Do not let the following examples be you.
Explore This IssueOctober 2014
Case Studies in Mistakes
An emergency department physician in Rhode Island was fired, lost her hospital medical staff privileges, and was reprimanded by the Rhode Island Board of Medical Licensure and Discipline for posting information about a trauma patient on her personal Facebook page. According to the Rhode Island Board of Medical Licensure and Discipline, “[She] did not use patient names and had no intention [of revealing] any confidential patient information. However, … the nature of one person’s injury was such that the patient was identified by unauthorized third parties. As soon as it was brought to [her] attention that this had occurred, [the physician] deleted her Facebook account.” Despite the physician omitting what she thought was identifiable information about the patient from her post, she apparently did not omit enough information.
An OB-GYN in St. Louis took to Facebook to complain about her frustration with a patient: “So I have a patient who has chosen to either no-show or be late (sometimes hours) for all of her prenatal visits, ultrasounds, and NSTs. She is now three hours late for her induction. May I show up late to her delivery?”
This post was then commented on by another physician: “If it’s elective, it’d be canceled!”
The OB-GYN at issue then responded: “[H]ere is the explanation why I have put up with it/not cancelled induction: prior stillbirth.” Although the OB-GYN did not reveal the patient’s name, controversy erupted after someone posted a screenshot of the post and response comments to the hospital’s Facebook page. The hospital issued a statement indicating that its privacy compliance staff did not find the post to be a breach of privacy, but the hospital added it would use this opportunity to educate its staff about the appropriate use of social media. Many believe this physician got off too easy.
Penalties for Privacy Breaches
The penalties for patient privacy violations (or even alleged patient privacy violations) are multifaceted. Not only can the federal government impose civil and criminal sanctions under HIPAA on the physician and affiliated parties (e.g., physician’s employer, hospital), but states can also impose penalties. State-imposed penalties for patient privacy violations vary by state.
Additionally, the violating physician and affiliated parties may also be sued by the patient for privacy violations. Although HIPAA does not afford patients the right to bring a private cause of action against a physician, state law may grant patients such a right.