Doctor Sanctioned Over Social Media HIPAA Violations

A San Antonio, TX-based doctor has been sanctioned by the Texas Medical Board for social media HIPAA compliance violations after retaliating against a patient by posting a video testimonial of the patient on Facebook and YouTube.

The video of the patient in her underwear clearly showed the patient’s face, allowing her to be identified. However, prior permission to use the video had not been obtained from the patient.

Dr. Tinuade Olusegun-Gbadehan from the Dr. O Medical and Wellness Center had been given authorization to record the video and use it for “the purposes of medical audit, education, and promotion,” but only anonymously. Use of the video without first deidentifying the patient was a breach of HIPAA Rules.

The patient, Clara Aragon-Delk, filed a complaint with the Texas Medical Board against the doctor claiming Olusegun-Gbadehan disseminated the video without her consent. The patient alleges the video was shared on social media sites and also with a third party.

According to the complaint, the patient had a billing dispute with the Dr. O Medical and Wellness Center and contacted the merchant processing company – Stripe – about the charges. In response to the complaint, Olusegun-Gbadehan is alleged to have sent Stripe documentation relating to the treatment provided and also a link to the video, a further violation of HIPAA Rules.

Dr. Tinuade Olusegun-Gbadehan has neither denied nor admitted the social media HIPAA violations, nor any unauthorized use of the patient’s PHI. However, Olusegun-Gbadehan has entered into a mediated agreed order with the Texas Medical Board and has agreed to the sanctions imposed. The decision was allegedly taken to avoid a time-consuming and expensive hearing process.

The Texas Medical Board concurred with the patient that the use of the video without authorization was a breach of HIPAA Rules and was unprofessional. The Medical Board also said a breach of privacy occurred when the video was shared with the merchant processing company.

The sanctions involve Olusegun-Gbadehan retaking the Texas Medical Jurisprudence Examination, which covers, amongst other things, HIPAA Rules and patient privacy.

Doctors should be aware that HIPAA Rules apply to the use of identifiable protected health information on social media websites, which includes photographs and videos. The information and images cannot be posted without prior patient consent. Even in the absence of any names or other text, face shots of patients are classed as personally identifiable information and cannot be used for promotion.

Social media HIPAA violations can carry stiff penalties. If a doctor is discovered to have shared PHI without consent, OCR and state attorneys general could impose financial penalties. Willful neglect of HIPAA Rules can carry a fine in excess of $50,000.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news