HIPAA Slip Leads To PHI Being Posted on Facebook

HHS has begun investigating a HIPAA breach at the University of Cincinnati Medical Center which ended with a patient’s STD status being posted on Facebook.

The disaster — for both the hospital and the patient — happened when a financial services employee shared detailed medical information with the father of the patient’s then-unborn baby. The father took the information, which included an STD diagnosis, and posted it publicly on Facebook, ridiculing the patient in the process.

The hospital fired the employee in question once it learned about the incident (and a related lawsuit), but there’s some question as to whether it reported the breach to HHS. The hospital says that it informed HHS about the breach in a timely manner, and has proof that it did so, but according to HealthcareITNews, the HHS Office of Civil Rights hadn’t heard about the breach when questioned by a reporter last week.

While the public posting of data and personal attacks on the patient weren’t done by the (ex) employee, that may or may not be a factor in how HHS sees the case. Given HHS’ increasingly low tolerance for breaches of any kind, I’d be surprised if the hospital didn’t end up facing a million-dollar OCR fine in addition to whatever liabilities it incurs from the privacy lawsuit.

HHS may be losing its patience because the pace of HIPAA violations doesn’t seem to be slowing. Sometimes, breaches are taking place due to a lack of the most basic security protocols. (See this piece on last year’s wackiest HIPAA violations for a taste of what I’m talking about.)

Ultimately, some breaches will occur because a criminal outsmarted the hospital or medical practice. But sadly, far more seem to take place because providers have failed to give their staff an adequate education on why security measures matter. Experts note that staffers need to know not just what to do, but why they should do it, if you want them to act appropriately in unexpected situations.

While we’ll never know for sure, the financial staffer who gave the vengeful father his girlfriend’s PHI may not have known he was up to no good. But the truth is, he should have.

About the author

Anne Zieger

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.


  • I’m not trying to defend the hospital worker, but let’s see if I understand the situation:
    1) “The father of the patient’s unborn child”. Hmm, so were they married? I’m guessing not.
    2) Did the hospital worker know they weren’t married?
    3) In a situation where a married couple has different last names, what does your office do to establish the actual relationship?

    I think it is easy to see how that can occur.

    I don’t see it being the medical facility’s responsibility what someone does with information.

    Now…when and how to report a breach…and what proof should you keep on hand? Ah, that’s a fun one, and there is a solution.

  • Female nurses violate patients’ HIPAA privacy and physical privacy all the time. Just ask most male patients.

  • A breach is a breach is a breach. When you work in an industry where you handle other people’s information (i.e. health, wealth, etc.), you cannot under any circumstances share that information with anyone other than the person. And if you are not directly involved with the person and you just happen to get into the system because it is a friend or family member, it is still a violation.

  • HIPAA rules and their related penalties need to be posted on the walls of hospitals and medical facilities so that employees would know whether whatever they are sharing is in accordance with HIPAA rules or not.
