A nurse who was working at a Texas children’s hospital has been let go from her position after it was discovered that she had violated the Health Insurance Portability and Accountability Act (HIPAA) Rules by posting protected health information on a social media website.
The pediatric ICU/ER nurse was employed at Texas Children’s Hospital and published a series of comments on Facebook about an unusual case of measles at the hospital. The nurse was an anti-vaxxer and wrote about seeing a boy at the hospital suffering from the disease – a disease that could have been avoided through vaccination.
Her comments outlined how the disease was much worse that she thought it to be, having not encountered anyone with the measles previously. She said that it was a “rough” experience seeing the boy going through the disease.
She also said in one of posts that she published: “I think it’s easy for us non-vaxxers to make assumptions, but most of us have never and will never see one of these diseases,” according to the Houston Chronicle, which included screenshots of her Facebook posts. She added: “By no means have I changed my vax stance, and I never will. But this poor kid was bad off and as a parent, I could see vaccinating out of fear.”
Due to a high rate of vaccination (94.5%) in Houston, a measles case is very unusual. In the last decade there have fewer than 10 confirmed cases in the city. While the nurse did not publish the child’s identity on Facebook, her job was included on her profile, along with the hospital where she was employed, and information about the boy and his condition. Due to the information included in the posts and the rarity of the disease, it is possible that the child could have been identified.
Texas Children’s Hospital suspended the nurse when officials discovered her social media posts and an investigation was begun. After receiving the suspension, the nurse appeared to realize that she had shared too many details and deleted many of her posts. Four days after the nurse was suspended the decision was taken to terminate her for the HIPAA breach. An official from Texas Children’s Hospital confirmed the nurse lost her job due to violating hospital policies and federal laws by posting protected health information on a social media website, and not for her anti-vaxxing views.
The HIPAA Privacy Rule places limits on the allowable uses and disclosures of protected health information. Most healthcare workers will be well aware that the posting of any protected health information on a social media website is a HIPAA violation.
However, as this incident shows, the patient does not need to be referred to by name in order for them to potentially be identified. If any personally identifiable protected health information is published on social media without consent first being obtained from the patient, it is a violation of the HIPAA Privacy Rule.
A working practice is to keep work and private lives separate, and never to post any details about patients on a social media platform, even if you do not believe that a patient could be identified from the post.