After an orthodontist blogged about an emergency visit where his patient broke her retainer after watching Michael B. Jordan in the blockbuster hit, the Black Panther, the young woman identified herself as the anonymous patient after learning about the story via Twitter. Though she was initially quite embarrassed, she was ultimately good-natured about all of the unexpected publicity. The natural question for many health care providers was whether there was a violation of patient privacy or HIPAA? If there was, was there any harm? If there was a violation of patient privacy or HIPAA, what should the consequences be if any?
HIPAA violation? Protecting PHI alone may not be enough
What we know is that the orthodontist in question feels that this blog post was not a HIPAA violation. This much is clear on his blog.
He might be correct on first glance.
Classically, health care providers and other entities covered under HIPAA are responsible for ensuring patient privacy by taking steps to minimize the use and exposure of protected health information (PHI). PHI includes demographic information, age, gender, name of the individual, social security number, among other specific details. PHI alone, (i.e., name of a person and a phone number without any health information, condition, etc.), would be useless if found on the street. If a patient found her information on the street, she would also be unable to tell how it got there, who exposed that information, or if there was a patient privacy or HIPAA violation. To a stranger or even a loved one, that information alone also does not reveal any medical information or condition, which in many ways is the reason for HIPAA and patient privacy. There are medical conditions and situations that a patient simply does not want spouses, loved ones, or colleagues to know about. This is why patients should feel comfortable in telling health care providers their concerns in extreme confidence as it is this trusting relationship that is so vital in helping patients with their concerns and ailments.
Unlike the past, protecting PHI alone may not be enough to ensure patient privacy.
In the world of social media, the standard may be whether a patient or others could reasonably figure out an individual patient case given the information provided. Even without revealing PHI, it’s possible that despite the succinctness of this blog post, patient privacy was violated.
The details of the blog post both through text and images are quite specific, an orthodontist had an emergency visit and mentioned that his patient had a broken retainer after watching a specific movie when the actor took off his shirt.
Shortly afterwards, the patient figured it out after learning from others who saw the viral blog post.
The internet is the public space
The fact that it didn’t take long for the patient to figure out she was the one in question suggests that there was a patient privacy violation. Medical students are warned when starting third-year rotation to be mindful and respectful when communicating patient care to other medical staff and particularly in public places like the elevators or cafeteria. One never knows if a patient’s loved one or friend is within earshot and standing next to the medical team in the elevator. With social media, this public space has gotten a lot larger. There have been cases of health care providers being terminated from their jobs even though no PHI was revealed but the patient, family, or employer learned about the patient situation via tweets or Facebook posts.
The next question becomes was there any harm?
Initially, based on her tweets, the answer might have been yes. However, despite this unexpected fame, it appears she is enjoying her moment in the spotlight. Will she have any regrets years from now? The media buzz and attention will soon disappear but all of the filed stories won’t. The internet has a long memory.
This story reminds all of us in health care that our duty to protect privacy, particularly in the world of social media, means we need to be extra vigilant in what we say and in what settings or forums we say it in.
A doctor-patient relationship is one of the most sacred. Trust in that relationship relies on patient privacy. It appears this may be one situation where that privacy was violated. Perhaps the most professional thing to do is never to post anything about patient care.
What do you think?
Share this Post