Facebook Misstep Costs RI Physician Fine, Job

In recent years many health care providers and managers have told me, time and again, that the health care world is accustomed to managing confidential patient information, and therefore doesn’t need much in the way of social media training and policy development.  This week brings news that should make those folks sit up and take notice.  A physician in Rhode Island, who was fired for a Facebook faux pas, has now been fined by the state medical board as well.  The physician posted a little too much information on Facebook — information about a patient that, combined with other publicly available information, allowed third parties to identify the patient.  The details of the story are available here and here.

The key takeaway from this story — and the Johnny-come-lately approach to health care social media taken by the Rhode Island hospital in question and the Boston teaching hospital that the Boston Globe turned to for comment — is that prevention is the best medicine.

Facebook and other social media are a fact of life, and cannot be ignored by health care providers and organizations.  They can even be used as a force for good.  As one example, take note of the recently-announced initiative by my colleague, Dr. Val, to start up a peer-reviewed tweetstream, @HealthyRT.  At he very least, health care providers and organizations should be monitoring social media for mentions so that they can reach out, as may be necessary, to address health care and public relations issues.

HIPAA issues in the Rhode Island case led to sanctions — not by the federales or the state AG enforcing HIPAA — but by the medical board and the physician’s employer.  These sanctions, and the harm they are ineffectually seeking to remedy, may have been avoided entirely by some preventive medicine: health care social media policy and procedures development through an inclusive process that would create a broad sense of ownership and responsibility, combined with greater understanding and sensitization, across clinical and non-clinical staff.  Here’s hoping that health care provider organizations who are learning about these issues through the missteps of others are able to take proactive steps to avoid receiving this same kind of negative publicity themselves.

David Harlow writes at HealthBlawg, a nationally-recognized health care law and policy blog. He is an attorney and lectures extensively on health law topics to attorneys and to health care providers. Prior to entering private practice, he served as Deputy General Counsel of the Massachusetts Department of Public Health.

11 replies »

  1. Just desire to say your article is as astonishing. The clearness in your post is simply nice and i can assume you’re an expert on this subject. Well with your permission allow me to grab your feed to keep up to date with forthcoming post. Thanks a million and please carry on the enjoyable work.

  2. No matter if some one searches for his required thing,
    therefore he/she wishes to be available that in detail, so that
    thing is maintained over here.

  3. The use of social media has become a very active part of our lives. Much good can result from many health care facilities participating in facebook and tweeting to improve the community’s health through further education. But organizations need to be proactive in developing policies and procedures in using social networking in the professional arena. The problem often comes in the personal side of social networking. It is often here that as staff vent about the stresses that occur during the course of the day that unintended breeches in confidentiality of the patients can happen. Again organizations must be proactive and raise awareness through education. We have continuous HIPAA updates through the course of the year and need to include education of how to use social networking appropriately for the health care worker even for personal use. Unfortunately the doctor from RI is not the only person to have lost their job because of something posted on facebook. We need to keep this in the forefront of all health care workers in order to keep patient information confiential.

  4. The doc in this case probably complied with the HIPAA “safe harbor” of removing the 18 identifiers noted in the rule, but removing these worked as de-identification, if at all, only in a brief period following the promulgation of the rule. The rule also provides that de-identification in this manner works only if “the covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.” 42 CFR 164.514(b)(2)(ii). These days, nobody can disclaim knowledge of the fact that information de-identified by removing this cookbook list of 18 identifiers may be re-identified by cross-matching data with other publicly-available data sources. There are a number of reported instances of this sort of thing happening. The RI case is only the latest.

    The policy question raised by all this is whether we collectively care enough about privacy and security to ratchet up the regulatory and technical protections, or whether, instead, we are OK with lowered privacy and security standards because they can enable information-sharing leading to improved health outcomes, and disclosures such as the one affecting the RI patient are acceptable “collateral damage.”

  5. That’s pretty interesting.

    None of this is exactly news (beyond the perils of yacking too much on social media). Google “Latanya Sweeney,” the ONC HIT Policy Committee PhD from MIT. She’s famous for her published assertion (in Scientific American, no less, IIRC) that all she needs is your DoB, ZIP code, and gender to have about an 80% chance of ID’ing you (I don’t totally buy that).

    Back in the early 1990’s when I was first working for HealthInsight, doing outcomes analyses using mostly Medicare Part-A claims data, we were cautioned even then about the potential for “re-identifying” ostensibly de-identified data, particularly in rural areas. e.g., publish something relating to “a 49 yr old divorced mother of two with HTN and DM residing in Nye County NV” and someone can quickly figure out exactly who that is.

  6. Social media can be enjoyable for healthcare, physicians and the like. HealthTrain Express has been writing a series of articles, guidelines and sources for those interested in social media. There are 3 parts thus far;




    Included are some health institution social media sites and also an article on social media guidelines.