A Roane County, Tennessee, EMS responder posted on her Facebook page, “well, we had a first…We worked a code in a chicken coop! Knee deep in chicken droppings.” according to HealthITSecurity.com.  Lessons from this incident can be useful for County DD Boards.

The EMS team was called to the scene because a man, Leon Raymond, had suffered a heart attack. When Mr. Raymond’s wife caught wind of the post, she was understandably upset. She is considering legal action against the county. While there is no private cause of action available for HIPAA violations, some states (such as Connecticut and New Jersey) recognize civil lawsuits under its invasion of privacy laws and negligence theory.

Roane County Executive Ron Woody said that the county’s attorney did not think the Facebook post was a HIPAA violation.

Covered Entities, such as a county EMS service, are prohibited from disclosing “Protected Health Information”.  The big question is, “Did the Facebook post contain “protected health information?”.

Protected health information is “individually identifiable health information” which relates to “the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual;” and (i) That identifies the individual; or (ii) there is a reasonable basis to believe the information can be used to identify the individual (45 CFR § 160.103).

Clearly the Facebook post related to the provision of health care to an individual (the Facebook post was about the EMS team’s response to a medical emergency). The question is — is there a “reasonable basis to believe the information can be used to identify the individual”, that is, deduce that this Facebook post was about Leon Raymond?

Only a court can answer that question. Perhaps, in this small town other residents would know that Mr. Raymond had a heart attack and was the only in the area who owns a chicken coop.  Perhaps there were news accounts and/or death notices about the incident? It is possible that someone with some other facts might reasonably deduce that Mr. Raymond was attended to by an EMS team from reading the Facebook post.

Here are some key takeaways for county boards:

  1. The definition of Protected Health Information is broader than you may have thought.
  2. Employee use of social media creates risk for the agency
  3. Clear policies for social media use, both while at work and away from work, are important
  4. Regular training for staff regarding policies is essential
  5. There can be legal ramifications for disclosures of health information besides enforcement actions from the federal government.

About Jacob Overdorff

Jacob Overdorff, Consultant for Eagle Consulting

Jacob is a consultant at Eagle Consulting with a legal background and strong focus on HIPAA-Compliance obligations.  He graduated from University of Akron School of Law in 2015, has worked as a law clerk for the International Institute of Akron, and brings research, client service, and management skills to the team.

Get Eagle Healthcare IT & HIPAA Alerts

Get Eagle Healthcare IT & HIPAA Alerts

Join our mailing list to receive the latest news and updates from the Eagle team.

You have Successfully Subscribed!

Pin It on Pinterest