Social Media HIPAA Violations by Nurses

Social media is nearly ubiquitous in modern life, and many of us use these platforms to talk about our jobs. However, if you are a nurse or other medical professional, you must be particularly cautious when talking about work online. Disclosure of a patient’s private information on social media can lead to serious repercussions – from loss of your job to disciplinary action from the California Board of Registered Nursing (BRN).

Both state and federal laws protect patient information from disclosure by healthcare professionals and organizations. Posting about patients – whether accidentally or on purpose – on social media may violate these laws. A HIPAA violation can lead to life-changing consequences, including the possibility of criminal sanction.

If you committed a HIPAA breach by talking about a patient on Facebook, Twitter, Instagram, Snapchat, TikTok, or any other social media platform, a San Diego professional license defense attorney can work with you to help you mitigate or even avoid some of these harsh penalties.

How Does HIPAA Relate to Social Media?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was designed to protect patient health information (PHI) when it was transmitted electronically between healthcare providers, insurance companies, and other covered entities. It now covers patient privacy more broadly as well as patient access to PHI. 

The HIPAA Privacy Rule regulates the use and disclosure of an individual’s health information. Under this Privacy Rule, only those with a legitimate need to know an individual’s medical history are legally permitted to access it. If a nurse shares a photograph of a patient on social media or otherwise discloses information about a patient online, it may violate HIPAA as it constitutes a disclosure of an individual’s protected health information.

For purposes of HIPAA, nurses are “covered entities.” As such, nurses cannot disclose PHI – even if they do not post a picture of a patient or their name. An inadvertent disclosure (such as posting a picture that has PHI in the background) may also violate HIPAA.

For example, in a case that received national attention, a Texas nurse was fired in 2018 after commenting on a news story about a patient at a local hospital who was fighting measles. In these comments, the nurse talked about how seeing him suffer from the illness made her understand better why parents choose to vaccinate. Because the nurse disclosed protected health information online, she was terminated from her job – even after she deleted the comments. 

Social media HIPAA violations have become so commonplace that the National Council of State Boards of Nursing (NCSBN) has released guidelines for nurses on the use of social media. These guidelines lay out, in practical terms, what nurses should avoid in order to ensure HIPAA compliance, from not taking photos or videos of patients on personal devices to not disparaging patients online.

What Are the Consequences of a HIPAA Breach?

A disclosure of PHI – on social media or elsewhere – can lead to disciplinary action by the BRN. Specifically, the BRN has stated that violations of patient confidentiality or privacy may result in disciplinary action, civil or criminal penalties, and/or employment consequences.

Violations of HIPAA are investigated by the California Department of Health Care Services (DHCS)’ Privacy Office and Breach Reporting Unit. This agency may file a complaint with the Board if a nurse is found to have violated a patient’s privacy. Alternatively, a patient, family member, co-worker, or another person may file a complaint with the Board for HIPAA violations.

If a nurse is found to have violated HIPAA through the use of social media, then they may be facing an Accusation of unprofessional conduct. If the complaint is substantiated at a hearing before an administrative law judge (ALJ), this may result in a minimum disciplinary sanction of revocation, stayed with 3 years of probation. 

In addition to action by the BRN, a nurse who violates HIPAA may face substantial fines through the federal Department of Health and Human Services, Office of Civil Rights. These fines are based on the severity of the offense, from Tier 1 (least serious) to Tier 4 (most serious). The penalties for HIPAA violations through the OCR are as follows:

  • Tier 1: Minimum fine of $100 per violation, up to $50,000
  • Tier 2: Minimum fine of $1,000 per violation, up to $50,000
  • Tier 3: Minimum fine of $10,000 per violation, up to $50,000
  • Tier 4: Minimum fine of $50,000 per violation

Nurses who knowingly obtain or disclose individually identifiable protected health information may also face federal and/or state criminal charges. Under federal law, a criminal violation of HIPAA may result in imprisonment for up to 1 year. If the offense was committed under false pretenses or with the intent to sell or use patient information for personal gain, the potential penalty substantially increases. 

Because the potential consequences of a social media HIPAA violation are so severe, it is vital to reach out to a skilled professional license defense attorney in California as soon as possible after you are aware that you may have violated HIPAA. In many cases, your lawyer may be able to put together a strategy that allows you to avoid or minimize many of the more serious penalties (like jail time and revocation of your nursing license). 

What Types of Behaviors Violate HIPAA on Social Media?

Any revelation of protected health information can violate HIPAA. This may include talking about specific patients, posting images or videos that could result in a patient being identified, or gossiping, complaining about patients, or even defending a negative review on yelp or other platforms. A HIPAA breach may occur whether the information is shared publicly or in private chat messages.

The best way to avoid a HIPAA violation is to never talk about or post pictures or videos of your patients online. If you are being investigated for a violation of the HIPAA Privacy Rule, reach out to a California nurse license defense lawyer as soon as possible.

Will I Lose My Nursing License If I Violate HIPAA?

Possibly. Depending on the facts of your case, the Board of Registered Nursing may impose discipline for violating HIPAA through social media or in another way. This may include revocation or suspension of your nursing license.

The best way to protect your license and your livelihood is to work with a professional license defense attorney. Your lawyer can put together a multi-pronged strategy to defend your license and protect you from other potential consequences.

Compassionate Defense for Nurses

With so many social media platforms available at our fingertips, it is little wonder that social media HIPAA violations are on the rise. It is all too easy to violate the law with your social media posts – even if you did not intend to disclose any patient information. If you find yourself facing disciplinary action or other sanctions for a social media issue, you may be feeling scared and overwhelmed. We can help.

At the Law Offices of Nicole Irmer, we are dedicated to helping nurses and other healthcare providers who are facing investigations by the state licensing boards. With substantial experience handling all phases of these cases, we work with our clients to help achieve the best possible outcome. To learn more or to schedule a consultation with a San Diego nursing license defense attorney, call us at 619-237-6130 or fill out our online contact form.