Will you be on the hook if one of your employees posts PHI on Facebook? It depends on your existing HIPAA policies and procedures, a recent court decision suggests.
An Ohio court judge ruled that the University of Cincinnati Medical Center is not liable for a former employee’s HIPAA violation in divulging a patient’s protected health information on Facebook, according to a Nixon Peabody blog posting by partner attorney Rebecca Simone.
While working for the UCMC’s financial services department, the employee allegedly accessed patient medical records for personal viewing and posted a screenshot of the records on the social media site. The screenshot revealed that a certain patient had a sexually transmitted disease.
As a result, UCMC fired the employee and the patient pressed charges against both the former employee and UCMC. In the case against UCMC, however, the court decided that “the hospital is not liable for employee actions outside the scope of their job duties,” Simone noted. “The court reasoned that a hospital cannot be responsible when [it] had a privacy policy in place and an employee individually chose to disregard and violate that policy.”
Impact: “This is a big win,” noted attorney Mary Beth Gettins of Gettins’ Law in a recent blog posting. Because UCMC had proper employee training, policies, and disciplinary code/sanctions, the court found UCMC not liable.
“Having the right things in place and doing the right things made all the difference,” Gettins said. “Employees were given the education about what was okay and not okay under HIPAA and other privacy laws.”
Heads up: Be sure to warn employees that if they divulge PHI, they may be personally liable in a lawsuit.