social media sharing of patient info gets doctor fired

A doctor has recently been fined $500 by the State medical board after posting personally identifiable information about a patient on Facebook, a number of months after the incident caused her to lose her employment. This is a HIPAA violation that all healthcare professionals should take note of. The doctor, Alexandra Thran, did not post the patient’s name in her post, which would be an immediate violation of HIPAA Rules, but she did post sufficient information to enable the person to be identified. Another individual who visited Thran’s Facebook page was able to determine the identity of the patient from the information she wrote on the page, even in the absence of the patient’s name.

The disclosure of Protected Health Information, which includes references to medical treatments as well as health records, along with Personally Identifiable Information (PII) can result in civil penalties being brought against the covered entity and any individual responsible for the HIPAA breach. The penalties can involve time in jail. This is not the first incident of its kind. Nurses and doctors have been fired by their employers in California and Wisconsin for having social media discussions about patients via social media.

One problem is that users of social media are encouraged to share all manner of information with friends and relatives, yet in a work setting the potential for HIPAA violations means extreme caution should be taken. In this case the incident involved an ER doctor, and the conversation was not had with the patient. Some doctors may be choosing social media channels to interact with patients but there is considerable potential for a HIPAA violation.


Increasingly hospitals and healthcare institutions are slowly beginning to  tackle the issue and  healthcare providers start to develop policies covering the use of social media, the sharing of PHI and communicating with patients through secure channels. Social media use is only likely to grow, and with it so will the risk of causing HIPAA violations.

It is essential  to train the staff on HIPAA compliant Privacy Rules and to set strict policies covering the use of Facebook and other platforms. Many hospitals have identified the risk and have taken action and put together policies for staff to make it clear on what is allowed and what is strictly forbidden. Children’s Hospital Boston, for example, has just developed a 6-page document detailing allowable uses of social media and do’s and don’ts, with many other hospitals now electing to do the same.