In an era of social media, healthcare professionals still have much to learn about HIPAA.
In nearly any facility throughout the United States, a survey could be piloted with nursing professionals, asking nurses to define the magnitude of HIPAA. Nearly all would agree they understand basic elements of the Health Insurance Portability and Accountability Act (HIPAA), a U.S. law designed to protect patient privacy and the integrity of medical records.5
Yet again and again, we find the inverse to be true. With the explosion of social media, a few professionals appear to disregard the rights of patients, whether it be in the form of a post on Facebook or Instagram (does this rash look like Measles to you?), or an out and out case of celebrity snooping, such as the incident with the recent firings of multiple professionals following Jussie Smollett’s ER visit to a Chicago hospital.
HIPAA, developed by the Department of Health and Human Services, was a grouping of Federal standards that went into effect on April 13, 2003. The standards were designed to provide patients with access to their own medical records, and more control over how “personal information is used and disclosed.” The law provides a consistent standard of care and privacy protection for consumers across the country. Infractions can be brutal. Hospitals can be fined. Individuals can be terminated.
The most infamous infractions have to do with celebrities, or with large corporate hackings, but these are the icing on top of the cake. Minor infractions may be an everyday occurrence.
In 2008, 13 hospital workers were terminated for snooping into Britney Spears’ medical record at UCLA, where she had been seeking treatment for psychiatric care. What is interesting is that this occurrence was the second breach into Britney’s records, and this occurred after UCLA’s Chief Compliance Officer had sent a memo to all staff members reminding them that HIPAA prohibits anyone from accessing a patient’s medical record without a valid reason for doing so. The first breach into the singer’s records occurred in 2005, during the birth of her son.8
For the record, it wasn’t just nurses at UCLA hospital system who appeared to have a problem with following HIPAA guidelines. During the 2008 episode, six physicians were also suspended for accessing the medical records of Britney Spears.8
That was then, this is now. Fast forward to 2019, and at least 50 Northwestern Memorial Hospital employees in Chicago were terminated in March for inappropriate access to actor Jussie Smollett’s medical records. A few of the employees were interviewed on talk shows or by news media. They discussed “not knowing” they could be terminated for viewing his name on a list of patients quickly scrolling through a screen. Others admitted a moment of “curiosity” got the best of them, stating they would take it back if they could. One administrator, however, believed she acted in good faith when an employee questioned whether Mr. Smollett was admitted under an alias. She assumed the employee was asking for professional reasons, and promptly probed a computer to answer the question. She was also fired.6,7
But the amazing issue here? The Jussie Smollett incident followed immediately on the heels of another HIPAA violation at the exact same location, the same Emergency Room. A young woman treated in the Emergency Room in early March had her records breached and her personal information posted on social media, by an employee who worked for Northwestern Memorial Hospital at the time. In this case, the breach was willful, and personal harm was the intended result. The employee has since been terminated, and it is unclear if criminal charges will result. But it IS likely the Compliance Officer has work to do with the employees and the institution to assure the safety of future patients’ privacy as well as the integrity of medical records.
These are a few of the bold violations that have been in the news. HIPAA violations, however, may fall into any of these common categories:
- Stolen/lost laptop
- Stolen/lost smartphone
- Stolen/lost USB device
- Malware incident
- Ransomware attack
- Business associate breach
- EHR breach
- Office break-in
- Sending PHI (protected health information) to the wrong person/contact
- Discussing PHI outside of the office or in public spaces
- Social media posts1
Whenever PHI is breached, a report of the incident must be filed with the Department of Health and Human Services (HHS) on the Breach Reporting Portal. Fines may be involved, and a compliance report must be filed by the Compliance Officer. Information about breaches will then be posted and available to the public on HIPAA Breach News.3
An excellent source for nurses to follow to become savvier about HIPAA is hipaajournal.com, where specific cases are reviewed. One such case is that of a Texas nurse, who wanted to confront her feelings about a Pediatric patient with measles, the first she had encountered in her lifetime. The nurse, a diehard anti-vaxxer, knew she wouldn’t change her beliefs about vaccination, but she wanted to vent about the boy’s illness, and her feelings of sadness about a “preventable” illness, the first she had witnessed. She probably realized her mistake once she had relaxed at home, because she deleted the post. Unfortunately, the damage had been done.4
A few days elapsed, and she was terminated by her employer. Why? Not for her anti-vaxxer beliefs, but because she had posted enough PHI about the patient that the boy, even though his name had not been mentioned, could have been tracked. After all, her colleagues knew which patient had been treated for measles that shift, and even though the post had been deleted, it had been up long enough to have been seen, copied, shared, and sent on its way to numerous “likes” or posts around the globe.
In an era of social media, we still have much to learn about HIPAA. We know not to share passwords, and to stay out of patient rooms if a neighbor or an old college classmate has been admitted. We should be immune to snooping through a celebrity’s PHI or getting goosebumps by staring at a name on a computer screen, but it appears many are not, as recent events have shown. And, as hospital employees, we should be aware of what policies institutions demand of their employees (e.g. looking up your own health records on the job may be an infraction of the rules). 2
HIPAA was enacted to protect patient privacy and the integrity of medical records. Has the world gotten more complex since 2003? Absolutely. As a result, we must become more vigilant, more dynamic, ever more fluid. In a sentence, we need to get with the times.
Hipaajournal.com. Read it. It may save your job.
- Compliancygroup.com “What are some common HIPAA violations?” firstname.lastname@example.org
- Hhs.gov US Department of Health and Human Services “Summary of the HIPAA security rule.”
- Hipaajournal.com Business Associate Choice for HIPAA compliance, including HIPAA Breach News.
- Hipaajournal.com “Texas nurse fired for Social media HIPAA violation.” Posted in hipaajournal.com Sept. 13, 2018.
- Medicine.net “Medical definition of HIPAA.” Shiel, Jr., W.
- Nbcchicago.com “At least 50 Northwestern Hospital employees fired for accessing Smollett’s profile, records: sources.” Quraishi, A. March 7, 2019, updated March 8,2019.
- Nurse.org “Jussie Smollett case: 50 hospital workers fired for alleged HIPAA violations.” March 18, 2019, Wofford, P.
- Reliasmedia.com “Thirteen hospital workers fired for snooping in Britney Spears medical records.” May 1, 2008.