Patient’s Medical Record Posted to Facebook – HIPAA Violation

I’ve generally been writing more about the EMR side of EMR and HIPAA lately. For the most part, it seems readers are more interested in EMR and EHR than they are in the details of HIPAA. Although, one of my top posts ever is from back in 2006 about HIPAA Privacy Examples and HIPAA Lawsuits. It seems that people are most interested in HIPAA when it has something to do with a HIPAA violation or lawsuit.

Today’s HIPAA violation could very likely become a HIPAA lawsuit. Plus, it is a word of caution about training your staff on HIPAA requirements and also on proper use of social media in healthcare.

Anne Steciw posted about the violation on Search Health IT. Here’s an excerpt from her post:

Details of the health data breach provided by the Los Angeles Daily News indicate that the employee, who was provided by a staffing agency, shared a photo on his Facebook page of a medical record displaying a patient’s full name and date of admission. The employee appeared to be completely ignorant of HIPAA laws.

I’m sure every hospital and healthcare administrator is cringing at this. I’m sure many could share stories of HIPAA issues related to staffing agencies as well. Although, it’s really hard for me to understand how someone, even from a staffing agency, could be so ignorant of the HIPAA laws. I’m not overstating how ignorant this person was in this situation. The above article explains something even more outrageous and unbelievable:

Even after being told by other posters that he was violating the patient’s privacy, the employee argued: “People, it’s just Facebook…Not reality. Hello? Again…It’s just a name out of millions and millions of names. If some people can’t appreciate my humor than tough. And if you don’t like it too bad because it’s my wall and I’ll post what I want to. Cheers!”

To me this is totally mind-boggling. I’m sure many will argue that this person was exhibiting many of the characteristics of the Facebook generation of users. That’s a cop-out and an excuse, but it does make a larger point that many of the next generation have these outlandish views of what’s theirs and what’s ok and reasonable. Sadly, far too many people think when it’s humor it’s ok to do anything. It’s not, and I’m sure those dealing with HIPAA violations won’t find it a reasonable excuse either.

One thing I really hate about stories like this is that they give a bad name to use of social media in healthcare. Social media is like most things which can be used for good or bad. It’s a shame if incidents like this discourage people from accessing the benefits of social media.

This is another good example of how our biggest HIPAA privacy vulnerability is people.

About the author

John Lynn

John Lynn is the Founder of, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference,, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.


  • “Social media is like most things which can be used for good or bad. It’s a shame if incidents like this discourage people from accessing the benefits of social media.”

    Unfortunate, is it just about what you post? The lack of knowledge abounds, and the notion that any use of public social networking in healthcare is not in itself a HIPAA violation is gross ignorance…here’s a couple kibbles for thought!
    – Who do you think is accessing your posts?
    Ah, patients? Correct!
    – And can they be uniquely identified by accessing your social site?
    Ah, maybe? Well, the answer is they can…
    So go ahead, set your practice up with a Facebook, Twitter, or a Google+ account, just don’t post any PHI and you’ll be alright because you’re different! Right…

  • I read Anne’s post about the violation on Search Health IT and find the violation almost too absurd to be real. Maybe it’s not. Providence said they are investigating. Be aware that organizations generally have non-PRODUCTION versions of their EMR s/w which are used for training, testing upgrades, etc… I could present a photo of my TEST system that would appear to be a legitimate patient record even though all the content was generated for training purposes.

    This does bring to mind things to consider. What about photos that “accidentally” depict PHI in the background? We took photos last spring when we opened our new Prenatal department. Occasionally staff take photos of one another in the hallway. Does your organization have a policy that regulates the taking of photos? Is there a central person or individual that is accountable to ensure that photos taken within the facility do NOT contain accidental PHI that the photographer did not even intend to capture?

  • Here’s an article showing what the state wants to see:
    “The draft search warrants are particularly interesting because they show the full extent of data the government regularly requests on a person it’s investigating. This includes not just your full profile information but also who you “poke” (and presumably who “pokes” you), who rejects your friend requests, which apps you use, what music you listen to, your privacy settings, all photos you upload as well as any photos you’re tagged in (whether or not you upload them), who’s in each of your Facebook groups, and IP logs that can show if and when you viewed a specific profile and from what IP address you did so.”

  • Good grief! I realize that this article is a year old, but wow! Reminds me of the woman who worked in a hospital who posted a photo of a patient and got fired for it. It’s unbelievable that someone who works in a medical environment wouldn’t know that posting such things on a social network would be illegal. I know it, and I’ve never worked in the medical field. But I am an informed citizen who enjoys understanding her rights & responsibilities.

    You made an excellent point at the end. Such violations cause healthcare facilities to over-react to social media and avoid it instead of embracing it for the good it can do for their practices. We see it all the time, but thankfully many have started to embrace it more with the publication of the AMA guidelines for social media published earlier this year.
