What are Common HIPAA Violations on Social Media?

by

The most common HIPAA violations on social media are due to healthcare professionals taking photos or videos of patients and impermissibly disclosing PHI on social media platforms such as Facebook, Snapchat, and TikTok. The penalties for HIPAA violations on social media vary depending on covered entities’ sanction policies, state laws, and regulatory  actions.

In July 2015, New York Giants defensive end Jason Pierre-Paul injured his right index finger in a Fourth of July fireworks accident. Pierre-Paul attended the Jackson Memorial Hospital  in Miami, where the index finger was amputated. An operating room nurse at the hospital took a photo of Pierre-Paul’s medical record and posted it on Twitter, where the image was seen and reposted by a member of the ESPN sports team.

As a result of the HIPAA violation on social media, the operating room nurse was fired, a lawsuit was filed by Pierre-Paul against the hospital (which was settled for an undisclosed amount), and the violation was added to an existing investigation into non-compliance throughout the Jackson Health System. The investigation resulted in the Jackson Health System being fined $2.15 million by HHS’ Office for Civil Rights.

In June 2017, Advanced ENT Head and Neck Surgery – a high-end Beverly Hills plastic surgery – reported the insider theft of PHI potentially affecting 15,000 individuals. The surgery had been alerted to the theft by before-and-after images of its clients – many of whom were celebrities – being posted to social media. The insider was sacked, reported to the police, and charged with a violation of §1177 of the Social Security Act.

Jail Time for Posting PHI on Social Media

There are hundreds of cases in which healthcare professionals have been given jail sentences for stealing and/or misusing PHI to commit identity fraud, but few in which a healthcare professional has been given jail time for posting PHI on social media. The best chronicled case concerns 21-year-old Grace Riedlinger from Kenosha, WI, who in  January 2016 was sentenced to 30 days for capturing an image of nudity without consent.

Riedlinger had taken a video of a 93-year-old resident of the care home at which she worked as a nursing assistant and had posted it on Snapchat thinking “it was funny”. A friend of Riedlinger reported the video to the care home, who contacted state regulators and the local police department. Initially charged with a felony offense – and a potential jail term of three and a half years – the charge was reduced to a misdemeanor on sentencing.

Other cases in which criminal charges are filed most often result in probation. However, in April 2015, a nursing assistant at the Golden Living Center in Pierre, SD, was sentenced to three days in jail for posting a video of a bathing resident on Snapchat. The following February, a nursing assistant at the Arbors at Michigan City Nursing Home received 180 days home detention for posting a video of a resident on social media.

In addition to charges being brought against employees, there can also be consequences for the employer. In 2017, two employees of Meadows Mennonite Retirement Community in Chenoa, IL, were charged with posting inappropriate photos of residents on social media. The Retirement Community was fined $25,000 by the Illinois Department of Public Health and settled a lawsuit brought on behalf of a resident for $50,000.

HIPAA Fines for Social Media Violations

There are several cases in which fines have been issued for HIPAA violations on social media. In the first case  – the Jackson Health System investigation mentioned above – the HIPAA violation on social media was a factor in the overall fine. Because the nature of multiple compliance failures overlapped, it is impossible to determine how much of the total fine of $2.15 million related to HIPAA fines for social media violations.   

A second case in which HIPAA violations on social media resulted in a financial settlement concerns Elite Dental Associates, TX. The case was brought to the attention of HHS’ Office for Civil Rights when a patient of Elite Dental Associates alleged that the dental practice had disclosed their name, health condition, treatment plan, insurance, and cost information in a response to a review left on Yelp.com.

HHS’ Office for Civil Rights investigated the allegation and found that Elite had previously impermissibly disclosed the PHI of multiple patients on its Yelp review webpage. In addition to settling the allegation for $10,000, the dental practice was required to undertake a corrective action plan that included two years of monitoring by HHS’ Office for Civil Rights to ensure compliance with the HIPAA Rules and workforce retraining.

Impermissibly disclosures of PHI in Yelp reviews were also the reason for a HIPAA fine for a social media violation in 2022. In this case, the fine on Dr. U. Phillip Igbinadolor was increased to $50,000 due to the North Carolina dentist’s lack of cooperation with the Office for Civil Rights’ investigation. Because of the lack of cooperation, it took more than six years for the original complaint against Dr. Igbinadolor to be resolved.

Disciplinary Action for Violating Social Media Policies

HIPAA covered entities are required to enforce sanctions against workforce members that violate policies developed to comply with HIPAA. Because covered entities have a degree of autonomy over what the policies consist of – and what sanctions apply for violations of the policies – there are cases in which disciplinary action has been taken for a violation of a social media policy that did not violate HIPAA.

In 2020, a healthcare professional at Ballad Health, TN, posted a photo of himself online performing a surgical procedure in a racing helmet. Although the identity of the patient could not be determined from the photo, Ballad Health took disciplinary action against the healthcare professional stating: “This is not a HIPAA violation. However, it is unacceptable and in violation of our internal policies.”

The following year, Spectrum Health in Grand Rapids, MI,  took “corrective action” against a group of 35 resident physicians who had published photos on Instagram of body parts removed from patients during surgical procedures (i.e., fibrous tissues and body organs). None of the photos could identify the patients from whom the body parts were removed, so the “disclosures” did not constitute HIPAA violations on social media.

Also in 2021, Kelly Morris was suspended from her job as a nurse at the Citadel Winston Salem nursing facility, NC, after objections were raised about her “experience-based” comedy sketches posted on TikTok. Morris claims she did not disclose PHI to her 32,000 followers, but a spokesperson for the nursing facility said, “the unprofessional use of social media platforms by employees violates our core values and is not tolerated”.   

The Consequences of Impermissible Disclosures

The consequences of impermissible disclosures on social media can affect patients, healthcare professionals, and healthcare organizations. As far as patients are concerned, the consequences of impermissible disclosures on social media include hurt, embarrassment, and potential identity theft. In many cases, the disclosures hurt and embarrass family members and friends as well as the patient.

For healthcare professionals, the consequences of HIPAA violations on social media vary depending on covered entities’ sanctions procedures. In some cases (i.e., when no identifiable information has been published), the consequences may consist of a warning and additional HIPAA training. More serious violations of a covered entity’s social media policy may lead to more severe sanctions being administered.

Healthcare professionals that violate HIPAA on social media may also be in breach of state licensing, privacy, or elder abuse laws. A violation of these laws may lead to the termination of employment, forfeiture of professional license, and a criminal record. In some cases, a healthcare professional can be added to a state or federal “exemptions list” which means they will be unable to find work in the healthcare industry.

For healthcare organizations,  HHS Office for Civil Rights can impose penalties for HIPAA violations on social media by workforce members if it is established that the healthcare organization contributed to the impermissible disclosure. As seen from the Meadows Mennonite Retirement Community example above, healthcare organizations can also be fined by state regulators and subject to lawsuits.

How to Mitigate HIPAA Violations on Social Media

The most direct way to mitigate HIPAA violations on social media is to prohibit the use of personal mobile devices in the workplace. However, while this might prevent workforce members taking photos and videos of patients and posting them on social media, it does not stop a member of the workforce disclosing information about a patient on social media when they are away from the workplace.

In addition to not guaranteeing it will mitigate HIPAA violations on social media, it is not practical to prohibit the use of personal mobile devices in the workplace. Many healthcare professionals rely on their personal mobile devices to remain in contact with colleagues. To replace personal devices with limited-functionality corporate devices would likely be too expensive for most healthcare organizations.

As a result, the best way to mitigate HIPAA violations on social media is to implement HIPAA compliant social media policies that not only support HIPAA compliance, but that also warn of the other consequences that could result from impermissibly disclosing PHI on social media. Healthcare organizations that require assistance developing a suitable policy are advised to speak with a healthcare compliance professional.