In a tweet that went viral, an emergency room physician complained about a patient with COVID-19 who had Thanksgiving dinner with 22 family members. The doctor posted that the patient told her everyone at the gathering had “developed symptoms, some severe.” There was backlash against the physician on Twitter from other physicians and others for shaming her patient, and the event wound up in newspapers.
“It’s really important to educate employees and contractors about what is and isn’t OK,” said Margaret Scavotto, president of Management Performance Associates in Saint Louis, who told the story of the now-deleted tweet. “We see a lot of health care professionals with a lot of followers, and they are in a unique position working on the front line of COVID-19, but we have to be careful.”
The use of social media has implications for HIPAA and, in the case of nursing homes, could potentially result in allegations of patient abuse, Scavotto said at a webinar sponsored by her company. There’s also the risk of reputational harm. “I am seeing organizations using social media more” during the pandemic, she said. Hospitals and other covered entities are connecting with patients and families and providing information on COVID-19. But some employees may use social media sites, including Facebook, Twitter and TikTok, to share patient stories or vent about a range of things, including personal protective equipment (PPE). Their words and/or videos could violate HIPAA or social media policies.
Before covered entities post patient photos or any other protected health information (PHI), they must get a written authorization from the patient. The privacy rule is very specific about what must be included in the authorization. For example, the authorization must describe the PHI that will be used and disclosed and the person to whom the disclosure may be made. That’s different from a consent and liability waiver, which states something to the effect of, “I, John Smith, consent to Happy Holiday Nursing Home taking my picture and posting it to Facebook. I release Happy Holiday Nursing Home from any liability involving said picture or posting”—and isn’t adequate for HIPAA compliance, Scavotto noted.
The privacy rule also requires covered entities to explain in the notice of privacy practices (NPP) all the ways they use PHI, and that includes social media. For example, a dental practice that posts pictures of its patients should include that fact in the NPP, although a patient-specific authorization is still necessary, Scavotto said. She added that the use of social media should be included in your HIPAA security risk analysis.
Pictures of Nursing Home Residents May Be ‘Mental Abuse’
Nursing homes may find themselves in hot water for social media posts that are considered mental abuse, she said. According to a 2016 memo from the CMS Survey and Certification Group (16-33-NH), “Mental abuse may occur through either verbal or nonverbal conduct which causes or has the potential to cause the resident to experience humiliation, intimidation, fear, shame, agitation, or degradation. Examples of verbal or nonverbal conduct that can cause mental abuse, include but are not limited to, nursing home staff taking photographs or recordings of residents that are demeaning or humiliating using any type of equipment (e.g., cameras, smart phones, and other electronic devices) and keeping or distributing them through multimedia messages or on social media networks. Depending on what was photographed or recorded, physical and/or sexual abuse may also be identified,” the memo states.
CMS requires surveyors to investigate mental abuse and evaluate whether nursing homes have relevant policies, train their staff on mental abuse stemming from pictures or recordings, and monitor compliance with policies in this area.
Scavotto recounted the case of a nursing home that was fined $1,320 in connection with a nursing aide’s Snapchat post about a resident. The post showed a resident who was in a wheelchair and wearing a helmet, repeatedly asking for a grilled cheese sandwich. According to the CMS statement of deficiencies and plan of correction, “the video’s caption read All I want is a grilled cheese sandwich. The video was forwarded to the local authorities. During the investigation the facility found that [nursing aide] #4 had attended a nursing staff meeting on 8/28/19, the day before the incident that included reminding staff personal cell phones were not allowed at the nurse’s station and/or in resident care areas.” In terms of this incident, the nursing home was cited in connection with requirements about protecting patients from “all types of abuse” and keeping their records confidential.
An Educational Tool: Risky Posts and Videos
Scavotto walked through other actual social media posts and explained how they may run afoul of HIPAA or social media policies, cause reputational damage to the employee/organization, or reveal violations of policies on gifts:
On the same day in November that the Arizona governor announced there were more than 100 intensive care unit (ICU) beds available, an emergency room (ER) physician posted on Twitter that he was unable to transfer any patients to the ICU. The medical group that contracted with the ER physician suspended him for three weeks at the hospital’s request, Scavotto said. “That caused the physician to tweet about the suspension and go on the news. It turned into a big mess,” she said. The tweet went viral, and the physician received a call from then-President-elect Joe Biden, who thanked him for his advocacy, according to The Washington Post. It’s unclear if the hospital had a social media policy or whether the physician was put on leave because the hospital “felt he was speaking on its behalf without authorization,” Scavotto said. “It’s a good reminder to make sure you are communicating with providers and professionals about what is and isn’t OK” to post, and if anyone has concerns about hospital operations or compliance issues, they’re clarified “before it becomes a Twitter rant.”
Nursing homes may have posts that are “fun, heart-warming, clever and creative,” but still could violate HIPAA or gift policies. She gave an example of a TikTok video of a nursing home resident in the United Kingdom that would have raised eyebrows if it were in the United States. The video is of a resident with dementia who is hugging a large stuffed animal, which was a gift from a caregiver. Another caregiver posted the video on TikTok. “People loved it. It went viral in the best way,” Scavotto said. But there are risks. Patients have to sign HIPAA authorizations before their pictures are posted by providers, and because she has dementia, “I would want to make sure the authorization was signed by the personal representative, if required, depending on the level of dementia.” Also, there’s a question of whether gifts adhere to the organization’s gift policy. “It is such a sweet video, but these are the kinds of videos that can get people in trouble,” Scavotto said.
An Oregon oncology nurse bragged on a TikTok video that she doesn’t wear a mask outside of work. Her then-employer put her on administrative leave, and she is no longer employed at the hospital. The nurse also entered into a consent order with the Oregon State Board of Nursing not to practice nursing there for an unspecified amount of time.
A California hospital nurse was suspended without pay in March after she was told she violated its social media policy and HIPAA when she complained on her Facebook page and on a Facebook group for nurses on her floor about problems getting PPE. “I have been buying my own supplies and stocking up on gear even though my hospital says I’m not allowed,” the nurse wrote. “I need everything I can get. Thank you to everyone praying for our staff and donating what they can to our nurses. Please do not contact the hospitals to donate they do not give us your donations. Give them directly to the nurses. Thank you!!!” The nurse included a selfie taken at the hospital and posted patient room numbers on her Facebook group, Scavotto said. “There are no patients in the background, but many providers have a policy prohibiting taking pictures at work without prior authorization because it is too hard to rule out PHI in the background,” such as a patient walking by. The nurse’s post and her suspension became a big news story. “You can see both sides,” Scavotto said. “Employees can rant, but they can’t violate HIPAA or your social media policies.”
She recommended using examples like this in HIPAA education, along with flyers and cartoon contests.