Following a seven-month-long investigation of a security breach at St Joseph’s/Candler Health System, Savannah, Georgia, eight hospital employees were disciplined for photographing an x-ray taken of a male patient’s pelvic area, transmitting the image by cell phone, and posting it to Facebook.
After the incident first occurred in May 2010, a hospital investigation concluded that the image contained no personal patient information, and the incident was deemed a violation of hospital policy but not a violation of HIPAA laws, according to an article in the Savannah Morning News. One employee who later left the hospital was disciplined.
But the investigation was reopened after the newspaper received copies of two images of the x-ray, one of which contained the first name and middle initial of the patient. Disciplinary actions taken against eight employees included dismissal and suspension without pay.
The incident underscores the need for health care organizations to have clearly articulated social media policies that are understood by all employees, particularly in light of the ubiquity of smartphones and other portable electronic devices capable of transmitting image data.
“Assuming every organization has one jerk working in it ... the opportunities for poor judgment have grown along with the abundance of data,” Hans Klein, associate professor, school of public policy, Georgia Institute of Technology, told the Savannah paper. “Unfortunately, we'll probably always face the issue.”
HIPAA requires a health care provider that discovers a breach involving fewer than 500 patients to report the incident by March 1.