The trusted source for
healthcare information and
Social media is again creating problems in healthcare, this time with an emergency physician who was fired for making a comment on Facebook about a patient after a nurse posted a picture of the woman’s buttocks. The health system promptly dismissed the contract physician, but she is now suing.
Catherine Puetz, MD, the former associate medical director of emergency services with Spectrum Health Hospitals in Grand Rapids, MI, was dismissed because of a comment she posted on Facebook. She was responding to a picture of a patient’s bottom on Facebook that was posted by an emergency department (ED) nurse. (See the story on p. 40 for more details on the incident.)
The lawsuit says President Kevin Splaine accused Puetz of "reprehensible behavior" and "a lack of integrity." The president told her the Facebook comment violated the Health Insurance Portability and Accountability Act (HIPAA) and that justified her dismissal, according to the lawsuit. Puetz contends in her lawsuit that the comment did not violate HIPAA and that Spectrum used the incident as an excuse to fire her because the two parties had disagreed over the copyright of materials she developed for evaluating patients in observational units. Spectrum claimed that it controlled any materials developed while Puetz worked at the hospital and could deny the doctor’s plans to use them in consulting with other facilities.
The lawsuit accuses Spectrum of defamation and breach of contract and seeks at least $75,000 from Spectrum Health, Splaine and Vice President Jeanne Roode, in addition to unspecified punitive damages. Puetz also is asking the court to declare that Puetz owns the copyright on materials developed for observation units.
The case illustrates how pervasive social media have become and how easily a hospital representative can cross the lines, says Jason Koors, JD, legal counsel with MemorialCare Health System in Fountain Valley, CA. The nurse who took the photo and posted it put herself and the hospital at risk for liability in a civil lawsuit, he notes. So far there has been no mention of lawsuits, but Koors says that is almost inevitable now that the incident has been made public.
Koors has no doubt that the physician and nurses should have known their actions were wrong. (See the story on p. 40 for questions about the chief medical officer’s actions.)
"If the subject of the photo was a Spectrum Health patient, then the Facebook post is likely a HIPAA violation," he says. "But at the very least, it is incredibly inappropriate. I would not be surprised if the ED nurse who posted the photo was terminated, especially if she was at-will. Such careless disregard for patient privacy likely violated the health center’s policies or code of conduct. As an MD, Puetz should have known better than to comment on the photo and add more potentially identifiable information. I think it is grounds for terminating her contract."
The doctor’s post included the patient’s initials, which elevates the doctor’s actions to a more serious offense and clearly a HIPAA violation, says Philip Becnel, managing partner of Dinolt Becnel & Wells Investigative Group in Arlington, VA. A private investigator who handles many healthcare cases, Becnel says the people might underestimate how much one can learn from just two initials. He and his fellow investigators often rely on small bits of data such as initials to track down individuals.
"The logic of firing the physician but not the nurse who made a comment makes sense to me," he says. "Saying you like big butts or whatever ridiculous comment that was doesn’t add any information to the situation, but the doctor added potential identifiers when she included the patient’s initials. The other comment was arguably more inappropriate, but it didn’t constitute a HIPAA violation." (See the story on p. 41 for more on using social media as a legal defense.)
Puetz’s lawsuit contends that Spectrum overstated the offense by declaring it a HIPAA violation, but others don’t see it that way. For a HIPAA violation, the doctor must have shared information about a patient that was protected, in an identifiable manner, and for reasons other than what is allowed under HIPAA, explains R. Stephen Trosty, JD, MHA, CPHRM, president of Risk Management Consulting in Haslett, MI, and a past president of the American Society for Healthcare Risk Management (ASHRM).
"It seems obvious that the sharing was not for protected purposes. It also seems to me that the provided information might enable people to identify the patient. Therefore, it seems to me that we have a HIPAA violation," he says. "I would argue that sharing on Facebook is, in theory, no different than sharing in a local newspaper or through word of mouth. It is a mechanism whereby others who read or hear the information can identify a patient who was in the hospital and was not for a protected purpose."
Remember: The HIPAA violation penalty would be against the hospital, and hospitals are required to enforce their own policies regarding patient privacy, Trosty says. The hospital also must show that it takes appropriate action in response to a HIPAA violation, and this action often includes dismissal, he says.
The appropriateness of the penalty depends in part on what policies the hospital had in place before the incident, Trosty says. If there was a policy clearly prohibiting such comments, the severe punishment of dismissal is more easily justified. If not, the lack of such a policy raises issues not only about the appropriateness of the punishment but also about HIPAA compliance by the hospital, he says. Physician training in HIPAA policies also should be questioned. Was there a requirement in the contract the doctor had with the emergency department group for HIPAA training? Did the hospital require such a clause in the contract between the doctors and the emergency department group?
If the answer is yes and the doctor attended, the punishment is justified because she violated rules taught in the training, Trosty says. Even if it was a requirement and she did not attend, the punishment might stand, he says. Trosty emphasizes that Spectrum was risking severe penalties if it did not respond in a way that the federal government would consider sufficiently aggressive.
"I think it has to be recognized that the federal government is being even stricter when it comes to HIPAA compliance, enforcement, and training by hospitals and to appropriate action taken for violation," he says. "I do think this should be considered when you’re looking at whether dismissal was justified."
Regrettable social media posts are not always HIPAA violations or even an actionable offense by an employee, Koors notes. For example, Section 7 of the National Labor Relations Act (governing union and non-union employees) gives employees the right to engage in protected concerted activities for the purpose of collective bargaining. Recently, this statutory right has been extended to protect Facebook posts in which employees comment on the conditions of their employment, such as discussing wages, complaining about management, and criticizing working conditions, he explains. The Spectrum Health incident probably would not be covered by Section 7, Koors says, because the photo did not touch on conditions of employment. And even if Section 7 did apply to the post, the protection might not protect Puetz’s comment because she is a contractor rather than an employee.
The health system probably should have taken more time to consider its response, suggests says Jane McCaffrey, DFASHRM, MHSA, director of compliance and risk management at The Blood Connection in Greenville, SC, and a past president of ASHRM. Less than a month passed before Spectrum dismissed the doctor.
Healthcare providers should have a social media policy now because the risk of privacy breaches is higher than ever before, partly because such a large percentage of employees use social media, and their familiarity can lead to a casual approach, McCaffrey says. (For more on social media risks, see Healthcare Risk Management, March 2012, pp. 25-30.) She also notes that the chief medical officer (CMO) comment might indicate a lack of guidance from administration.
"When there is a suspected violation by employed or contracted personnel, there should be a systematic evaluation that goes beyond the CMO providing what sounds like informal feedback," she says.
Was the compliance office or privacy officer involved in the incident, and was the doctor properly trained in HIPAA compliance, asks Leilani Kicklighter, RN, ARM, MBA, CPHRM, LHRM, a patient safety and risk management consultant with The Kicklighter Group in Tamarac, FL, and a past president of ASHRM?
Rather than posting a comment when Puetz saw the post, she should have personally contacted the nurse who made the post and advised it be taken down and explained why, Kicklighter says. "The next step is to make a report to the hospital compliance officer to take any next steps necessary," she said.