Alleged health data disclosure via Facebook raises legal and policy issues

Reports of potential breaches of patient privacy at Tri-City Medical Center in Oceanside, California have garnered the HIPAA-related attention you would expect, but are also raising questions about the availability and use of social networking sites from hospitals and other health care facilities. It seems some Tri-City employees posted personal details about patients on Facebook, calling into question the extent to which medical facilities have policies in place about accessing social media and, if access is allowed, about appropriate use to avoid privacy violations under HIPAA. The California Department of Public Health confirmed this week that it has opened its own investigation into the alleged disclosures; the focus of the state-level inquiry appears to be compliance with or violation of the HIPAA Privacy Rule.

This recent incident is far from an isolated occurrence, and as more hospitals move to enact social media policies, the examples set by policies published by major health industry companies like Kaiser Permanente suggest that health care organizations would be wise to err on the side of caution when it comes to patient information. Specifically, while many policy definitions of protected health information, the focus of HIPAA regulations, enumerate specific attributes like name and date of birth, the Privacy Rule applies to all individually identifiable health information (45 CFR §160.103), and specific details about a patient communicated orally or in writing, even without referencing a name, may fall under this category. Simply put, this means even a casual conversation between two hospital employees about a patient, if held within earshot of others not involved in the patient’s care, likely constitutes a HIPAA violation, and the same logic certainly applies to holding such a discussion online.