How social media can lead to a HIPAA violation

When can a physician disclose protected health care information? Dr. David J. Goldberg addresses this question in this month's Legal Eagle column.

Dr. Goldberg

Dr. Derm is a well-known specialist in the use of biologic agents for psoriasis. He has many happy patients. One of them described in detail on her social media site her course of treatment and the great results she had seen. Dr. Derm sees this as a great chance to promote himself and uses these accolades on his own social media sites and website. He assumed that he did not need her permission. The patient finds out about this and sues Dr. Derm for a HIPAA violation and demands $500,000.

Dr. Derm is beyond upset. He reaches out to his attorney to ask how something placed on the public domain by a patient, then used by him can be a violation of health care privacy? 

When can a physician disclose protected health care information?

What is clear is that a covered entity, such as a physician’s practice or health system can disclose protected health information (PHI) in a couple of different scenarios:

1) The patient provides his/her formal written authorization, and/or
2) there is a statutory exception to requiring formal written authorization.

An appropriate compliant HIPAA authorization has a number of requisite details. The requirements include a description of who is authorized to make the disclosure and receive the PHI, a specific and meaningful description of the PHI, a description of the purpose of the disclosure, an expiration date or event, signature of the individual authorizing the use or disclosure of her/ his own PHI and the date, information concerning the individual’s right to revoke the authorization, and information about the ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization.

Conversely, there are situations when a physician does not need a patient’s written authorization for every disclosure. These invariably are where there is a statutory basis for the exception.

For example, the broadest exceptions are known as Treatment and Payment Operations. Within those categories, a dermatologist does not need a patient’s authorization to disclose PHI to get paid or to send information to another treating doctor to take care of a patient. These exceptions are clearly spelled out in the HIPAA statute.

Thus, if a patient has described her healthcare journey with Dr. Derm on his or her Facebook page, can he say thanks? Or can Dr. Derm even “correct the record” if the posting is incorrect?

The reality is that unless Dr. Derm has the patient’s authorization, the answer is no.

In fact, physicians are forbidden from even acknowledging that person was a patient. It can be argued that it is absurd that a patient might publish every detail about his or her care and, yet, Dr. Derm must remain silent - even if the record is full of inaccuracies.

It’s doubly absurd because Dr. Derm may not be disclosing any more than the patient already disclosed on his or her own. But, the regulations on this are clear.

A recent Connecticut case highlights this issue:

In 2015 a patient contacted a local TV station stating a medical practice turned her away because she had a service animal. The reporter called the practice for its side of the story. The physician’s office, in defending themselves, disclosed PHI.

A subsequent Office of Civil Rights investigation found that the doctor’s discussion with the reporter demonstrated a reckless disregard for the patient’s privacy rights, and that the disclosure occurred after the doctor was instructed by the practice’s own privacy officer to either not respond to the media or to respond with no comment.

Additionally, the Office of Civil Rights’ investigation revealed that the medical practice failed to take any disciplinary action against the doctor or to take any corrective action following the impermissible disclosure to the media, the statement notes.

The medical practice was found liable and forced to pay $125,000 for this violation.

There are now documented million dollar fines to hospitals for similar violations.

What appeared to be a simple benign action by Dr. Derm may in fact be a HIPAA violation.