# HIPAA & Facebook



## hnroberts (Aug 22, 2012)

I would like some input in regards to a situation that came up recently at my office.  An employee had posted on Facebook about a patient who had died earlier that same day.  This employee used the patient's full name, but didn't state that the person was a patient or a diagnosis.  The employee does have the office listed as the employer.  

I brought the situation to management's attention, but it seems - according to management, that because the post was done after work hours and the newly deceased patient was a friend of a friend, it's somehow acceptable. 

My interpretation of HIPAA is that a patient's name is NEVER to be disclosed like this, especially on Facebook.  Is my interpretation incorrect?  Is it not a breach of patient confidentiality to post the patient's full name like this?  

I know what I believe to be correct, but I would like some other perspectives.  Thanks!


----------



## chasarmil (Aug 22, 2012)

I think it depends on how she knew about the death.  Did she find out because of something at work or did she find out because a friend told her?
If was because of something at work, then it would be a HIPAA issue.


----------



## hnroberts (Aug 22, 2012)

The employee found out at work.  There had been no confirmation that the family had been contacted and made aware of the patient's death yet when the post was made.  Even if the employee had found out through a friend of a friend, how does that make it right to post the patient's full name on Facebook?


----------



## Donna T (Aug 22, 2012)

Sounds like a HIPAA violation to me.  How is that any different than if I see a relative of mine was in the hospital and when I get home I post a get well on Facebook?!  I found out at work and wouldn't have known if I didn't see it in the course of doing my job so I'd be in violation of HIPAA.  I'd definitely pursue this.


----------



## mitchellde (Aug 22, 2012)

If you recall there was a HIPAA case like this a few years back when a celebrity was in the hospital and a hospital employee put the information on facebook.  It was a HIPAA violation then and this is no different.


----------



## hnroberts (Aug 22, 2012)

First I would like to thank everyone for the input.  I'm glad to see that my feelings about this situation are not unwarranted and are vaild concerns.  Does anyone know of specific documentation that I can take to my higer-ups and express how serious this is and that is has to be adressed?  I'm finding it a little difficult to find specifics.  Thanks again!


----------



## cingram (Aug 22, 2012)

I think that if the employee knew the patient then there is no violation. but putting something on facebook before the family knows is just uneithcial. This is why in the military if someone dies they cut off all the phone lines or any access the communication until the family is notified. The family has the RIGHT to be the first to know


----------



## hnroberts (Aug 22, 2012)

The employee met the patient through the office setting. It wasn't until later that it was discovered there was a "friend of a friend" connection between the employee and the patient.


----------



## mitchellde (Aug 22, 2012)

cingram said:


> I think that if the employee knew the patient then there is no violation. but putting something on facebook before the family knows is just uneithcial. This is why in the military if someone dies they cut off all the phone lines or any access the communication until the family is notified. The family has the RIGHT to be the first to know



Knowing the patient still does not make it right.  Information gained thru your position in a medical office may not be communicated except as it relates to  your official job capacity.  Posting on facebook in no way relates to her job.  A person that knew me talked to a radio person regarding my sons injuries when he was hospitalize with life threatening injuries.  The radio person then put it out on the air.  She was fired for a violation of HIPAA.  Did I mind that she did this ... YES!  Did it bother me that she was fired for this... not really!
You cannot use your position for personal knowledge.


----------



## cingram (Aug 22, 2012)

mitchellde said:


> Knowing the patient still does not make it right.  Information gained thru your position in a medical office may not be communicated except as it relates to  your official job capacity.  Posting on facebook in no way relates to her job.  A person that knew me talked to a radio person regarding my sons injuries when he was hospitalize with life threatening injuries.  The radio person then put it out on the air.  She was fired for a violation of HIPAA.  Did I mind that she did this ... YES!  Did it bother me that she was fired for this... not really!
> You cannot use your position for personal knowledge.



so you mean to tell me if your grandma was a patient at the office you work at passes away you cant post it on facebook? Its the same scenerio.


----------



## mitchellde (Aug 22, 2012)

Thats what I am saying.  It would not be allowable for you to be the one to post this information.


----------



## hnroberts (Aug 22, 2012)

cingram said:


> so you mean to tell me if your grandma was a patient at the office you work at passes away you cant post it on facebook? Its the same scenerio.



It's not the same scenario.  This employee was not related to the patient, and had no direct personal connection to the patient except for a professional one in the office.  Had the employee posted something about the death and only used the patient's first name, or even the initials, this wouldn't be such a concern to me.  The employee used the patient's ENTIRE name.  The only reason the employee knew about the patient's death was because the office was notified by the hospital nurses who were on when the patient passed.  Working in the medical field, I feel we are held to different standards.  I don't care if my mother were a patient in my office, I wouldn't post her name saying I saw her at work.  Those are the ethical standards I hold myself to.  Perhaps it's too much to expect others to hold themselves to the same or even similar standards.
Whatever the relationship was or wasn't between the employee and the patient, I feel like it was not only a breach of confidentiality to use the patient's entire name in a post on facebook, but it was in bad taste to do so before there was verification that the family had been notified.  Had the obituary been published, at least then it would have been public knowledge, but even at that point in time I don't think the patient's name should have been used.


----------



## cingram (Aug 22, 2012)

I guess it really depends on who is the one that is going to be reviewing this. It was only a name that was put out not diagnosis or medical history. Im not trying to defend what was done Im just trying to give another point of view. I do agree that is was not right what was done. Remember HIPAA just went though some changes which makes it easier to obtain medical records. When I went to the seminar in oct now as long as you are related you can obtain medical records unless the patient specifically says they dont want you to have them. At least thats what the lecturer said and he is a HIPAA lawyer. So in the end it depends on who you reviewing this.


----------



## Pam Brooks (Aug 23, 2012)

cingram said:


> I guess it really depends on who is the one that is going to be reviewing this. It was only a name that was put out not diagnosis or medical history. Im not trying to defend what was done Im just trying to give another point of view. I do agree that is was not right what was done. Remember HIPAA just went though some changes which makes it easier to obtain medical records. When I went to the seminar in oct now as long as you are related you can obtain medical records unless the patient specifically says they dont want you to have them. At least thats what the lecturer said and he is a HIPAA lawyer. So in the end it depends on who you reviewing this.


 
I can't believe an attorney said this. You cannot release records to anyone without prior written permission. I can't even get my husband's records without permission. I think you may have gotten bad advice.

To the other issue of facebook posting....the releasing of any information gained through employment in a medical setting, whether it be first name, initial or even through another method that could even suggest potential identification of a patient and their medical condition or demise is a breach of protected medical information. This employee should be terminated at once. And yes, if your grandma is a patient at your office, and she dies, and you take it upon yourself to be the one to post that information in public media...you are putting yourself at significant risk. Let someone else do the posting, because if your compliance officer got wind of it, you could lose your job, simply because of the patient connection. It's not worth the risk. 
As certified coders, we are held to a particularly high standard of ethics. To post work-related information on Facebook, Twitter or other public media is a foolish career move to say the least. If you have to gossip, pick another topic, but leave your patients out of it. 

I cannot believe anyone thinks this is OK.


----------



## Donna T (Aug 23, 2012)

*Facebook*



cingram said:


> so you mean to tell me if your grandma was a patient at the office you work at passes away you cant post it on facebook? Its the same scenerio.



You are talking about 2 different things.  In your scenario the fact that my grandmother comes to my office isn't relevant.  I'd know she passed away because she's my grandmother and not because she is a patient at my office.  This woman wouldn't have known the patient died if she didn't find out through the course of doing her job and therefore by posting on Facebook before her family even knew was a violation.


----------



## cingram (Aug 23, 2012)

The attourney that said this, said its perfectly legal by the new HIPAA laws going into place although most offices will require permission. but by HIPAA as long as your are an immediate family you can request it and they have to give it to you but you will have to provide proof of the law.


----------



## sdeaton (Aug 28, 2012)

I agree Pam Brooks... BIG BIG BIG VIOLATION of the HIPAA Privacy Rule!  If a person is a patient where you work, even if that patient is a relative, friend, neighbor or otherwise, publicizing their name or any other of the 18 PHI elements is a violation.  Compliance with the HIPAA rule does not change after hours.  Even when deceased!!  This is considered a serious privacy breach and if this were my employee, they would be FIRED on the spot!!  

We also have a policy that informs employees that they should have no expectation of privacy where personal and company electronics are concerned in the workplace, including but not limited to "public" conversations/posts (after hours) that violate office policies or that reflect badly on the employer and specifically if they reveal private or confidential or proprietary information about the employer or patients.  Being fired for this behavior also makes drawing unemployment virtually impossible!

The new HIPAA rules DO NOT change the current regulations regarding privacy.  In fact, they enhance the existing rules.  I suggest that anyone who believes otherwise should read them thoroughly.


----------



## JudyW (Aug 29, 2012)

I agree with Susan anyone who believes you can give PHI toa family member without the patients consent needs to go and read the rules.  I also agree that the posting on facebook was also a violation of HIPAA and if she worked for me she would be FIRED on the spot.  Just my 2 cents.


----------



## hnroberts (Aug 30, 2012)

Does anyone have a link to any specifics, in black and white, that I can have for my own records and possibly present to management to convince them that this really IS a big deal and a HUGE no no?  I've found quite a few things stating that the patient's name is PHI, but I'm trying to find something relating to similar scenarios with social media & PHI disclosures.

 I was told by my manager "During our investigation it was discovered that (the employee) learned about the patient's death through posts on Facebook by other people.  Since (the employee) was not the first person to post something about it on Facebook, and because it was done after hours, this is not a violation of HIPAA.  Also, the lawyer agreed that this was not a violation."  I am higly suspect of the suggestion that the lawyer was even consulted.  

Short of me filing a complaint with HHS, I don't think my management will do much more about this.


----------



## sdeaton (Aug 30, 2012)

hnroberts said:


> Does anyone have a link to any specifics, in black and white, that I can have for my own records and possibly present to management to convince them that this really IS a big deal and a HUGE no no?  I've found quite a few things stating that the patient's name is PHI, but I'm trying to find something relating to similar scenarios with social media & PHI disclosures.
> 
> I was told by my manager "During our investigation it was discovered that (the employee) learned about the patient's death through posts on Facebook by other people.  Since (the employee) was not the first person to post something about it on Facebook, and because it was done after hours, this is not a violation of HIPAA.  Also, the lawyer agreed that this was not a violation."  I am higly suspect of the suggestion that the lawyer was even consulted.
> 
> Short of me filing a complaint with HHS, I don't think my management will do much more about this.



You are not immune from HIPAA after hours.  And the employee would have to PROVE he/she wasn't the first to use the patient's name.  Even then, posting a patient's name or any other information related to patients or where you work on any social media is unwise and very unprofessional.

You can start here and work your way to the Federal Register through the additional links on this site.  http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html

Hope this helps!


----------



## hnroberts (Aug 30, 2012)

Thanks so much Susan!  You took the words right out of my mouth!


----------



## rryder1963 (Aug 30, 2012)

*HIPPA Plain and Simple:   by Carolyn P. Hartley, MLA, CHP and Edward D. Jones III*

I am truly dumbfounded that some felt this facebook posting was acceptable including management of a healthcare facility!  As an employee of an healthcare provider the protection of PHI should be first and foremost, regardless if the employee knows the patient as a friend, "as a friend of a friend", or is related to the patient or if is it done outside of regular office hours or not.  

I would like to suggest if you're friended with your employer on Facebook, unfriend them right now!  The conflicts that can arise because of this particualr friending can be criminal.  It's simply not worth the risk--stop and think before you post ANYTHING on the Internet because once it's out there-it's there for good and often with consequences, ggod and bad.

In other words keep your private life private and separate from your professional life.  But if you must be linked vitrually to your employer and your relatives are patients of your employer, have another family member post news of health concerns or the death announcement.  

Check out the book I mentioned in the title of this post.  It is available from the AMA and should be a MUST have for those in the health care industry.


----------



## rryder1963 (Aug 30, 2012)

*Double Check your sources*

Regarding the advise of the lawyer about release of PHI, always, always, always check your sources.  Lawyers and vendors often give out "advice" that is outdated or not quite on the mark.  I've heard a lot of creative interpetations over the years. Oftentimes, the advise is given without complete knowledge of coding and billing guidelines such as NCCI edits as just one example. 

When attending a seminar or workshop, does the presenter offer his/her sources or back up documentation that supports their POV?  If not, can they get them for you?


----------



## sdeaton (Sep 11, 2012)

*HIPAA Plain & Simple*



rryder1963 said:


> I am truly dumbfounded that some felt this facebook posting was acceptable including management of a healthcare facility!  As an employee of an healthcare provider the protection of PHI should be first and foremost, regardless if the employee knows the patient as a friend, "as a friend of a friend", or is related to the patient or if is it done outside of regular office hours or not.
> 
> I would like to suggest if you're friended with your employer on Facebook, unfriend them right now!  The conflicts that can arise because of this particualr friending can be criminal.  It's simply not worth the risk--stop and think before you post ANYTHING on the Internet because once it's out there-it's there for good and often with consequences, ggod and bad.
> 
> ...



*rryder1963*.. I love this book... the first edition you mentioned in your post was my first HIPAA BIBLE.  Now, there is a second edition that includes HITECH legislation.  I highly recommend both books! 

HIPAA Plain & Simple: A Healthcare Professionals Guide to Achieve HIPAA and HITECH Compliance by Carolyn P. Hartley, Edward D., III Jones, Louis W. Sullivan and David J., M.D., Ph.D. Brailer (Sep 30, 2010)


----------



## Lashel (Sep 26, 2012)

I think the relationship with the patient/friend is key here. Like someone stated previously, if your good friend or relative is a patient in the office you work in, and dies, and you post something about it on Facebook, I don't think that is always a HIPAA violation. 

I feel it is a HIPAA violation when a person knows what they know because they got that information from the clinic they work in. Just because I post "poor granny has the flu" and she happens to be a patient where I work, does not mean that I only know that because she visited the clinic. If granny called to tell me she has the flu and I post "poor granny has the flu" that has nothing to do with my clinic. I would certainly suggest to folks that they be very careful with what they say about any friend or relative who also happens to be a patient where you work. 

Lashel
CPC, CPC-I, CEMC


----------

