because, as it turns out, your staff could be liable for more severe punishment if they run afoul of the law, no matter how ignorant they may be of the rules or how innocent they thought their post may have been.

Consider the case of Nai Mai Chao, a nursing assistant in Oregon who spent eight days in jail over invasion of the personal privacy of residents of the nursing home where she worked. Reports say that she posted graphic images of patients, accompanied by some offensive comments, to her Facebook page. While she insisted she wasn’t the actual photographer, she confessed to posting the images, resulting in a conviction for the misdemeanor of invading personal privacy. A prosecutor in the case was quoted saying the conviction is a lesson in responsibility for what people post online. Of course, it’s HHS that prosecutes HIPAA violations, so both Ms. Chao and the nursing home where she worked could be in for some additional penalties.

All of which could have been avoided if Ms. Chao and her colleagues at all levels had been trained on their obligations, the rules and the consequences related to posting online. As it stands, Ms. Chao probably won’t have to worry about it any longer, since she was also sentenced to probation, community service and a fine. She had to surrender her nursing certificate and was fired from her job. In an interesting side note, the judge required her to write a 1,000-word apology to a patient, and if she fails to do so, she could be charged with violating her probation.

That’s a lot of punishment that could have been avoided through a simple one-hour training session, one that could not only have prevented future violations by other employees but also produced positive online staff engagement that boosted the nursing home’s reputation.

If you’re not training your staff on the connection between patient privacy and social media, don’t put it off any longer. The consequences clearly go beyond HIPAA.

You can read more about Ms. Chao’s case on The Security Scrutinizer blog.

  • 1. The healthcare industry has so many places to turn to find examples of good social media practices and policy that work with HIPAA. How unfortunate--for everyone involved in this case--that the organization didn't provide training for its employees. A good example of how wrong things can go with social media if you skip or skimp on the training and policy side. Thanks for the post.

    Allen Mireles | March 2012 | United States

  • 2. With so many medical students and established professionals engaged in social media activities both professionally and personally, social media discussion absolutely needs to be integrated into HIPAA training.

    What an awful situation you describe here. :(

    Jason Boies
    Radian6 Community Team

    Jason Boies | March 2012 | Fredericton NB, Canada

  • 3. My patients are enjoying and benefiting from my Facebook page at Dr Clay-Flores. At all times I make sure not to share any personal information about any of my patients. I am curious though if there is a concern for a patient posting personal information about himself or herself on my Facebook page.

    dr clay-flores | March 2012 | san antonio, tx

  • 4. I ran into a situation at work where a surgeon was tweeting, via a sales rep, the surgery in progress so the family could keep up with the progress of the surgery. (This was in addition to the 1 1/2 hour updates from the nurse to the family.) The surgeon did mention the patient's name and had the family's permission along with their pictures. His operative permit had a small mention of internet usage but no specific permit from the family to use the specific information to tweet. The doctor also did not inform the hospital he was doing this, nor did he receive permission from the staff to use their pictures in his tweets.

    How does HIPAA interact with this type of situation? Any input and comments.

    I am also working on my MSN and would like to write a paper on the expanding use of social media and patient care. All input would be helpful.

    Rick McGowan | December 2013 | clayton, nc
