They posted discussions about patients on Facebook. A hospital in California will fire five of its employees and initiate disciplinary proceedings against another because they used social media to post personal discussions about the hospital's patients, according to a post on www.healthcareinfosecurity.com. An ongoing investigation at the hospital -- Tri-City Medical Center in Oceanside -- "has not yet identified any evidence that patient names, photographs, or similar identifying information was posted by these employees," according to a statement from Larry Anderson, CEO. "But our investigation yielded sufficient information to warrant disciplinary action," it said on the post. When asked, a hospital spokesman declined to provide any further details. Under the new HIPAA privacy rule, which was further toughened by the HITECH Act, it is now mandatory to obtain patients' permission before disclosing their private information. At the time when the news was posted on the website, The California Department of Public Health was still conducting an investigation of the incident, according to a spokesman of the department who declined to provide any further details. To help prevent similar incidents in the future, Anderson said the hospital is "re-emphasizing, through employee training and education, the hospital's and the employees' ongoing commitment and obligation to protect our patients' privacy." Nationwide, a number of healthcare organizations are developing specific security policies for the use of social media by their employees. For example, Adventist Health System recently spent six months crafting a detailed social media usage policy, says Sharon Finney, corporate data security officer at Adventist. (Editor's note: Read the complete post at: www.healthcareinfosecurity.com/articles.php?art_id=2622.)