10 Examples of HIPAA Violations on Social Media
A benefit of including examples of HIPAA violations on social media in HIPAA training is so members of the workforce can see the potential consequences of violating HIPAA. However, healthcare organizations also need to be aware of the consequences of failing to prevent impermissible disclosures of Protected Health Information on social media.
The primary purpose of HIPAA training is to communicate policies and procedures to members of the workforce “with respect to Protected Health Information”. The training must be provided “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.” However, there is a good reason for providing all members of the workforce with training about HIPAA violations on social media.
Regardless of their “functions”, any member of the workforce could identify a celebrity patient and post details about their health condition on social media. Unless the celebrity patient has authorized the social media post, it is an impermissible disclosure of Protected Health Information and a violation of HIPAA. This could have consequences for both the workforce member who posted the information and the healthcare organization.
Even if a patient is not a celebrity patient, all patients have a right to privacy and confidentiality. In many cases, the violation of a patient’s privacy by disclosing Protected Health Information on social media is not only a violation of HIPAA. It may also violate the conditions for participation in Medicare and Medicaid, professional licensing requirements, and/or state privacy laws. The following examples of HIPAA violations on social media show how.
10 Examples of HIPAA Violations on Social Media
Although there are many publicly reported examples of HIPAA violations on social media, these are possibly the tip of the iceberg. This is because there is a known culture of underreporting in healthcare for patient safety events, workplace violence, and musculoskeletal injuries. It may be possible that HIPAA violations on social media are also underreported or that they are dealt with quietly without attracting the attention of news reporting outlets.
Nursing Assistant Charged with Felony Offense
In 2012, Helien Williams – a nursing assistant at the CareOne care home in Livingstone, NJ – took a photo of a patient’s genitals on her cell phone and sent the photo to her friend Michele Walker, who posted the photo on Facebook. When the HIPAA violation was brought to the care home’s attention, Williams was fired and the incident reported to Livingstone PD. Both Williams and Walker were subsequently charged with third-degree invasion of privacy.
Aide Loses License – Gets Community Service
In 2013, Edward Melock – a nurse aide at the Greenfield Health and Rehabilitation Center, NY – shared photos of an incontinent patient’s genitals with a colleague on Snapchat. The colleague reported the incident to the center’s administrator, who reported it to the state health department. Melock was sacked, told to surrender his nurse aide license, and sentenced to 100 hours of community service as part of a conditional discharge.
Two Assistants Fired, Fined, and Put on Probation
In 2014, Jacqueline Santos and Chemyra Barnett were fired from their nursing assistant jobs at the Rosewood Care Center, IL, after Santos videoed Barnett abusing a patient and posted the video on social media. After discussing the case with the patient’s family, prosecutors charged the nursing assistants with a misdemeanor count of battery, fined each of them $500 and 100 hours of community service, and put both on probation for two years.
Nursing Assistant Jailed – Nursing Home Sued
In 2015, Callie Jones – a nurse aide at the Golden Living Center, SD – was sentenced to three days in jail for taking nude photographs of a resident and posting them on social media. The care home was also sued by relatives of the resident for being negligent in hiring, training, and supervising Jones, for failing to attain and maintain the resident’s well-being, and for failing to promote the resident’s quality of life.
Covered Entity Fined by Office for Civil Rights
Also in 2015, a complaint was received by HHS’ Office for Civil Rights alleging that Dr. U. Phillip Igbinadolor – a dentist based in Charlotte, NC – had impermissibly disclosed the PHI of a patient in his response to a negative review on Yelp.com. The complaint was upheld, and due the doctor’s lack of cooperation with the compliance investigation, HHS’ Office for Civil Rights imposed a civil monetary penalty of $50,000.
Another Nursing Assistant Jailed for a Social Media Violation
In 2015, Grace Riedlinger – a nursing assistant at the Parkside Manor Care Home, WI – posted a photo of a semi-nude resident on Snapchat thinking “it was funny”. When the photo was reported to the care home, it was escalated to law enforcement – who charged Riedlinger with capturing an image of nudity without consent. The original felony charge was reduced to a misdemeanor and Riedlinger was sentenced to 30 days in jail.
Another Covered Entity Fined by Office for Civil Rights
In 2016, a patient of Elite Dental Associates, Dallas, TX, complained to HHS’ Office for Civil Rights that their PHI had also been disclosed in a response to a review on Yelp.com. The compliance investigation found the dental practice had impermissibly disclosed other patients’ PHI in responses to Yelp reviews. Elite Dental Associates subsequently settled the allegations of HIPAA violations on social media for $10,000.
Care Home Given Jeopardy Designation and Fined by CMS
In 2016, despite being alerted to images of residents posted on social media, the Lone Tree Health Care Center in Lone Tree, IA, failed to report the HIPAA violation to state or federal regulators. The violation was subsequently identified by CMS inspectors, who declared that patients were in immediate jeopardy of harm and fined the care home $68,000. The fine was reduced by 50% and the designation removed after an appeal.
Patient Sues Hospital for Breach of Trust
In 2019, Jessica Wagner – an employee of Northwestern Medicine Kishwaukee Hospital, IL – accessed PHI belonging to Gina Graziano and shared it with Graziano’s former boyfriend, David Wirth. Wirth posted the PHI on Twitter, and when Graziano was informed of the post by a friend, she complained to the hospital. The hospital sacked Wagner, but Graziano has since filed a lawsuit against the hospital for a breach of trust.
Two More Sentences and Another Lawsuit
In 2019, Brayan Cortez and Jamie Montesa – certified nursing assistants at Abingdon Nursing Home in Glenview, IL – were videoed taunting a resident. The video was uploaded to Snapchat. Following an investigation, the nursing assistants were arrested on misdemeanor charges and sentenced to supervision and community service. The family of the resident have filed a lawsuit alleging violations of the Nursing Home Care Act, HIPAA, and state privacy laws.
The List of Potential Consequences is a Long One
The list of potential consequences for HIPAA violations on social media is variable because each HIPAA covered entity and business associate is required to develop a sanctions policy. Each organization’s sanction policy could apply different levels of sanction depending on the nature of the violation, the harm caused by the violation, and the workforce member’s previous record of compliance with HIPAA policies and procedures.
However, for a member of a workforce, it is important to be aware that a HIPAA violation on social media can result in a warning, a suspension, or the loss of employment. If reported to state authorities, the consequences could escalate to loss of license, exclusion from working in the healthcare industry criminal charges, and jail time. The penalties for violations of federal law (i.e. §1177 of the Social Security Act) can be much higher.
For healthcare organizations, HIPAA violations on social media due to the failure of the organization to comply with HIPAA can result in civil monetary penalties, lawsuits, inclusion on the HHS OIG LEIE List, and exclusion from Medicare and Medicaid. For these reasons, it is recommended healthcare organizations make a good faith effort to educate members of the workforce about the consequences of HIPAA violations on social media.