Patient Privacy Laws (HIPAA), Social Media and the Law

Many of you have heard of the patient privacy law, called HIPPA (Health Insurance Portability and Acountability Act). It’s been around since 1996 and it’s something that we personal injury lawyers face every day in our practice. While it is a far reaching act, the way that you are most familiar with it is the aspect of the law that attempts to ensure your privacy as a health care patient, sometimes to absurd lengths.

It is why at a pharmacy they sometimes separate the “drop off” prescription section, from the “pick up” section. In effect, it is to insulate others from hearing you ask the pharmacist questions when you turn in a script. By having those who are picking up a script in a different area, they can’t hear your questions. It’s why some physicians have you sign in for your doctor visit, but then immediately blacken out your name once the staff is aware you’ve arrived. Silly precautions since when they take you back to see the doctor, they again call your name.

If you’re a personal injury patient of an attorney, it’s also why we’re always after you to sign new medical authorizations so we can get your ongoing medical records. The authorizations go stale after a period of time and must be renewed. Also, we must always have a batch of originally signed authorizations since the HIPAA laws demand originals be mailed and not reproduced copies.

But, to get to the topic at hand, nothing I’ve heard recently is quite as harsh as patient privacy laws as they interact with social media. Case-in-point, a highly skilled local surgeon, let’s say a plastic surgeon named “Dr. Tuck” did a particularly good job lifting and remaking a middle aged female patient. So pleased was she with the results, she asked the doc if he’d take a photo with her and he was only happy to oblige.

The next day, she posted on Facebook the proud photo of herself with her new look standing next to Dr. Tuck in his surgical garb and hat. That photo obviously was seen by all of her Facebook friends, and that’s her choice. No violation there.

However, Dr. Tuck, wanting to recognize his patient’s enthusiastic approval of his work, clicked “Like” on Facebook and added a “Thanks” to the comments section. This was a huge mistake. By doing this he took his patient’s photo and turned it into his own where it spread to all of his Facebook friends. And he had hundreds of them.  He hadn’t asked his patient for a Release to do this or authority from her to post it to his own Facebook page.

Funny thing is, his patient didn’t blow the HIPAA whistle. She could not have cared less Dr. Tuck spread the good photographic news. You see, HIPAA does not require a “victim”. A violation is a violation. It may have been seen by someone who knew he inadvertently posted something that wasn’t authorized. So, Dr. Tuck faced a sizeable fine through the state for his HIPAA violation. And this happens more often than you would think.

So, the lesson of unintended consequences strikes again. Or as I sometimes say, I love it when a well intentioned law goes awry. These are the results when technology expands exposing the ethical dilemmas in overly expansive laws.


Leave a Reply

Your email address will not be published. Required fields are marked *