Reporting a hipaa violation

Published

I have a question. How would I go about reporting a HIPPA violation? I have a relative that is in a nursing home that on of the staff members posted on Facebook that my relative was in the nursing home. She did not use my name but used my relatives name and picture. This relative of mine does not realize what this person did was wrong but me being a nurse puts me in a position that I feel like it needs to be reported regardless. I hold my patients privacy sacred. I only discuss my patients on a need to know basis. Where do I start with this? I need some advice and information.

I would google "how to report a HIPAA violation in xxx state" and see what you get. Or call your Department of Health.

Just an FYI, I would screen snap the information on your relative just in case it is removed.

Sorry this happened, in my eye's this is clearly an invasion of privacy.

http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html

Here is the link on how to report a violation, but this escalates it to a serious place. There is another option, too. Most facilities have a privacy officer or an entity that fills this role. That's their only job- to make sure that they are compliant with HIPAA. If it's a facility that's part of a chain, this person may be at their main office or main facility (hospital). They'll list them on their website, most likely. If it were me, I would go to that privacy officer (not an administrator or nurse manager or anyone at the responsible facility). They may reprimand the party responsible without someone having major career consequences. Suspension, administrative leave, transfer, etc. I'm just not sure of your situation and if this facility is a repeat offender, or if the post was harmful in nature.... But, if the person posted something where their heart was maybe in the right place, but made a mistake, taking it to the Dept. of Health and Human Services may have serious career consequences for that person. I'm definitely not giving you advice to go either way, but you have options. I would also consider talking to a lawyer, too.

Wow. That is nuts. For what purpose would anyone put a name and picture of a resident on a social media page? And name the nursing home? REALLY!?!?!?!?!

I would speak with the ombudsman of the facility. I would also contact the parent company's risk managment person. There may be a website of the parent company listing contact numbers.

Even something as "innocent" as "fun times at Shady Pines with Mrs. kjnsweets grandmother" showing your gram playing bingo--can and does have some consequences.

Additionally, and much depends on the nature of the photograph, if Gram (or whomever the relative of yours is) can make her own decisions, I would talk with the omsbudsman. IF you, your parents, your auntie, whomever is POA for your relative makes decisions, then perhaps it is something along the lines of "please take down the picture of Gram. We prefer not to have her picture on the website".

Curious how did you end up seeing the photo?

Specializes in Psych ICU, addictions.

I'm sorry this happened to you and your family. However, we can not offer legal advice at AN.

Keep in mind that this may or may not be a HIPAA violation: many facilities will ask patients/families for consent to use the patient's image and/or story in promotional pieces such as advertising, presentations, websites and such. What you are seeing may be perfectly legal.

Or it may not be.

You've already received some good tips to start with. I would suggest contacting a lawyer to talk to the agency and determine exactly what the situation, is and what your options are.

Best of luck.

Specializes in Gerontological, cardiac, med-surg, peds.

You may find this helpful, from the NCSBN (National Council of State Boards of Nursing). It is a white paper that was drafted to provide guidelines for nurses regarding the use of social media. Possible HIPAA violations are extensively discussed in the document. (Especially refer to Scenario 2, on page 4.)

https://www.ncsbn.org/Social_Media.pdf

"Promptly report any identified breach of confidentiality or privacy" (p. 3). According to the NCSBN, it is our duty as nurses to report.

+ Join the Discussion