Social media HIPAA violation examples are most often attributable to healthcare workers impermissibly disclosing facts about patients on social media or posting images and videos without a patient’s authorization. Because these events can result in employers being fined or facing lawsuits, covered entities are advised to enforce HIPAA compliant social media policies.
In December 2015, propublica.org published a list of 47 social media HIPAA violation examples. Most of the examples concerned healthcare workers taking photos and videos of care home residents and uploading them to social media platforms. Most also resulted in a disciplinary action being taken against the healthcare worker responsible for the HIPAA violation. A selection of the social media HIPAA violation examples includes:
- A nursing assistant employed at the CareOne at Livingstone care home in New Jersey photographed a resident’s genitals and sent the image to a friend, who posted it on Facebook. When the violation was discovered, the nursing assistant was fired and both she and her friend were charged with third-degree invasion of privacy.
- A nurse aide employed at the Greenfield Health and Rehabilitation Center in New York was found to have posted an image of an incontinent resident’s genitals on Snapchat. The nurse aide was fired, required to surrender his CNA certificate, and sentenced to one year conditional discharge with 100 hours of community service.
- Two 19-year-old nursing home assistants were fired from the Rosewood Care Center in Illinois after it became known that one had videoed the other mistreating a resident of the care center and the video was posted on social media. Both were fined $500, given two years’ probation, and ordered to do 100 hours of community service.
- A nursing assistant from Kenosha, WI, was fired from her job at the Parkside Manor assisted living center for posting a video of a semi-naked patient with Alzheimer’s on Snapchat. The incident was reported to law enforcement, the woman was charged with capturing an image of nudity without consent, and sentenced to 30 days in jail.
The publication of the ProPublica list prompted the Centers for Medicare and Medicaid Services (CMS) to publish a memorandum reminding nursing facilities of their responsibilities with regards to residents’ rights to privacy and confidentiality. The memo also reminded nursing facilities of their training and reporting obligations – especially with regards to reporting any reasonable suspicion of a crime committed against a resident to law enforcement agencies.
Further Social Media HIPAA Violation Examples
The exposure given to the ProPublica list and the CMS memo did not appear to have much impact on care home healthcare workers. In June 2017, ProPublica updated and republished the list of social media HIPAA violation examples – adding a further 18 examples in just 18 months. Many of the new examples are similar to those listed above. The primary difference is the increased level of enforcement action taken by CMS State Survey Agencies.
To access a wider range of social media HIPAA violation examples, it is necessary to review the Archive section of the Office for Civil Rights (OCR) Breach Report and the resolution notices published on the HHS.gov website. From these sources, it is possible to identify three further examples of social media violations that resulted in a financial settlement or civil monetary penalty for a HIPAA violation. The three examples are:
- In July 2015, an operating room nurse at the Jackson Memorial Hospital, FL, took a photo of the medical records of New York Giants defensive end Jason Pierre-Paul and posted the image on Twitter. The post was reposted by ESPN and a complaint was made to OCR. The complaint was added to an ongoing compliance investigation into the Jackson Memorial Hospital and contributed to a $2.15 million fine being issued in 2019.
- In June 2016, a patient of Elite Dental Associates, Dallas, TX, complained to OCR that their PHI had been disclosed in a response to a review the patient had left on Yelp.com. When OCR investigated, it found the dental practice had previously impermissibly disclosed patients’ PHI in responses to Yelp reviews. In October 2019, Elite Dental Associates agreed to settle the allegations of social media HIPAA violations for $10,000.
- A similar social media HIPAA violation example ended quite differently. In 2015, a patient of Dr. U. Phillip Igbinadolor, Charlotte, NC, complained to OCR that the dentist had impermissibly disclosed their PHI in a response to a Yelp review. Despite OCR finding that this was a single HIPAA violation on social media, Dr. Igbinadolor failed to interact or cooperate with OCR’s investigation and was fined $50,000 in 2022.
In addition to HIPAA penalties, there can be further financial consequences of HIPAA violations for healthcare organizations. In 2016, the Lone Tree Health Care Center, IA, was fined $68,000 by state regulators after photos of residents were posted on Snapchat, while there have been multiple lawsuits filed against healthcare organizations for invasion of privacy – including a 2019 case in which PHI was vindictively disclosed on both Facebook and Twitter.
How to Reduce the Risk of HIPAA Violations on Social Media
Civil money penalties, fines, and lawsuit settlements are not the only reasons why healthcare organizations should reduce the risk of HIPAA violations on social media. HIPAA violations damage an organization’s reputation, reduce patient trust in healthcare professionals, and – in the event of an employee being terminated – increase recruitment costs. In extreme cases, HIPAA violations on social media can also result in exclusion from Medicare and Medicaid.
However, reducing the risk of HIPAA violations on social media is not easy. Banning personal mobile devices from the workplace will prevent workforce members from taking photos of patients or their medical records to post on social media. But banning personal mobile devices is not practical – especially for community nurses – and it will not stop impermissible disclosures of PHI on social media that are written on a personal device away from the workplace.
For this reason, the way to reduce the risk of HIPAA violations on social media is to educate members of the workforce on the consequences of all impermissible disclosures. The HIPAA training should include the consequences to patients, to themselves, and to their employer, and should include information on both internal and external sanctions (i.e., state privacy laws, HHS OIG Exclusion List, penalties for violating §1177 of the Social Security Act, etc.).
Healthcare organizations that require help compiling training to reduce the risk of HIPAA violations on social media are invited to use the social media HIPAA violation examples listed above in their training content. For further information about which external sanctions may apply to members of the workforce in a specific location, it is best to speak with a HIPAA compliance professional with knowledge of state privacy, decency, and data protection laws.