Okay, here’s a perfect real incident to use as a case study for discussing whether or not this is a HIPAA violation!
“Nurses Fired Over Cell Phone Photos Of Patient: Case Referred To FBI For Possible HIPAA Violations”
So, was this a HIPAA violation?
Here are the reported facts:
- Someone from the medical center made an anonymous call to report that a nurse took photos of a patient with her cell phone and posted the photos to her Facebook page. The report does not say to whom this was reported, but it implies it was to the Walworth County sheriff’s office.
- The accused nurse admitted she took a photo, but that she never posted the photo to her Facebook page. However, she did admit to discussing the incident on her Facebook page.
- Two nurses actually each took a photo of an x-ray of a patient who had been admitted to the emergency room with “an object lodged in his rectum.”
- The investigators can find no one who actually saw photos of the x-ray posted on Facebook.
- The nurse removed her Facebook page last week.
- The two nurses who took photos were fired; so the hospital appears to be enforcing policies and sanctions, as HIPAA requires.
So, is this a HIPAA violation?
The hospital is a covered entity (CE) and is responsible for ensuring that only workforce members with a job-related need have access to patient information.
The x-ray certainly is a type of protected health information (PHI).
The answer will depend upon:
- Did the hospital have policies against taking photos of patient information, and did they provide training for this policy? Better yet, did they have policies against using cell phones, including photo capabilities, within the patient care areas?
- Have the nurses shown or given the photo to anyone else? Or made it available where someone else may see it?
- Did the nurse include PHI within the description she wrote on Facebook?
- Did the hospital apply sanctions against the nurses for violating patient privacy? Yes, they were both fired.
- And, if the HITECH Act breach notification requirements were in effect right now, did the hospital notify the patient? (I know this is not yet required, but it is good to start asking the question now as CEs update their policies and procedures in preparation for compliance.)
Tags: awareness and training, HIPAA, HITECH Act, Information Security, IT compliance, IT training, patient information, PHI, policies and procedures, privacy training, risk management, security training