Patient info on Facebook traced to temp staff, raises questions
Poster mocked patient: 'It's just Facebook ... not reality'
One hospital's experience with a temporary employee who posted a patient's information on online making fun of her condition and showing no remorse when challenged is raising questions about how hospitals can ensure temporary staffing agencies provide adequate compliance training.
The temp employee of Providence Holy Cross Medical Center in Los Angeles posted a photo of a woman's medical record, which clearly showed the woman's name and admission date, according to a report by the Los Angeles Daily News, which obtained a printout of the Facebook page before it was deleted. The photo was accompanied by the comment, "Funny but this patient came in to cure her VD and get birth control."
When others posted on the page with comments scolding the employee for violating the woman's privacy, the employee responded with "People, it's just Facebook ... Not reality" and "It's just a name out of millions and millions." He refused to take down the information, but it eventually was deleted when hospital officials were notified.
Providence immediately released a statement saying that the employee had been supplied by a temporary staffing agency and would no longer be allowed to work in any Providence facility. The staffing agency was supposed to have trained the employee in compliance with the Health Insurance Portability and Accountability Act (HIPAA), a hospital spokesman told Healthcare Risk Management.
The hospital's potential liability from the privacy breach might depend on the quality and effectiveness of its HIPAA compliance polices and training, says Philip
D. Mitchell, JD, an attorney with the law firm of Epstein Becker Green in Newark, NJ. Providence reports that its contract with the temporary staffing agency requires such training, but Mitchell says a lawsuit could hinge on whether that was just boilerplate language or the hospital actually backed it up by confirming that the agency trained people properly.
"It all depends on their existing policies and procedures," Mitchell says. "How did they hire this person, and how did they train him? If all they can say is that the contract required he be trained by the temp agency, but they didn't do any due diligence to see how that agency complies, that could be problematic. You could argue that they had a responsibility to know how these people were trained before you accept them as an employee."
Could plead willful misconduct
Mitchell notes, however, that the egregious nature of the violation could give the hospital a valid defense of willful misconduct by a rogue employee. Unlike a more nuanced violation of HIPAA, a defense attorney could argue that any reasonable person would know the posting of a medical record on Facebook was wrong, he says.
"It's such a deliberate act and out of the norm that it could be hard to hold the hospital responsible for that," Mitchell says. "This person clearly has no regard for confidentiality, and unless the hospital had some way of knowing that, they can say this was someone purposefully breaking the law regardless of what training was or wasn't provided."
Any legal action taken by the patient most likely would result in only a modest settlement, Mitchell surmises, but he notes that the hospital is taking a bigger hit in the court of public opinion. The negative publicity attached to the hospital's name could be the worst result, he says.
Not easy to escape blame
Another attorney with experience in HIPAA enforcement says the hospital's response that the staffing agency was responsible for training the employee might be shortsighted. The employee's comments indicated he had no understanding of HIPAA, much less any respect for it, and the hospital has to take some responsibility for that lack of understanding, says Joseph P. Paranac Jr., JD, an attorney with the law firm of LeClairRyan in Newark, NJ.
"Everyone may maintain the fiction that those temporary staffers are employed only by the staffing agency," Paranac says. "But in reality, those temporary staffers are probably joint employees of the staffing agency and the hospital. I suspect that on a daily basis, these temps are taking direction from hospital supervisors, so I would make sure that everyone who comes in to the hospital as an employee, and who has access to information, receives a two-hour training course on HIPAA."
Paranac notes that HIPAA puts the onus on healthcare providers to make sure employees are trained, and that responsibility cannot be casually passed on to another party such as a staffing agency. "If you want to hold to the idea these are not your employees and so you don't want to train them, then I would send someone to the staffing agency's training class and document what you see there," he suggests. "If their training is not sufficient, you can offer to help them improve it and not accept any more employees until they do."
Policies must be in sync
In addition to the negative publicity from a privacy breach, the potential ramifications are significant. Healthcare providers and individuals such as directors, employees, or officers of the covered entity, who "knowingly" obtain or disclose individually identifiable health information in violation of the regulations, face a fine of up to $50,000 as well as imprisonment up to one year. Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use such information for commercial advantage, personal gain, or malicious harm permit fines of $250,000 and imprisonment for up to 10 years.
The "knowingly" element requires only knowledge to the actions that constitute an offense, Paranac explains. Specific knowledge of an action being in violation of the HIPAA statute is not required.
Another potential problem is that hospitals often have separate policies on HIPAA compliance and social media, and the two don't always mesh well, Mitchell says. In many cases, they are drawn up by different people with different purposes, rather than having one comprehensive policy. (See the story on p. 28 for more on social media and healthcare.)
"Often, the social media policies are set up by marketing or the IT folks, whereas the confidentiality policy usually comes from compliance, risk management, or the general counsel's office," Mitchell says. "If they don't sync up, you have potential gaps that will be a problem when you have to show your training was adequate, and there can be ambiguities that allow employees to make mistakes."
D. Mitchell, JD, Epstein Becker Green, Newark, NJ. Telephone: (973) 639-8297. E-mail: email@example.com.
Joseph P. Paranac Jr., JD, LeClairRyan, Newark, NJ. Telephone: (973) 491-3570. E-mail: firstname.lastname@example.org.