Liability for PHI Disclosure on Social Media Websites

Who is liable for PHI disclosure on social media if an employee of a healthcare provider uploads a photo of a medical record to a Facebook account? Can the healthcare provider be sued for the improper disclosure? Where does liability for PHI disclosure lie?

According to a Hamilton County Common Pleas Court judge, the healthcare provider is not liable. The plaintiff must seek damages from the individual responsible for exposing Protected Health Information.

The recent ruling was made after a patient of University of Cincinnati Medical Center had her privacy violated by a former employee of the medical center in September 2013. The patient in question had contracted syphilis and was pregnant at the time of her visit. Her medical records were updated with her diagnosis – maternal syphilis – and this attracted the attention of a young member of the billing department staff.

That employee took a photo of the woman’s medical records and posted the image to a Facebook group called “Team No Hoes”. She also emailed the photo to members of the group. The employee may have had a legitimate reason for accessing the patient’s medical records, but this was a clear violation of patient privacy, and a breach of HIPAA Rules. HIPAA does not permit the sharing of PHI without consent of the patient first being obtained.

University of Cincinnati Medical Center staff were alerted to the privacy violation and took action. The billing department employee, who was in her early 20s, was fired for the privacy breach a week later. However, the patient filed a lawsuit seeking damages from UCMC for the mental distress that the incident caused. According to the patient’s attorney, this disclosure resulted in the patient becoming depressed, a condition she still suffers from.

In this case, UCMC was cleared of liability for PHI disclosure, which may seem perfectly reasonable. UCMC did not sanction the posting of PHI, policies at the hospital forbade such actions, and at no point was the employee instructed to use social media websites for her job. The judge ruled that the employee had not been acting “within the scope of her employment.” The employee personally took the decision to post the information to her Facebook account.

In cases such as this, employers do not necessarily escape liability for PHI disclosure. Whether an employer is liable will depend on the specifics of each case. The law does allow cases to be filed against employers for the actions of one of their employees. If social media policies had not been put in place, if an employee had not received training on HIPAA Rules, or if an employee had not been instructed on hospital policies before such an action took place, liability for PHI disclosure may lie with the employer.

To protect against liability for PHI disclosure by employees, HIPAA covered entities should make sure that social media policies are issued to members of staff informing them of the permissible uses of the websites. They must also receive training on HIPAA Rules, including the penalties that can be applied for improper disclosure. Under HIPAA Rules, an employee could be issued with a stiff financial penalty in addition to a prison sentence. Being informed of those penalties may deter employees from inappropriately sharing confidential data and prevent such privacy breaches from occurring.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news