Get A Free Legal Consultation
- We fight to maximize your results
- No out-of-pocket costs
- Over $9.6 billion recovered for families
Patients who exchange information about their medical condition, treatment, and finances with their healthcare entities and providers have a reasonable expectation that this information will be kept private.
However, as the result of a recent major breach, hundreds of prominent hospitals and healthcare facilities violated their patients’ privacy by sharing personally identifiable information with third parties, including Facebook, in violation of state privacy laws. The affected facilities are located in the following states:
HIPAA violations related to social media are not new. In 2017, a 24-year-old North Carolina medical technologist posted about a patient killed in a car crash, using the words, “Should have worn her seatbelt…” Although the employee said the purpose of her post was to remind people to wear their seatbelts, the post went viral and was considered to have disclosed private health information (PHI) about the patient. As a result of the breach, the employee was fired.
HIPAA, (Health Insurance Portability and Accountability Act of 1996) not only gives patients rights over their health information, but also sets rules and limitations on who can look at and receive this information, whether it is electronic, written, or oral. Prior to HIPAA, no rules existed to protect patient health information, but with the emergence of new technologies to improve the quality and efficiency of patient care, the number and severity of potential security risks also increased.
Most health care providers, including doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists, must follow HIPAA’s privacy regulations, which apply to the following:
Under HIPAA’s Privacy Rule, covered entities and their business associates must put safeguards in place that will protect patients’ private health information (PHI) to ensure that it is not used or disclosed improperly. These individuals and entities are required to reasonably limit the use and disclosure of this information to the minimum necessary to accomplish their intended purpose, and must implement procedures to limit those who can access and view patients’ protected health information. Training programs to instruct employees about how to protect patient health information must be implemented.
HIPAA also includes a Security Rule that establishes a national set of security standards for protecting electronic health information that is created, received used, or maintained by a covered entity, and requires the appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI.
According to federal law, a breach of protected health information occurs through the “acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted by HIPAA which poses a significant risk of financial, reputational, or other harm to the affected individual.”
Some common examples of social media HIPAA violations include:
Social media violations of HIPAA are becoming increasingly common, and although difficult to predict or prevent, their consequences can be severe. They can include civil lawsuits, loss of medical license, employee termination, civil fines ranging from $100 to $1,500,000, and criminal penalties of as much as $250,000 in fines and up to 10 years in prison.
A privacy breach is a very serious matter. You may be able to recover damages by filing a lawsuit if you: