Perhaps the last health data breach to make the news in 2011 involves a temporary employee at Providence Holy Cross Medical Center who posted a picture of someone’s medical record to his Facebook page — and made fun of the patient’s condition.
Details of the health data breach provided by the Los Angeles Daily News indicate that the temporary employee, who was provided by a staffing agency, shared a photo on his Facebook page of a medical record displaying a patient’s full name and date of admission. The temp appeared to be completely ignorant of HIPAA laws.
Even after being told by other posters that he was violating the patient’s privacy, the temp argued: “People, it’s just Facebook…Not reality. Hello? Again…It’s just a name out of millions and millions of names. If some people can’t appreciate my humor then tough. And if you don’t like it too bad because it’s my wall and I’ll post what I want to. Cheers!”
Providence officials told the Daily News they are investigating the report and will work with the staffing agency to continue to provide privacy compliance training for temporary contractors.
Apparently that training did not make much of an impression on the temporary employee who thought it would be funny — and legal — to post someone’s medical record on Facebook. Even if the privacy training went in one ear and out the other, one would think the lack of a “share” button in the patient’s electronic record would have tipped him off.
One security expert believes the social media abuser “should not only lose a job but also should get a tough penalty for violating HIPAA as well as any applicable state regulations.”
In the era of Facebook, Twitter and YouTube, health care organizations and their business associates cannot afford to underestimate the importance of training employees and contractors on how to properly handle patient information. Experts on the use of health care social media recommend showing employees how to exercise good judgment with social media.