On Monday this week, a case against University of Cincinnati Medical Center (UCMC) was heard by Judge Jody Luebbers in the Hamilton County Common Pleas Court regarding the posting of Protected Health Information of a patient on social media.
The incident that triggered the lawsuit concerned the posting of a patient’s medical records by a woman employed in the financial services department at UCMC. The employee had accessed the medical records of the patient, taken a screenshot of her medical records and uploaded the image to her Facebook account. The image was then shared with members of a Facebook group. The same image was also emailed to the same individuals. The group in question had been named “Team No Hoes.” The patient in question had contracted syphilis and was pregnant at the time.
The naming and shaming of the patient on social media was investigated by the hospital as soon as the privacy violation was discovered, and the employee, who was in her early twenties, lost her job as a result.
Cases involving vicarious liability are often filed by co-workers who have suffered sexual harassment in the workplace, or have otherwise come to harm as a result of actions or omissions of another person. However, typically an employer can only be found liable for the actions of an employee if it can be demonstrated that the actions or omissions occurred during the course of employment while furthering the purpose of an employer. Judge Jody Luebbers ruled that under Ohio law there were no grounds to support the claim against the hospital.
While there is no doubt that HIPAA Rules were violated by the hospital employee, the hospital could not be held liable because the employee was not acting “within the scope of her employment.”
Healthcare providers have a responsibility to provide training on HIPAA Privacy and Security Rules to all employees required to come into contact with PHI. Employees must be informed of circumstances under which patient data can be disclosed, and which individuals are allowed access to data.
They should also be informed of the penalties for violating HIPAA Rules, as well as for violations of the organization’s privacy policies. The potential penalties for willful and accidental disclosure of protected data should also be explained. Staff members should be informed that the penalties can be severe, and may involve heavy fines and lengthy prison terms.
The rise in popularity of social media websites, and the ease with which posts can be uploaded, have inevitably led to the publication of some patients’ PHI by hospital employees. There is little that a healthcare provider can do to prevent this other than by providing training. However, it is important to explain that the sharing of PHI via social media is also prohibited and is a violation of HIPAA Rules. This may seem obvious, but for some individuals, especially those in their early twenties or late teens, it may not be.
Some individuals may not view Facebook posts as constituting a breach of HIPAA Rules, especially if PHI is only shared between a group of friends.
Back in 2011, a similar incident occurred when a temporary worker at the Providence Holy Cross Medical Center posted a photograph of a patient on Facebook and made fun of her condition in the post. When asked about his actions, the employee said “People, it’s just Facebook…Not reality. Hello?” The Daily News reported that the individual also said, “if you don’t like it too bad because it’s my wall and I’ll post what I want to.”