How to Avoid Data Breaches, HIPAA Violations When Posting Patients’ Protected Health Information Online

Facebook, Twitter, Instagram, Snapchat, YouTube, blogs, webpages, Google+, LinkedIn. What do all of these social media outlets have in common? Each can get physicians in trouble under the Health Insurance Portability and Accountability Act (HIPAA), state privacy laws, and state medical laws, to name a few. It seems that all too often, news outlets are reporting data breaches generated in the medical community, many of which arise out of physicians’ use of social media, and most of which could have been avoided.

Physicians should be aware of the intersection of social media—both for personal and professional use—and HIPAA and state laws. Even an inadvertent, seemingly innocuous disclosure of a patient’s protected health information (PHI) through social media can be problematic.

PHI is defined under HIPAA, in part, as health information that (i) is created or received by a physician, (ii) relates to the health or condition of an individual, (iii) identifies the individual (or with respect to which there is a reasonable basis to believe the information can be used to identify the individual), and (iv) is transmitted by or maintained in electronic media, or transmitted or maintained in another form or medium. Under HIPAA, a physician may use and disclose PHI for “treatment, payment, or healthcare operations.” Generally, using or disclosing PHI through social media does not qualify as treatment, payment, or healthcare operations. If a physician were to use or disclose a patient’s PHI without permission, this would be a violation of HIPAA—and likely state law as well.

In order to use or disclose a patient’s PHI without obtaining the patient’s consent, a physician must de-identify the information so that the information does not identify the patient and there is no reasonable basis to believe that the information can be used to identify the patient. One option under HIPAA is to retain an expert to determine “that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is the subject of the information.” Alternatively, and more commonly, a physician seeking to use or disclose patient PHI can remove the following identifiers from the PHI:

1. Names;
2. Geographic information;
3. Dates (e.g. birth date, admission date, discharge date, date of death);
4. Telephone numbers;
5. Fax numbers;
6. E-mail addresses;
7. Social Security numbers;
8. Medical record numbers;
9. Health plan beneficiary numbers;
10. Account numbers;
11. Certificate/license numbers;
12. Vehicle identifiers and serial numbers, including license plate numbers;
13. Device identifiers and serial numbers;
14. URLs;
15. IP address numbers;
16. Biometric identifiers (e.g. finger and voice prints);
17. Full-face photographic images and any comparable images; and
18. Other unique identifying numbers, characteristics, or codes.

Identifier #18 is the most difficult to comply with in light of the significant amount of personal information available on the Internet, particularly through search engines like Google. Inputting even a small amount of information into a search engine will generate relevant “hits” that make it increasingly difficult to comply with the de-identification standards under HIPAA. Even if the first 17 identifiers are carefully removed, the broadness of #18 can turn a seemingly harmless post on social media into a patient privacy violation.

Do not let the following examples be you:

Example 1: An ED physician in Rhode Island was fired, lost her hospital medical staff privileges, and was reprimanded by the Rhode Island Board of Medical Licensure and Discipline for posting information about a trauma patient on her personal Facebook page. According to the Rhode Island Board of Medical Licensure and Discipline, “[She] did not use patient names and had no intention to reveal any confidential patient information. However, because of the nature of one person’s injury … the patient was identified by unauthorized third parties. As soon as it was brought to [her] attention that this had occurred, [she] deleted her Facebook account.” Despite the physician leaving out all information she thought might make the patient identifiable, she apparently did not omit enough.

Example 2: An OB-GYN in St. Louis took to Facebook to complain about her frustration with a patient: “So I have a patient who has chosen to either no-show or be late (sometimes hours) for all of her prenatal visits, ultrasounds, and NSTs. She is now 3 hours late for her induction. May I show up late to her delivery?” Another physician then commented on this post: “If it’s elective, it’d be canceled!” The OB-GYN at issue then responded: “Here is the explanation why I have put up with it/not cancelled induction: prior stillbirth.”

Although the OB-GYN did not reveal the patient’s name, controversy erupted after someone posted a screenshot of the post and response comments to the hospital’s Facebook page. The hospital issued a statement indicating that its privacy compliance staff did not find the posting to be a breach of privacy, but the hospital added it would use this opportunity to educate its staff about the appropriate use of social media. Many believe this physician got off too easy.

The penalties for patient privacy violations (or even alleged patient privacy violations) are multifaceted. Not only can the federal government impose civil and criminal sanctions under HIPAA on the physician and his/her affiliated parties (e.g. physician’s employer), but states can also impose penalties. State-imposed penalties for patient privacy violations vary from state to state. Additionally, the patient may sue the violating physician and his/her affiliated parties for privacy violations. Although HIPAA does not afford patients the right to bring a private cause of action against a physician, state law often does grant patients such a right. Also, state medical boards often have the right to impose penalties, monetary and non-monetary, on a physician for privacy violations. These can include suspension or termination of medical licensure.

Recent reports indicate that people who “like,” “share,” “re-tweet,” or comment on inappropriate social media posts are also getting reprimanded. Finally, the reputational harm associated with an inappropriate post on social media is immeasurable, especially in light of the availability of information on the Internet. Unfortunately, when the physicians described above enter their names in a search engine, they do not see their professional accomplishments and prestigious educations; instead, their top hits are news articles reporting on their inappropriate posts.

Post with caution.

Steven M. Harris, Esq., is a nationally recognized healthcare attorney and a member of the law firm McDonald Hopkins LLC in Chicago. Write to him at [email protected].

Facebook, Twitter, Instagram, Snapchat, YouTube, blogs, webpages, Google+, LinkedIn. What do all of these social media outlets have in common? Each can get physicians in trouble under the Health Insurance Portability and Accountability Act (HIPAA), state privacy laws, and state medical laws, to name a few. It seems that all too often, news outlets are reporting data breaches generated in the medical community, many of which arise out of physicians’ use of social media, and most of which could have been avoided.

Physicians should be aware of the intersection of social media—both for personal and professional use—and HIPAA and state laws. Even an inadvertent, seemingly innocuous disclosure of a patient’s protected health information (PHI) through social media can be problematic.

PHI is defined under HIPAA, in part, as health information that (i) is created or received by a physician, (ii) relates to the health or condition of an individual, (iii) identifies the individual (or with respect to which there is a reasonable basis to believe the information can be used to identify the individual), and (iv) is transmitted by or maintained in electronic media, or transmitted or maintained in another form or medium. Under HIPAA, a physician may use and disclose PHI for “treatment, payment, or healthcare operations.” Generally, using or disclosing PHI through social media does not qualify as treatment, payment, or healthcare operations. If a physician were to use or disclose a patient’s PHI without permission, this would be a violation of HIPAA—and likely state law as well.

In order to use or disclose a patient’s PHI without obtaining the patient’s consent, a physician must de-identify the information so that the information does not identify the patient and there is no reasonable basis to believe that the information can be used to identify the patient. One option under HIPAA is to retain an expert to determine “that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is the subject of the information.” Alternatively, and more commonly, a physician seeking to use or disclose patient PHI can remove the following identifiers from the PHI:

1. Names;
2. Geographic information;
3. Dates (e.g. birth date, admission date, discharge date, date of death);
4. Telephone numbers;
5. Fax numbers;
6. E-mail addresses;
7. Social Security numbers;
8. Medical record numbers;
9. Health plan beneficiary numbers;
10. Account numbers;
11. Certificate/license numbers;
12. Vehicle identifiers and serial numbers, including license plate numbers;
13. Device identifiers and serial numbers;
14. URLs;
15. IP address numbers;
16. Biometric identifiers (e.g. finger and voice prints);
17. Full-face photographic images and any comparable images; and
18. Other unique identifying numbers, characteristics, or codes.

Identifier #18 is the most difficult to comply with in light of the significant amount of personal information available on the Internet, particularly through search engines like Google. Inputting even a small amount of information into a search engine will generate relevant “hits” that make it increasingly difficult to comply with the de-identification standards under HIPAA. Even if the first 17 identifiers are carefully removed, the broadness of #18 can turn a seemingly harmless post on social media into a patient privacy violation.

Do not let the following examples be you:

Example 1: An ED physician in Rhode Island was fired, lost her hospital medical staff privileges, and was reprimanded by the Rhode Island Board of Medical Licensure and Discipline for posting information about a trauma patient on her personal Facebook page. According to the Rhode Island Board of Medical Licensure and Discipline, “[She] did not use patient names and had no intention to reveal any confidential patient information. However, because of the nature of one person’s injury … the patient was identified by unauthorized third parties. As soon as it was brought to [her] attention that this had occurred, [she] deleted her Facebook account.” Despite the physician leaving out all information she thought might make the patient identifiable, she apparently did not omit enough.

Example 2: An OB-GYN in St. Louis took to Facebook to complain about her frustration with a patient: “So I have a patient who has chosen to either no-show or be late (sometimes hours) for all of her prenatal visits, ultrasounds, and NSTs. She is now 3 hours late for her induction. May I show up late to her delivery?” Another physician then commented on this post: “If it’s elective, it’d be canceled!” The OB-GYN at issue then responded: “Here is the explanation why I have put up with it/not cancelled induction: prior stillbirth.”

Although the OB-GYN did not reveal the patient’s name, controversy erupted after someone posted a screenshot of the post and response comments to the hospital’s Facebook page. The hospital issued a statement indicating that its privacy compliance staff did not find the posting to be a breach of privacy, but the hospital added it would use this opportunity to educate its staff about the appropriate use of social media. Many believe this physician got off too easy.

The penalties for patient privacy violations (or even alleged patient privacy violations) are multifaceted. Not only can the federal government impose civil and criminal sanctions under HIPAA on the physician and his/her affiliated parties (e.g. physician’s employer), but states can also impose penalties. State-imposed penalties for patient privacy violations vary from state to state. Additionally, the patient may sue the violating physician and his/her affiliated parties for privacy violations. Although HIPAA does not afford patients the right to bring a private cause of action against a physician, state law often does grant patients such a right. Also, state medical boards often have the right to impose penalties, monetary and non-monetary, on a physician for privacy violations. These can include suspension or termination of medical licensure.

Recent reports indicate that people who “like,” “share,” “re-tweet,” or comment on inappropriate social media posts are also getting reprimanded. Finally, the reputational harm associated with an inappropriate post on social media is immeasurable, especially in light of the availability of information on the Internet. Unfortunately, when the physicians described above enter their names in a search engine, they do not see their professional accomplishments and prestigious educations; instead, their top hits are news articles reporting on their inappropriate posts.

Post with caution.

Steven M. Harris, Esq., is a nationally recognized healthcare attorney and a member of the law firm McDonald Hopkins LLC in Chicago. Write to him at [email protected].

Facebook, Twitter, Instagram, Snapchat, YouTube, blogs, webpages, Google+, LinkedIn. What do all of these social media outlets have in common? Each can get physicians in trouble under the Health Insurance Portability and Accountability Act (HIPAA), state privacy laws, and state medical laws, to name a few. It seems that all too often, news outlets are reporting data breaches generated in the medical community, many of which arise out of physicians’ use of social media, and most of which could have been avoided.

Physicians should be aware of the intersection of social media—both for personal and professional use—and HIPAA and state laws. Even an inadvertent, seemingly innocuous disclosure of a patient’s protected health information (PHI) through social media can be problematic.

PHI is defined under HIPAA, in part, as health information that (i) is created or received by a physician, (ii) relates to the health or condition of an individual, (iii) identifies the individual (or with respect to which there is a reasonable basis to believe the information can be used to identify the individual), and (iv) is transmitted by or maintained in electronic media, or transmitted or maintained in another form or medium. Under HIPAA, a physician may use and disclose PHI for “treatment, payment, or healthcare operations.” Generally, using or disclosing PHI through social media does not qualify as treatment, payment, or healthcare operations. If a physician were to use or disclose a patient’s PHI without permission, this would be a violation of HIPAA—and likely state law as well.

In order to use or disclose a patient’s PHI without obtaining the patient’s consent, a physician must de-identify the information so that the information does not identify the patient and there is no reasonable basis to believe that the information can be used to identify the patient. One option under HIPAA is to retain an expert to determine “that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is the subject of the information.” Alternatively, and more commonly, a physician seeking to use or disclose patient PHI can remove the following identifiers from the PHI:

1. Names;
2. Geographic information;
3. Dates (e.g. birth date, admission date, discharge date, date of death);
4. Telephone numbers;
5. Fax numbers;
6. E-mail addresses;
7. Social Security numbers;
8. Medical record numbers;
9. Health plan beneficiary numbers;
10. Account numbers;
11. Certificate/license numbers;
12. Vehicle identifiers and serial numbers, including license plate numbers;
13. Device identifiers and serial numbers;
14. URLs;
15. IP address numbers;
16. Biometric identifiers (e.g. finger and voice prints);
17. Full-face photographic images and any comparable images; and
18. Other unique identifying numbers, characteristics, or codes.

Identifier #18 is the most difficult to comply with in light of the significant amount of personal information available on the Internet, particularly through search engines like Google. Inputting even a small amount of information into a search engine will generate relevant “hits” that make it increasingly difficult to comply with the de-identification standards under HIPAA. Even if the first 17 identifiers are carefully removed, the broadness of #18 can turn a seemingly harmless post on social media into a patient privacy violation.

Do not let the following examples be you:

Example 1: An ED physician in Rhode Island was fired, lost her hospital medical staff privileges, and was reprimanded by the Rhode Island Board of Medical Licensure and Discipline for posting information about a trauma patient on her personal Facebook page. According to the Rhode Island Board of Medical Licensure and Discipline, “[She] did not use patient names and had no intention to reveal any confidential patient information. However, because of the nature of one person’s injury … the patient was identified by unauthorized third parties. As soon as it was brought to [her] attention that this had occurred, [she] deleted her Facebook account.” Despite the physician leaving out all information she thought might make the patient identifiable, she apparently did not omit enough.

Example 2: An OB-GYN in St. Louis took to Facebook to complain about her frustration with a patient: “So I have a patient who has chosen to either no-show or be late (sometimes hours) for all of her prenatal visits, ultrasounds, and NSTs. She is now 3 hours late for her induction. May I show up late to her delivery?” Another physician then commented on this post: “If it’s elective, it’d be canceled!” The OB-GYN at issue then responded: “Here is the explanation why I have put up with it/not cancelled induction: prior stillbirth.”

Although the OB-GYN did not reveal the patient’s name, controversy erupted after someone posted a screenshot of the post and response comments to the hospital’s Facebook page. The hospital issued a statement indicating that its privacy compliance staff did not find the posting to be a breach of privacy, but the hospital added it would use this opportunity to educate its staff about the appropriate use of social media. Many believe this physician got off too easy.

The penalties for patient privacy violations (or even alleged patient privacy violations) are multifaceted. Not only can the federal government impose civil and criminal sanctions under HIPAA on the physician and his/her affiliated parties (e.g. physician’s employer), but states can also impose penalties. State-imposed penalties for patient privacy violations vary from state to state. Additionally, the patient may sue the violating physician and his/her affiliated parties for privacy violations. Although HIPAA does not afford patients the right to bring a private cause of action against a physician, state law often does grant patients such a right. Also, state medical boards often have the right to impose penalties, monetary and non-monetary, on a physician for privacy violations. These can include suspension or termination of medical licensure.

Recent reports indicate that people who “like,” “share,” “re-tweet,” or comment on inappropriate social media posts are also getting reprimanded. Finally, the reputational harm associated with an inappropriate post on social media is immeasurable, especially in light of the availability of information on the Internet. Unfortunately, when the physicians described above enter their names in a search engine, they do not see their professional accomplishments and prestigious educations; instead, their top hits are news articles reporting on their inappropriate posts.

Post with caution.

Steven M. Harris, Esq., is a nationally recognized healthcare attorney and a member of the law firm McDonald Hopkins LLC in Chicago. Write to him at [email protected].