Case Study: HIPAA and Social Media Disclosures of PHI

Social media is everywhere, and it has made communicating with each other much easier and more convenient. That same ease of use also makes violating HIPAA easier. Posting or sharing protected health information (PHI) online without the patient’s authorization is a HIPAA violation. In this case study, we show how a single Twitter post exposed one medical group to a lawsuit and possible federal penalties. HIPAA and social media don’t mix well. The case also illustrates why employees who have no need to access a patient’s records must not be able to do so.

What happened?

Gina Graziano, a patient of Northwestern Medicine Regional Medical Group (NMRMG), is suing for a breach of privacy of her medical records. She has alleged that a hospital employee, Jessica Wagner, accessed Graziano’s medical records. Wagner then posted on Twitter about the procedures and treatments that Graziano had received at NMRMG.

The records contained sensitive information such as the reason for a recent visit to the emergency room, lab results, medications, medical history, imaging results, and other information.

“I was humiliated,” Graziano said. “Embarrassed.”

Jessica Wagner, as it was later discovered, is the girlfriend of Graziano’s ex-boyfriend, David Worth. Wagner reviewed the records for 37 minutes on March 5 and 6 of 2018. She later provided the information to Worth.

What was the result?

NMRMG investigated internally and sent Graziano a letter acknowledging that an employee had inappropriately accessed her records on March 5 and 6.

According to a police report, Wagner was fired for the incident.

Graziano then filed a lawsuit against NMRMG.

Ted Diamantopoulos, attorney for Graziano, said, “It’s a complete invasion of my client’s privacy. When a patient goes to a hospital, they expect to have their medical records private.”

“They were treating me for something I didn’t want anybody to know about,” Graziano said. “Northwestern needs better policies in place for their staff to understand what HIPAA really means.”

The following statement was released by NMRMG:

“Protecting the confidentiality of patient information is essential to our mission. Employees are trained to comply with privacy laws and face disciplinary action in accordance with our privacy policy for any violation. Regarding this specific incident, we do not comment on pending litigation.”

The Department of Health and Human Services (HHS) has also been notified of the breach, which would likely trigger an investigation in a high-profile case like this one.

What is the best way to handle HIPAA and social media?

This case shows two major issues in protecting patient data. The first is unauthorized access. Practices must have policies governing which employees may access medical records, and for what purpose, and employees must be trained on those policies.

The next step is regular auditing of access logs to ensure that no one is accessing the records of patients for whom they have no treatment-related need. Accesses with no corresponding appointment or care assignment, and unusually long viewing sessions of a single chart, are the signals to look for.
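As an added example of the access-log audit described above (not code from NMRMG, the article, or any EHR vendor), the script below runs a treatment-relationship check over a constructed EHR access log. It assumes two hypothetical inputs: a log of who opened which chart, when, and for how long, and a table of which staff had a clinical reason (an appointment or care assignment) to view which patient during which dates. Any access without a matching relationship at the time of access is flagged, as is any user who spends an unusually long total time in one patient's chart. All names, medical record numbers (MRNs), timestamps, and field names are invented for the example.

```python
"""Treatment-relationship audit of EHR access logs (added, hypothetical example).

The log format (timestamp followed by key=value fields) and the relationship
table are assumptions for this example, not a real EHR's export format.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample access log (not real data). One line per chart view:
# ISO timestamp, user id, patient MRN, minutes spent, chart section viewed.
ACCESS_LOG = """\
2024-03-05T09:12:00 user=nurse_a mrn=1001 minutes=4 section=medications
2024-03-05T09:30:00 user=clerk_b mrn=1002 minutes=22 section=ed_notes
2024-03-05T10:05:00 user=clerk_b mrn=1002 minutes=15 section=lab_results
2024-03-06T14:20:00 user=dr_c mrn=1001 minutes=9 section=imaging
2024-03-06T15:00:00 user=clerk_b mrn=1003 minutes=2 section=demographics
2024-03-08T09:00:00 user=clerk_b mrn=1003 minutes=3 section=demographics
"""

# Constructed treatment relationships: (user, mrn, first_day, last_day), both
# days inclusive. A clinician on the care team gets a window around the visit;
# a registration clerk gets a short window around the day they check a patient in.
RELATIONSHIPS = [
    ("nurse_a", 1001, "2024-03-04", "2024-03-10"),
    ("dr_c", 1001, "2024-03-04", "2024-03-10"),
    ("clerk_b", 1003, "2024-03-06", "2024-03-07"),
]

# Cumulative minutes one user spends in one patient's chart before we ask why.
LONG_SESSION_MINUTES = 30


@dataclass(frozen=True)
class Access:
    when: datetime
    user: str
    mrn: int
    minutes: int
    section: str


def parse_log(text: str) -> list[Access]:
    """Parse the assumed 'timestamp key=value ...' log lines into Access records."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, *tokens = line.split()
        fields = dict(token.split("=", 1) for token in tokens)
        entries.append(Access(
            when=datetime.fromisoformat(timestamp),
            user=fields["user"],
            mrn=int(fields["mrn"]),
            minutes=int(fields["minutes"]),
            section=fields["section"],
        ))
    return entries


def has_relationship(relationships, user: str, mrn: int, when: datetime) -> bool:
    """True if `user` had a documented reason to view `mrn` at time `when`."""
    for rel_user, rel_mrn, first_day, last_day in relationships:
        if rel_user != user or rel_mrn != mrn:
            continue
        start = datetime.fromisoformat(first_day)
        end = datetime.fromisoformat(last_day) + timedelta(days=1)  # inclusive last day
        if start <= when < end:
            return True
    return False


def audit(log: list[Access], relationships, long_minutes: int = LONG_SESSION_MINUTES) -> dict:
    """Flag accesses with no treatment relationship and long per-chart sessions."""
    unauthorized = []
    minutes_by_pair = defaultdict(int)
    for access in log:
        minutes_by_pair[(access.user, access.mrn)] += access.minutes
        if not has_relationship(relationships, access.user, access.mrn, access.when):
            unauthorized.append(access)
    long_sessions = {pair: total for pair, total in minutes_by_pair.items()
                     if total >= long_minutes}
    return {"unauthorized": unauthorized, "long_sessions": long_sessions}


def report(findings: dict) -> list[str]:
    """Human-readable lines for the privacy officer's review queue."""
    lines = [f"NO RELATIONSHIP {a.when.isoformat()} {a.user} viewed MRN {a.mrn} ({a.section}, {a.minutes} min)"
             for a in findings["unauthorized"]]
    lines += [f"LONG SESSION {user} spent {total} min in MRN {mrn}"
              for (user, mrn), total in findings["long_sessions"].items()]
    return lines


if __name__ == "__main__":
    for line in report(audit(parse_log(ACCESS_LOG), RELATIONSHIPS)):
        print(line)
```

In the constructed data, clerk_b's two views of MRN 1002 have no relationship at all and add up to a long session, and the later view of MRN 1003 falls after the clerk's registration window expired, so it is flagged even though an earlier view of the same chart was legitimate. A real deployment would source the relationship table from scheduling and care-team assignments and would add a "break-the-glass" path that lets an emergency access through with a recorded justification, rather than blocking or silently flagging it.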

For social media, it is best to avoid all patient interaction. If a patient posts that they will be seeing the office staff on a specific day for an appointment, do not reply. A reply would confirm that the person is a patient of the practice, which is itself PHI, and would therefore be a HIPAA violation.

Social media should be used to advertise the practice’s services. Posting patient data such as success stories is permissible only if the patient has given written authorization beforehand.

Don’t let a simple mistake cost your practice in the form of lawsuits and fines.