Wednesday, February 1, 2012

Facebook and HIPAA: More Ways to Get In Trouble

After a rough day at work, an emergency room physician decided to let off some steam. She logged onto Facebook and wrote about an odd-ball patient. Because of confidentiality requirements imposed by her professional ethics and by HIPAA, the federal privacy regulations, the doctor knew better than to publish her patient’s name. Unfortunately, she put enough information about the patient in her post that her readers were able to figure out his identity. In the uproar that followed, the doctor lost her job and her staff privileges at the hospital. The Medical Board issued a formal reprimand and fined her. We don’t know yet whether the HIPAA police have taken action or whether the patient has filed an invasion of privacy lawsuit.

The case reminded me of a defamation suit from the 1950s. It involved a book about a world-famous fashion store. (Note that I’m not telling you which one.) The author wrote that the models from New York and Paris were “call girls” and that wealthy men paid thousands of dollars to go out with the women. He wrote that the salesmen were homosexuals. He claimed that the saleswomen were cheaper than the models but were also available for hire. Of course, the store filed suit for defamation. The nine models employed by the store also filed suit. Of the store’s 25 salesmen, 15 filed suit. In addition, 30 of the 382 saleswomen filed a claim with the court.

The author asked the court to dismiss the employees’ suit. Because he had not published their names, he argued that he was not liable to them. The court ruled that even though the author had not identified the models by name, readers of the book could easily determine the models’ identities. Likewise, it ruled that readers would be able to figure out the names of the 25 salesmen. However, the court found that it would be very difficult to figure out the identities of the saleswomen mentioned in the book because the store had 382 saleswomen at the time. Accordingly, the court allowed the models and salesmen to go to the jury, but dismissed the claims of the saleswomen.

HIPAA prohibits unauthorized disclosure of protected “individually identifiable” information. In other words, if you can figure out the identity of the patient from the information disclosed, the information is protected. For example, if a physician says he is treating the Governor of North Carolina, most North Carolinians would know the name of the doctor’s patient.

Assume a nurse asks her Facebook prayer group to pray for “one of our beloved ministers and his wife.” She writes that the clinic where she works has diagnosed the preacher with a social disease. If there is more than one minister, the members of the prayer group wouldn’t know which minister the nurse had outed. Has the nurse violated HIPAA?

If a court were to look to the fashion store case for guidance, the answer might depend on how many ministers worked at the church. If there were 25 or fewer, the nurse would be liable. If the nurse belonged to a church with hundreds of ministers, she might not.

However, another recent case indicates that a health care provider might suffer punishment even when it is impossible to figure out the identity of the patient he writes about. The case involved two nurses who posted cell phone pictures of a patient’s x-ray on a social media site. The x-ray showed that the patient had a sex toy lodged in her body. Although the public couldn’t determine the patient’s name, the hospital fired the nurses. The hospital didn’t claim that the nurses had violated HIPAA. It fired them on the grounds that making fun of any patient in public was “unprofessional conduct.”

Clearly, businesses, especially health care facilities, need written social media policies and should educate employees about those policies. The policies should apply to any publication made by employees on Facebook, Twitter, MySpace and other social media sites. They should prohibit employees from identifying customers, patients, co-workers, suppliers, referral sources, supervisors, and others connected to the employer on those sites. They should also prohibit publishing photographs or x-rays related to work on the sites. Businesses should consider prohibiting posts that reflect poorly on the company, such as pictures showing employees in compromising situations. The policies may also require employees who post opinions on sensitive topics to include a note that the opinions do not reflect the views of the employer. Finally, the policies should specify how the employer will discipline employees who violate the regulations. Employees should sign a statement that they have a copy of the policies and agree to abide by their terms.

Meanwhile, we’ll all enjoy those wonderfully entertaining blogs, videos, and photos of ourselves and others at our worst – and best. And be glad that some of our parents still haven’t figured out how to turn on a computer.