Do you think I have a case? HIPAA

  1. Hi, fellow nurses. I am in quite the pickle here. To start, I had a rough night at work the other night. Being a young nurse, social media is a big part of my life. I made a post after the long night I endured, more so to describe my night. Earlier this week, I was called into a meeting with the ethics team, HR and my managers. I was told that even by the date of the tweet, it is a violation. I was told that in my new associate education, I was educated on the 18 identifiers of HIPAA. I have since gone back to verify that I was not educated on these. I also had never received a formal class regarding HIPAA and what exactly it is. During the interview I was asked what I thought it was, my answer being "name, MR#, ssn." I was asked to write a statement regarding this situation, and made sure to include that I do not feel I was properly educated on what HIPAA is or this never would have occurred. Does anyone here think I have a case? I am not sure what the outcome of the situation will be, but I intend to fight it however I can. Please, I already know how stupid this was (hindsight is always 20/20) but I truly did not believe I was breaking HIPAA or nothing would have EVER been posted.
  2. Visit msoncnurse17 profile page

    About msoncnurse17

    Joined: Nov '17; Posts: 1


  3. by   JKL33
    You never need to post anything about work. Just do not do it. Even before HIPAA and social media we did not stand on street corners shouting about work for whomever passed by to hear, which is a fair analogy to what these social media actions are.

    The thing is, some of these posts are not actually HIPAA violations, but that doesn't matter. I repeat: That does not matter. Employers love to mix up their own "privacy practices" with HIPAA and even further tangle things by throwing a good measure of public relations control into their policies about communication practices. In the end, it doesn't so much matter what they call it because if you violate any of these it you will likely be fired. You may get by this time with your charge about not having HIPAA training during orientation (although it's almost unbelievable that they would omit that) combined with the fact that (I suspect) you didn't really violate HIPAA but rather their privacy practices or related policies. But even if they do let you slide, I'm guessing it is your last chance.

    I know I sound harsh but I suggest you get it out of your head that social media is the appropriate place for this. There is no need for it. No one ever needed to share their rough night at work with "all my friends" (and my friends' friends and their friends and anyone else who may be "following" or looking over the friend-of-a-friend's shoulder).

    Since you say you actually don't know about HIPAA, perhaps you could ask to do a research paper or presentation as a disciplinary measure and in order to prove that you have become educated about the topic. You certainly do need to know about it. You should review all of your employer's related policies, too. Maybe taking a positive and proactive approach will save your job. You probably don't have a lot of realistic options with regard to "fighting it."

    Take care ~
  4. by   Castiela
    Even posting items not about your employer but that show "questionable moral turpitude" can get you fired. I've just given up on posting in social media. It's easier and I never have to second Gus's if something I posted will get me fired
  5. by   blondenurse12
    They have to educate you on HIPAA if they are accredited by the Joint Commission. If they didn't, that's a big problem. Will it serve you well to make a stink? Probably not.

    Obviously I don't know what you posted and it might not have truly been a HIPAA violation. Companies now believe they own us and have the right to police everything we do. Isn't late stage capitalism grand?
  6. by   JustBeachyNurse
    Ignorance of the law is not a defense.

    Did you complain about your employer or did you post about specific patient(s)? Either can be grounds for termination. The employee handbook most likely has information about the corporate social media policy.
  7. by   jodispamodi
    Sorry about your situation but I think it comes down to common sense re: HIPAA, I mean if you have your employer listed on your social media, and have friends that know where you work I can see how an employer would feel it was a violation. Some places take HIPAA to the Nth degree, and people have been fired for having their place of work listed and venting in a post and saying something to the effect of this hospital sucks. Its sad that we live in a big brother world but thats how it is these days.
  8. by   hppygr8ful
    While I have the highest privacy settings on Face Book. I make it a priority to never say ANYTHING even remotely related to work or my employer on my feed, I once joked that I post recipes, cat videos and "I love Jesus" on my page.

  9. by   Meriwhen
    HIPAA isn't necessarily just posting name, MRN and/or SSN. A HIPAA violation can occur if you share enough of ANY information about a patient, that someone could use it to identify said patient. And not knowing exactly what you posted as you didn't share it, it could be very possible that you DID violate HIPAA with your post.

    If you had a case--and IMO, you don't--it would be a very poor one. HIPAA and patient privacy is part of almost any nursing school curriculum, both in the classroom and clinical settings. Plus, almost every hospital on the face of this earth gives their hires both initial and annual training in privacy laws. I don't work at your facility, but I find it incredibly hard to believe that you didn't receive any privacy training. Perhaps they may not have had the list "18 specific HIPAA identifiers", but you WOULD have had an understanding of what HIPAA is and what you can and can't share.

    I don't believe you had bad intentions...unfortunately, lack of ill intent doesn't mean you get off the legal hook. And to fight by insisting that you know nothing about HIPAA would make you look even worse, especially since this is something that you (should) have learned both in school and new hire training. They may start to see you as a liability, especially since those HIPAA fines can be in the hundreds of thousands of dollars.

    IMO, I'd tell them mea culpa, cheerfully complete any remedial training they may require, and promise them you will never make this mistake again. It could have been worse: you could have been fired and/or reported and face paying fines.

    If you are insistent on claiming that they really didn't train you...well, you may want to rethink employment there, as the government will not buy the "but the hospital never trained me!" excuse. Don't think it's just hospitals that violate and get fined for violating HIPAA: individuals can and have been fined for violating privacy laws. And the hospital certainly won't lift a finger to save you if that happens...they'd cut their losses (read: you) and focus on saving themselves.

    But again, almost no hospital would neglect to train their employees in patient privacy laws. Not when possibly having to pay fines--and taking hits to their reputation--is on the line.

    All the HIPAA info you could want is here: Health Information Privacy |

    And take some time to rethink your social media habits. Remember the Internet is forever: once you post something, that post is out of your control. Even if you delete it right away, whose to say that someone didn't copy it/forward it/screen shot it?

    Sorry if this isn't what you wanted to hear. Best of luck in sorting this out.
    Last edit by Meriwhen on Nov 25, '17 : Reason: added link
  10. by   Meriwhen
    Also, as others have mentioned, review your facility's policies on social media. Some are fairly lenient about what their employees post online, while others like to keep a tighter reign. None of them care about your right to free speech. If you want to remain an employee of this hospital, then you need to abide by their social media policy regardless of whether you personally agree with it. If you choose not to abide by it, then you'll have to deal with any consequences.

    IMO, it's wisest not to post about work at all, or to post basic things that are complementary or at least neutral (e.g., "had a great shift," "what a tough night but I made it," etc.). Use privacy settings to control who can see your content. If you want to get more detailed, even if it's a "private" post, do so at your own risk.

    If you truly want to talk about your work online, create an anonymous blog and do it there. But also remember that it's very hard, if not impossible, to be 100% anonymous online. People can be pretty good at reading what you post here, there, and anywhere, and then drawing accurate conclusions about who you are. Case in point: a couple of years ago, a popular ER blog was closed because the hospital eventually figured out who the author was, even though the author was as careful as possible when posting. The hospital confronted the author about their blog, and the author decided it'd be in their (the author) best interest to cease blogging.
    Last edit by Meriwhen on Nov 25, '17
  11. by   hppygr8ful
    Quote from Meriwhen
    IMO, I'd tell them mea culpa, cheerfully complete any remedial training they may require, and promise them you will never make this mistake again. It could have been worse: you could have been fired and/or reported and face paying fines.
    I might also add violators can also face jail time!
  12. by   Orca
    Quote from JKL33
    You never need to post anything about work. Just do not do it. Even before HIPAA and social media we did not stand on street corners shouting about work for whomever passed by to hear, which is a fair analogy to what these social media actions are.
    You could not be given more solid advice than this. Once you put something in writing online, it is there for perpetuity. I never, ever discuss work matters on social media. My employer has a clause in the employee conduct code that mentions "words or actions deemed detrimental to the agency." Depending upon who is doing the interpreting, that could be a whole laundry basket full of unrelated things. If you say nothing, you can't really be called on it.