This week a case against University of Cincinnati Medical Center (UCMC) was presided over by Judge Jody Luebbers in the Hamilton County Common Pleas Court in relation to the posting of Protected Health Information of a patient on social media.
The incident that led to the lawsuit concerned the posting of a patient’s medical history by a woman employed in the financial services department at UCMC. The employee had accessed the medical records of the patient, taken a screenshot of the medical records and uploaded the image to her personal Facebook account. The image was then shared with the members of a Facebook group. The same image was also sent via email to the same individuals. The group in question is called “Team No Hoes.” The patient in question had contracted syphilis and was expecting a baby at the time.
The naming and shaming of the patient on social media was reviewed by the hospital as soon as the privacy violation was discovered. The employee was fired as a result of the investigation.
Cases involving vicarious liability are often taken by co-workers who have experienced sexual harassment in the workplace, or have otherwise come to harm as a consequence of actions or omissions of another person. However, typically an employer can only be found liable for the actions of a staff member if it can be demonstrated that the actions or omissions occurred during the course of employment while furthering the purpose of an employer. Judge Jody Luebbers found that under Ohio law there were no grounds to support the claim against the hospital.
While there is no doubt HIPAA Rules were breached by the hospital worker, the hospital was not found liable because the employee was not acting “within the scope of her employment.”
Healthcare providers have a duty of care to provide training on HIPAA Privacy and Security Rules to all members of staff who come into contact with PHI. Employees must be advised of the circumstances under which patient data can be accessed, used, and disclosed.
They should also be aware of the penalties for violating HIPAA Rules, as well as for violations of the organization’s privacy policies. The possible penalties for willful and accidental disclosure of protected data should also be outlined. Staff members should be told that the penalties can be severe, and may involve heavy fines and lengthy prison terms.
The rise in popularity of social media, and the ease with which posts can be broadcast, has inevitably led to the publication of some patients’ PHI by hospital employees. There isn’t much a healthcare provider can do to prevent this other than by providing training. However, it is vital to explain that the sharing of PHI via social media is also forbidden and is a violation of HIPAA Rules. This may seem obvious, but for some people – especially those in their early twenties or late teens – it may not be.
Some individuals may not view Facebook posts as constituting a violation of HIPAA Rules, especially if PHI is only shared between a closed group of friends.
Back in 2011, a similar incident happened when a temporary worker at the Providence Holy Cross Medical Center published a photograph of a patient on Facebook and made fun of her condition in the post. When asked about his actions, the member of staff said “People, it’s just Facebook…Not reality. Hello?” The Daily News reported that the person also said, “if you don’t like it too bad because it’s my wall and I’ll post what I want to.”