Ads 468x60px

Visit Julie's other blog Municipal Minute

Thursday, August 22, 2013

Social Media and the HIPAA Privacy Rule


Now might be a good time to reacquaint yourself and your employees about potential HIPAA privacy violations through social media.
A former Northwestern student is suing Dr. Vinaya Puppala, Northwestern Memorial Hospital, and the Feinberg School of Medicine for invasion of privacy and infliction of emotional distress, alleging that Dr. Puppala took pictures of her in the ER while she was being treated for "overconsumption of alcohol." At the time of the incident, Puppala was a fellow in the Multidisciplinary Pain Medicine Fellowship Program at Feinberg which is associated with Northwestern Memorial. Puppala came to see the plaintiff after a mutual friend told him she had been admitted into the ER. Puppala requested access to her medical records and then returned several hours later to take photos of the plaintiff "while she was on the hospital bed, crying, and attached to an IV." Security saw Puppala taking pictures and asked him to delete them immediately, but Puppala refused. Later, he uploaded the photos with comments to Facebook and Instagram. Four individuals recognized the plaintiff in Puppala’s photos. Plaintiff is suing for $1.5 million in compensatory and punitive damages. 
A civil tort suit may be just the beginning. The hospital and physician could potentially be subject to possible HIPAA sanctions. Unlike common tort claims for the invasion of privacy, a HIPAA claim does not require proof that a patient sustained actual harm or damage; evidence of a violation is enough to impose fines and corrective action. Thus, a HIPAA claim could prevail even if the plaintiff's suit proves unsuccessful.
 
The HIPAA Privacy Rule protects any information that can identify a patient which is related to the patient’s past, present, or future physical or mental health condition –including health services provided. The rule applies to physicians and hospitals alike. Full face photographs and images constitute protected patient information. Furthermore, health care professionals may only access patient information if he is directly involved in the patient’s care. A violation occurs if the information is communicated or sent to others with no official need. HIPAA penalties include sanctions, orders for corrective action, and monetary damages. Civil penalties range from $100 to $50,000 or more per violation, capping out at $1.5 million per calendar year for multiple violations of the same requirement. Criminal penalties for intentional violations where the individual willingly knows, obtains, and discloses protected patient information include a minimum $50,000 fee and up to one-year imprisonment.
 
The Office of Civil Rights (OCR), within the Department of Health and Human Services, officially enforces the HIPAA Privacy Rule. However, HITECH (the Health Information Technology for Economic and Clinical Health Act) authorizes the State Attorney General Offices to bring civil actions and obtain monetary damages on behalf of its residents for violations of the privacy rules. Thus, the Illinois Attorney’s General Office could file a complaint with the OCR against Dr. Puppala and Northwestern Memorial even if the plaintiff in this case elects not to. 
 
Currently, there’s been no mention of administrative action against the defendants, but the potential is there. Assuming the facts are true, sharing photos of a patient to whom Puppula was not medically responsible for over a social networking site could arguably constitute a HIPAA privacy violation. Additionally, a case could be made to impose criminal penalties on Puppula since he willingly and knowingly disclosed protected patient information.
 
So what’s the big take away? Besides the painfully obvious – but it bears repeating anyway, clinicians shouldn't take pictures of their patients and post them on social media sites – compliance officers should incorporate social media issues into HIPAA training. A good number of today’s rising health care professionals are members of the Facebook generation where the oversharing of information is the norm. Thus, a key component to HIPAA instruction should include a discussion on privacy violations that can be made through social media, texting, and other online platforms like personal and professional blogs. Additionally, compliance officers need to emphasize why social media-HIPAA compliance is critical not only for patient care but to protect one’s professional livelihood.
 
Post Authored by Joy Austria and Julie Tappendorf, Ancel Glink

Tuesday, August 13, 2013

Lawyer Disciplined for Advising Client to Clean up Facebook Page

A lawyer in Virginia had his law license suspended last month for five years after he advised his client to clean up his Facebook page.  The lawyer was representing a plaintiff in a lawsuit brought against a driver who allegedly caused the death of his wife.  Shortly after the defense filed discovery requests for screen shots and other information from the plaintiff's Facebook page, the Virginia lawyer instructed his paralegal to tell the client to delete certain photos.  The defense lawyers recovered the deleted photos before trial, and the lawyer was brought before the state bar disciplinary board for violation of ethical rules governing candor toward the tribunal, fairness to opposing party and counsel, and misconduct.  

Thursday, August 8, 2013

Teen's Conviction of Harassment for Facebook Post is Upheld

A Pennsylvania court recently upheld a teen's conviction for the crime of harassment after she appealed the jury verdict against her. Commonwealth v. Cox.  The 18 year old had posted a comment on her Facebook page that the 15 year old victim "has herpes, Ew, that's gross. She should stop spreading her legs like her mother." The post received several "likes" from Cox's friends before it was deleted. The victim's mother reported the post to police, and the 18 year old was charged with the crime of harassment, which makes it illegal to communicate "to or about such other person any lewd, lascivious, threatening or obscene words, language, drawings or caricatures" with the intent to harass, annoy, or alarm the other person.  A jury found the teen guilty of harassment, and sentenced her to 6 months probation.
 
The teen appealed, and the appellate court upheld the conviction, finding that the evidence was sufficient to support the verdict and that the defense provided no evidence that the posting was for any other purpose than harassment of the victim.  “Contrary to Cox’s view and in light of the totality of the evidence, her misuse of the internet and social media was criminal,” the appellate court ruled.
 

Disclaimer

Blog comments do not reflect the views or opinions of the Author or Ancel Glink. Some of the content of this blog may be considered attorney advertising material under the applicable rules of certain states. Prior results do not guarantee a similar outcome. Please read our full disclaimer.