Mandatory that we report HIPAA violations?

I was on Facebook recently and a person posted a photo of her and her patient, which also included the patient's first name.

I am just curious if we are mandated to report HIPAA violations. I unfortunately do not want to be the "whistleblower" when it comes to this, but I also know that it is against our HIPAA regulations.

Specializes in ER, ICU.

No, reporting violations is not required. Why don't you send the poster an email pointing out the problem? That way they could remove the photo and solve the problem.

Specializes in Trauma Surgical ICU.

Do you work peds or the NICU? I see a lot of pictures from that area. Mostly parents are proud of the staff and want pictures of them with their lil ones, and they post them to FB and tag the nurse. Parents are allowed to do this. I know several NICU nurses that are "friends" with the parents on FB. Tough spot because it is the parents that "friend" request the nurses. My friend had a baby in the NICU for 3 months; I have seen several pics of her lil girl with the staff.

Now if the nurse is taking and posting pics, yes, that is a violation and she needs to know this.

The question is - is this PHI? You said a person posted a photo of her and her patient. If the healthcare provider's photo indicates what that healthcare provider does, i.e., the provider's specialty, then it may be PHI.

Remember - to be regulated the data must be Individually Identifiable Health Information or "PHI" - and that type of information consists of two parts, generally speaking - (1) - past, present or future physical or mental health information, (2) - about a person - (i.e., that identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual).

If as indicated the two photos provide health information about an individual, then you may have a breach on your hands. If so - that breach needs to be recorded and reported to DHHS in the year it occurred, as a breach under 500 individuals.

This person is a physical therapy assistant who took a photo with a special needs child and posted it with her name included on the photo. She also openly posts information on what facility she works for on her Facebook page. I just wanted to clarify that it was indeed a HIPAA violation, and she had taken it off her Facebook a few hours later when two people had made comments about HIPAA.

So my question is, if it was unintentional and she took it down, do I still need to report it?.... And I'm pretty sure I already know the answer :-/

To be a breach - there has to be damages - risk to reputational and financial harm etc...thus a risk analysis would have to be performed, (before reporting it as a breach - according to the regulations).

However, as you indicated, many health care providers are still unaware of the risks associated with using Facebook and Twitter in relation to disclosing PHI...

Again - this reply is offered for informational purposes only and not intended as legal advice - thus consult with an expert before relying on any information contained herein.

Not exactly, to prove malpractice there has to be a duty to care (caregiver or institution/patient relationship), a breach of that duty, damages, and the damages must have been caused by the breach.

But we take your point. She never knows who may have seen that picture and it is a breach of duty (duty to maintain confidentiality) to have posted it. She might get lucky, but maybe not.

As to reporting, in many situations if you know of a HIPAA violation and do not report it, you can be assumed by your institution to be complicit, and be open to sanctions. Not all, and I'm not a lawyer either, but you did the right thing by telling her to take it down stat.

Specializes in PICU, Sedation/Radiology, PACU.

The question is - is this PHI? You said a person posted a photo of her and her patient. If the healthcare provider's photo indicates what that healthcare provider does, i.e., the provider's specialty, then it may be PHI.

Remember - to be regulated the data must be Individually Identifiable Health Information or "PHI" - and that type of information consists of two parts, generally speaking - (1) - past, present or future physical or mental health information, (2) - about a person - (i.e., that identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual).

If as indicated the two photos provide health information about an individual, then you may have a breach on your hands. If so - that breach needs to be recorded and reported to DHHS in the year it occurred, as a breach under 500 individuals.

This is not accurate. A full face photograph is considered by HIPAA to be protected health information. UCSF Human Research Protection Program - CHR - HIPAA - PHI Identifiers & Definition

^ See number 17.

It doesn't matter if the photo revealed any other health information about the patient. The photo itself is considered PHI and posting it on the internet is a HIPAA violation.

In regard to the OP's original question, you are not mandated by any law to report a HIPAA violation. However, many facilities are of the idea that if you knew about a violation and don't report it, you are also guilty of the violation. Since you never commented on the picture, and it wasn't on your Facebook page, that would be difficult to prove. It also doesn't appear that you even work with this person, so policing her Facebook page is certainly not something you should be held responsible for.

What if the patient gives permission?

I've just always wondered about that.

I kind of feel uneasy whenever I see commercials for the LTC facility I used to work in; they have a video of the place and they show identifiable footage of residents in it. I always wonder if it's a HIPAA violation, and if they actually got permission to use that video.

Don't assume....

I have several pictures on my Facebook profile of me and former patients (babies)...they were also sent to me by the parents.

If as indicated the two photos provide health information about an individual, then you may have a breach on your hands. If so - that breach needs to be recorded and reported to DHHS in the year it occurred, as a breach under 500 individuals.

You are talking about regs requiring organizations to inform individuals when data breaches occur. This has to do with IT security & use of EHRs, which is not really applicable here.