Social Media HIPAA Violation: Healthcare Provider Not Liable

Nov 14, 2015

This week, Judge Jody Luebbers presided over a case against University of Cincinnati Medical Center (UCMC) in the Hamilton County Common Pleas Court concerning the posting of a patient's Protected Health Information on social media.

The incident that led to the lawsuit concerned the posting of a patient’s medical history by a woman employed in the financial services department at UCMC. The employee had accessed the medical records of the patient, taken a screenshot of the medical records and uploaded the image to her personal Facebook account. The image was then shared with the members of a Facebook group. The same image was also sent via email to the same individuals. The group in question is called “Team No Hoes.” The patient in question had contracted syphilis and was expecting a baby at the time.

The naming and shaming of the patient on social media was reviewed by the hospital as soon as the privacy violation was discovered. The employee was fired as a result of the investigation.

Cases involving vicarious liability are often brought by co-workers who have experienced sexual harassment in the workplace, or have otherwise come to harm as a consequence of the actions or omissions of another person. However, an employer can typically only be found liable for the actions of a staff member if it can be demonstrated that the actions or omissions occurred during the course of employment while furthering the purpose of the employer. Judge Jody Luebbers found that under Ohio law there were no grounds to support the claim against the hospital.

While there is no doubt HIPAA Rules were breached by the hospital worker, the hospital was not found liable because the employee was not acting “within the scope of her employment.”

Healthcare providers have a duty of care to provide training on HIPAA Privacy and Security Rules to all members of staff who come into contact with PHI. Employees must be advised of the circumstances under which patient data can be accessed, used, and disclosed.

They should also be aware of the penalties for violating HIPAA Rules, as well as for violations of the organization’s privacy policies. The possible penalties for willful and accidental disclosure of protected data should also be outlined. Staff members should be told that the penalties can be severe, and may involve heavy fines and lengthy prison terms.

The rise in popularity of social media, and the ease with which posts can be broadcast, has inevitably led to the publication of some patients’ PHI by hospital employees. There isn’t much a healthcare provider can do to prevent this other than by providing training. However, it is vital to explain that the sharing of PHI via social media is also forbidden and is a violation of HIPAA Rules. This may seem obvious, but for some people – especially those in their early twenties or late teens – it may not be.

Some individuals may not view Facebook posts as constituting a violation of HIPAA Rules, especially if PHI is only shared between a closed group of friends.

Back in 2011, a similar incident happened when a temporary worker at the Providence Holy Cross Medical Center published a photograph of a patient on Facebook and made fun of her condition in the post. When asked about his actions, the member of staff said “People, it’s just Facebook…Not reality. Hello?” The Daily News reported that the person also said, “if you don’t like it too bad because it’s my wall and I’ll post what I want to.”


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University.
