Tri-City Medical Center in Oceanside, CA, last week said it has moved to terminate five employees and has disciplined a sixth for using "social media to post their personal discussions concerning hospital patients."
Hospital officials became suspicious earlier this year that a breach of patient privacy may have occurred on Facebook and launched an investigation but said that as yet it has found no evidence that patient names, photographs, or other information was posted on the site. Tri-City also has not specified the information these six employees allegedly shared on the website.
Nevertheless, Larry Anderson, CEO of Tri-City released a statement saying the hospital will pursue termination of the employees who "used social media to post their personal discussions concerning hospital patients." Representatives from Tri-City have not released what positions the employees at the hospital hold, but Anderson said in the statement, "we do not tolerate violation of our privacy policies."
A story in last week's North County Times quoted Max Carbuccia, a labor representative for the California Nurses Association, saying that six Tri-City nurses were put on administrative leave about three weeks ago. He said the nurses had not seen the evidence against them, and that all deny posting specific information about specific patients online.
Some nursing organizations noted that the termination seems like inappropriate disciplinary action in light of these circumstances.
"I find it curious that the hospital would pursue termination if no HIPAA violations were made such as posting patient names or pictures," says Debi Savage, RN, MSN, BSN, CNO, of Sacred Heart Hospital in Chicago, IL. "However, if the nurses have on their Facebook page the name of the hospital and possibly the unit they work on and then discuss 'hypothetical scenarios' that could be traced back to patients in that hospital and unit, then I believe this is inappropriate."
"The article (reported by North County Times in CA) clearly states that the discussion on Facebook was hypothetical and didn't include patient information (thereby excluding a HIPPA violation), says Tonya Barrere. "It sounds more like a blog where nurses can bounce their questions/ideas about disease processes or situations they encounter in their profession. In my opinion it's the nurses' rights who have been violated--not the patient's."
Savage does argue, however, that if she were in this situation, and the nurses only posted or shared information on the types of patients the nurses dealt with, she would not be concerned or terminate them.
Carbuccia says the nurses may have responded to hypothetical questions on how to treat different types of patients.
Lisette Cintron, RN, MSN, CHCQM, CNL, Clinical Nurse Educator/NICHE Program Co-Coordinator of Juniper, FL, says that many of these social networking sites are platforms where nurses "gather together to discuss and obtain information on how to handle specific conditions, what options are available, and how to better help their patients."
However, Cintron believes that using Facebook to discuss this information may not be the best route for nurses to take. "We are unsure exactly of what the nurses at Tri-City Medical Center shared on Facebook, but depending on what exactly was shared, should determine whether the firing of the nurses is justified."
Savage believes that based on this particular case, hospitals should expand their HIPAA policy to include posting patient information or hospital information on social media sites, whether that be on Facebook or one's personal blog.
"All employees should participate in a HIPAA policy review with details on what not to do especially regarding social media," says Savage. "Once it is clear to the employees how even the most hypothetical information can be perceived coming from nurses at a specific hospital and/or unit, the staff can be held accountable."
Under California laws for public hospital districts, Tri-City employees are entitled to a hearing, before they can be fired. It is unclear whether such hearings have been scheduled or held.
"The outcome of this case may set a precedent as social media is so popular," says Savage. "Most healthcare workers know not to list patient names, pictures, or details on a website nor discuss specific patients or details of their cases in public. But hypothetical situations are sticky because they could apply to a particular patient who believes they have been written about even if the person writing it truly made up the situation."
"We will take further action to prevent similar incidents, including re-emphasizing through employee training and education, the hospital's and its employees' ongoing commitment and obligation to protect our patients' privacy," Anderson said.
The disclosure came the same week that state health officials announced it has fined five hospitals a total of $675,000 in penalties for six instances of privacy breaches of confidential medical information. Tri-City was not named among those hospitals, but Tri-City officials said that they reported the incidents to the state as required by law.
A Tri-City spokeswoman said the hospital is not aware that the state has imposed a fine against the hospital for the breach. However state fines could amount to $25,000 for the first violation, with subsequent breaches costing $17,500 each.
Anderson said that at Tri-City, a 397-bed district hospital in Oceanside, 30 miles north of San Diego, "our top priority is ensuring the health and wellbeing of our patients, which includes protecting their privacy. As a fundamental part of that commitment, we provider our employees privacy and confidentiality training when they are hired and later on an ongoing basis."
A hospital spokeswoman said further details, such as when the breaches occurred, were unavailable.
Cheryl Clark is a senior editor and California correspondent for HealthLeaders Media Online. She can be reached at cclark@healthleadersmedia.com.
Follow Cheryl Clark on Twitter.
Sarah Kearns is an editor for HCPro in the Quality and Patient Safety Group. Contact Sarah at skearns@hcpro.com