Ads 468x60px

Visit Julie's other blog Municipal Minute

Thursday, August 22, 2013

Social Media and the HIPAA Privacy Rule

Now might be a good time to reacquaint yourself and your employees about potential HIPAA privacy violations through social media.
A former Northwestern student is suing Dr. Vinaya Puppala, Northwestern Memorial Hospital, and the Feinberg School of Medicine for invasion of privacy and infliction of emotional distress, alleging that Dr. Puppala took pictures of her in the ER while she was being treated for "overconsumption of alcohol." At the time of the incident, Puppala was a fellow in the Multidisciplinary Pain Medicine Fellowship Program at Feinberg which is associated with Northwestern Memorial. Puppala came to see the plaintiff after a mutual friend told him she had been admitted into the ER. Puppala requested access to her medical records and then returned several hours later to take photos of the plaintiff "while she was on the hospital bed, crying, and attached to an IV." Security saw Puppala taking pictures and asked him to delete them immediately, but Puppala refused. Later, he uploaded the photos with comments to Facebook and Instagram. Four individuals recognized the plaintiff in Puppala’s photos. Plaintiff is suing for $1.5 million in compensatory and punitive damages. 
A civil tort suit may be just the beginning. The hospital and physician could potentially be subject to possible HIPAA sanctions. Unlike common tort claims for the invasion of privacy, a HIPAA claim does not require proof that a patient sustained actual harm or damage; evidence of a violation is enough to impose fines and corrective action. Thus, a HIPAA claim could prevail even if the plaintiff's suit proves unsuccessful.
The HIPAA Privacy Rule protects any information that can identify a patient which is related to the patient’s past, present, or future physical or mental health condition –including health services provided. The rule applies to physicians and hospitals alike. Full face photographs and images constitute protected patient information. Furthermore, health care professionals may only access patient information if he is directly involved in the patient’s care. A violation occurs if the information is communicated or sent to others with no official need. HIPAA penalties include sanctions, orders for corrective action, and monetary damages. Civil penalties range from $100 to $50,000 or more per violation, capping out at $1.5 million per calendar year for multiple violations of the same requirement. Criminal penalties for intentional violations where the individual willingly knows, obtains, and discloses protected patient information include a minimum $50,000 fee and up to one-year imprisonment.
The Office of Civil Rights (OCR), within the Department of Health and Human Services, officially enforces the HIPAA Privacy Rule. However, HITECH (the Health Information Technology for Economic and Clinical Health Act) authorizes the State Attorney General Offices to bring civil actions and obtain monetary damages on behalf of its residents for violations of the privacy rules. Thus, the Illinois Attorney’s General Office could file a complaint with the OCR against Dr. Puppala and Northwestern Memorial even if the plaintiff in this case elects not to. 
Currently, there’s been no mention of administrative action against the defendants, but the potential is there. Assuming the facts are true, sharing photos of a patient to whom Puppula was not medically responsible for over a social networking site could arguably constitute a HIPAA privacy violation. Additionally, a case could be made to impose criminal penalties on Puppula since he willingly and knowingly disclosed protected patient information.
So what’s the big take away? Besides the painfully obvious – but it bears repeating anyway, clinicians shouldn't take pictures of their patients and post them on social media sites – compliance officers should incorporate social media issues into HIPAA training. A good number of today’s rising health care professionals are members of the Facebook generation where the oversharing of information is the norm. Thus, a key component to HIPAA instruction should include a discussion on privacy violations that can be made through social media, texting, and other online platforms like personal and professional blogs. Additionally, compliance officers need to emphasize why social media-HIPAA compliance is critical not only for patient care but to protect one’s professional livelihood.
Post Authored by Joy Austria and Julie Tappendorf, Ancel Glink

1 comment:

  1. This comment has been removed by a blog administrator.




Blog comments do not reflect the views or opinions of the Author or Ancel Glink. Some of the content of this blog may be considered attorney advertising material under the applicable rules of certain states. Prior results do not guarantee a similar outcome. Please read our full disclaimer.