In today’s digital era, we rely heavily on social media platforms for both professional and personal use.
HIPAA violation penalties do not discriminate based on environment and carry serious consequences whether a violation happens online or offline. It’s easy to share too much information without even realizing it.
Additionally, HIPAA specifies 18 types of patient information (aside from names) that must remain private. Sharing any one of those 18 - whether accidentally or otherwise - is a violation of HIPAA.
Here are four of the most common social media HIPAA violations, plus some incredibly uncomfortable examples of recent online violations.
Review the HIPAA Compliance Checklist for your practice
4 Social Media HIPAA Violations That Are Shockingly Common
According to Healthcare Compliance Pros, there are four major breaches of HIPAA compliance on social media.
- Posting information about patients to unauthorized users (even if their name is left out)
- Sharing photos of patients, medical documents, or other personal information without written consent
- Inadvertently exposing any of the above while sharing a picture of something else (e.g. visible documents in photos of employees)
- Assuming posts are deleted or private when they’re not
The easiest solution? Keep strict policies in place for how employees can use social media.
While you should have rules in place, you shouldn’t cut off access completely - social media can hugely benefit your practice when used correctly.
4 Uncomfortable Examples of Social Media HIPAA Violations
Former nurse Kelly Morris took to TikTok and posted what she felt were “humorous” videos about the mistreatment of patients.
Morris claimed that the videos were simply for comedic relief and that nobody was ever harmed in the videos. She was suspended with her employer citing misuse and unprofessional use of social media platforms. Her employer felt that Morris’ actions went against their core values and they would not tolerate the type of behavior she displayed.
Is this considered a HIPAA violation? Possibly.
The videos took place while at work on company property. Although there wasn't any protected health information exposed, many of her actions displayed negligence and abusive behavior.
Many members of the healthcare community, as well as other individuals, commented on Morris’s videos. They argued that her content was not appropriate or even humorous.
Morris was suspended, and legal action has since been taken.
During operations, a group of resident surgeons took pictures of their patients. The images were of body parts removed from the patients and uploaded online without consent.
In some pictures, the patients were still on the operating table during the operation. The patients in the pictures could easily be identified by anyone viewing the images who knew them. The suspected resident surgeons could be facing serious issues with HIPAA safety violations. Sharing photos that include a patient’s face, name, initials, birth date, etc. can lead to substantial consequences.
Ashley Jacobs is a former cast member on the reality show Southern Charm. During her time on the show, she worked as a hospice nurse and home healthcare aide.
Jacobs put herself at risk for violating HIPAA regulations when she sent a video to a fan that included one of her patients, a non-verbal pediatric patient. The fan reported the video to the South Carolina board of nursing for violating HIPAA.
Jacobs’ fans would often encourage her to post pictures with her patients. Although she stated that posting pictures of patients would violate HIPAA regulations, she posted pictures anyway.
A nurse at Texas Children’s Hospital was caught posting details of a patient’s condition in a Facebook group and was terminated as a result.
The pediatric patient was too young to receive the measles vaccination and unfortunately, he contracted the rare disease.
The nurse turned to an anti-vaccination group on Facebook posting details of the boy’s condition. She said that his condition didn’t change her stance, but she could understand why parents vaccinate out of fear of these conditions.
While she did not include the child’s name, the nurse’s Facebook profile listed where she worked. One parent in the group had a child at the same hospital and, worried about exposure to the disease, posted screenshots of the post to the hospital’s Facebook page.
The hospital launched an investigation and immediately suspended the nurse. The nurse then deleted some of her comments, but the hospital fired her for posting PHI.
Social media HIPAA violations are alarmingly common and can be difficult to predict and avoid. Unfortunately, whether accidental or not, the consequences of compliance breaches remain the same.
One way to prevent HIPAA violations on social media is to get proper compliance training for your staff. Even further, if you're hesitant to use social media to promote your practice, healthcare social media management can help you capitalize on social media and its reach while remaining compliant.