How an Innocent Social Media Post Can Turn Into a HIPAA Violation

A Texas nurse recently learned that you don’t have to identify a patient by name to violate Health Insurance Portability and Accountability Act (HIPAA) rules.

According to a number of published reports, the unidentified woman, who worked as an ICU/ER nurse, was fired from her job with Texas Children’s Hospital in Houston after posting about a boy who was being treated for a suspected case of the measles.

The nurse, an anti-vaccine proponent, posted about her experience treating the child, whom she identified only as between the ages of 1 and 3 years old, on a Facebook site called “Proud Parents of Unvaccinated Children – Texas.” The hospital became aware of her post when another Facebook user notified it.

The nurse wrote that while seeing the child suffer did not change her stance on vaccinations, it was rough having to treat the youngster, who was sick enough to have to be admitted to the ICU.

At first, the hospital suspended the nurse, at which point she deleted the posts. However, she later was fired for violating HIPAA rules. The hospital confirmed she was fired for that HIPAA violation and not for her anti-vaxxing views.

HIPAA was designed to protect the privacy and security of certain health information. As this incident shows, a patient does not need to be identified by name for there to be a violation of the Privacy Rule. In this instance, the hospital determined that because the nurse was identified in her profile, along with the hospital where she worked, there was enough information to make it possible to identify the child being treated.

As social media evolves, healthcare organizations need to have guidelines in place to ensure that staff understands what is acceptable and what is not. HIPAA rules apply not only to posts on your own social media, but also to posts on the sites of others. For example, if someone tweets about how great their care was at a specific facility and that facility’s social media manager in turn responds with something as simple as a thank you, that can be seen as having acknowledged a provider/patient relationship.

Oftentimes, violations come in the form of innocent posts. An example might be if someone posts pictures of a hospital employee gathering, like a birthday, and patients or identifiable patient information are unwittingly included in the photo. That could constitute a violation.

If you have not done so, it is imperative to have written rules in place that outline what employees can and cannot post and what the penalties are if those rules are violated.

Violating HIPAA rules comes with a price tag in the form of both civil and criminal penalties. The secretary of HHS has discretion in determining the amount of the penalty based on the nature and extent of the violation and the nature and extent of the harm resulting from the violation. The Department of Justice handles criminal investigations.

The Health Law Offices of Anthony C. Vitale’s highly skilled team of experienced legal professionals can help you to create a HIPAA Privacy and Security compliance program designed to meet your unique needs. Give us a call at 305-358-4500 or send an email to and let’s discuss how we might be able to assist you.

Material presented on the Health Law Offices of Anthony C. Vitale's website is intended for information purposes only.

It is not intended as professional advice and should not be construed as such.