Is this a confidentiality breach?
July 30, 2014 4:16 PM   Subscribe

I work in corrections. On facebook, on my page, I posted something that might have been a breach of confidentiality. Snowflake details inside.

On FB, I posted that it was my last day working in a certain department within the correctional institution that I work at. A coworker posted a remark stating "[patient's last name] will miss you." I responded, with a complete lapse in judgement: "[patient's last name] can kiss my ass." Yet another coworker responded with "[patient's last name] would probably lick your ass if you wanted him to." Yes, rather tasteless, I know. Well, as tends to happen, this made it back to a supervisor at work and is going up the chain, as far as I know. I've admitted to the supervisor directly that it was a lapse in judgement on my part (which I can't believe I was stupid enough not to think of before, but there you go), and I quickly took down the post thereafter. My question is... in the eyes of state law (California), how screwed am I? I've heard things like "HIPAA violation" being thrown around, but then i'm not so sure. Obviously these things were not nice to say in the slightest, but how outside of the law are they? Only the person's last name was used.
posted by anonymous to Law & Government (18 answers total) 1 user marked this as a favorite
You should talk to a lawyer.
posted by PhoBWanKenobi at 4:23 PM on July 30, 2014 [10 favorites]

It is definitely a HIPAA violation. It is possible that it could have been even if you didn't use the patient's name -- using the patient's last name makes it pretty flagrant.
posted by telegraph at 4:24 PM on July 30, 2014 [3 favorites]

You can commit a HIPAA violation with way less identifying information than a name. That would definitely qualify.
posted by obfuscation at 4:26 PM on July 30, 2014

Whether or not it's a HIPAA violation depends on the nature of your work, and whether you were bound by HIPAA because of it-- that's something that you should know (did you have like a one-hour HIPAA training sometime when you started your job? No need to actually respond, just think about it). If you were bound by HIPAA, this is bad for you because it's bad for your employer.

If you weren't bound by HIPAA, that doesn't mean you're in the clear - there may have been other laws you violated that I don't know about
posted by brainmouse at 4:27 PM on July 30, 2014 [1 favorite]

I don't think this is a HIPAA violation, but you should talk to an employment lawyer.
posted by roomthreeseventeen at 4:37 PM on July 30, 2014

(Oh, sorry, missed the word patient as well. Lawyer.)
posted by roomthreeseventeen at 4:38 PM on July 30, 2014

IANAL. If you stand to lose your job or your license, you will want a real lawyer.

HIPPA protects people's medical information - including the fact they are a patient. So, the primary information being released is that you have a patient with this last name. How common is the last name? Would someone who didn't know that this person was at your facility be able to guess that it might refer to them. Would someone who knows that their friend/loved one is at your facility be able to guess who you are talking about?

Aside from confidentiality, you might have an issue of unprofessional conduct. Is expressing this type of derogatory attitude towards a patient grounds for the patient to claim that they are being mistreated by the system? A different but related can of worms to think about.
posted by metahawk at 4:39 PM on July 30, 2014 [4 favorites]

Both co-workers also need a lawyer, so maybe all of you can use the same one. Also tell co-workers to STFU until everyone gets representation.
To be justifiably paranoid, someone who is out to get you may be trying to make this into something much more than it should be.
posted by Sophont at 4:57 PM on July 30, 2014 [1 favorite]

Don't corrections officers typically have unions? Talk to your union rep, stat. They have a lawyer who already knows all this stuff without having to look it up, knows how the rules are applied in reality (not just on paper), and is already being paid to help you.
posted by If only I had a penguin... at 5:02 PM on July 30, 2014 [9 favorites]

It's absolutely a violation to my understanding of HIPAA. You don't even have to use the patient's name to breach HIPAA, if you use information that could possibly be used to identify them in other ways, but using their name is pretty clear cut. At most hospitals where I have worked, a violation like this would mean losing your job. I have no idea what the legal ramifications are though, or if it's the same at a corrections place as it would be at a major hospital.
posted by treehorn+bunny at 5:23 PM on July 30, 2014

Aside from confidentiality, you might have an issue of unprofessional conduct. Is expressing this type of derogatory attitude towards a patient grounds for the patient to claim that they are being mistreated by the system? A different but related can of worms to think about.

This. Multiple workers using patient names on social media in a derogatory manner. Your workplace is now open to several claims being made. Is your workplace a state/public facility? Even more. Get a lawyer. Get your own lawyer separate from your co-workers.
posted by beanie at 6:01 PM on July 30, 2014 [6 favorites]

I had HIPAA training annually for 5 years. It takes three pieces of personally identifiable information to confirm identification. If all you used was the last name in isolation, without stating that it was a patient at X facility, it's definitely unprofessional and a bad thing to do but might be a "HIPAA concern" rather than a "HIPAA violation." This is a less serious offense. If the information included that Last Name was a Patient at X Facility, that could hit the "3 pieces of information" mark. But the way you wrote it, it sounds to me like the last name was used in isolation and you are using "patient" in the context of writing your ask but that you didn't say that in the post.

It helps that you took it down. Yes, this can be a firing offense, I think in this case more because of how tasteless it is. This is not a clear cut HIPAA violation. It needs to be carefully reviewed by a HIPAA lawyer to make that determination.

Part of my old job involved referring potential HIPAA violations to the legal department for proper review and writing notification letters to clients when something like this happened. Based on that experience, as far as HIPAA goes, it looks to me like a "concern" and not a breach. (Though I do not have enough information to really clearly say for sure and I am also not a lawyer.) Yeah, it's a bad thing. But it's not necessarily hugely bad. HIPAA will likely want to slap your hand and tell you to definitely not do this again.

I think I would be personally much more concerned about the unprofessional conduct angle.
posted by Michele in California at 6:06 PM on July 30, 2014 [1 favorite]

Seconding call your union immediately. Not only should there be local representatives who can represent you in disciplinary meetings but they should also have a legal department available to their members for things like this. Beyond that they will likely have personnel who can evaluate what exactly you can be accused of within the department rules and legally. Good luck, hopefully things work out for you.
posted by mrdrummed at 6:39 PM on July 30, 2014

IANYL. But as others have pointed out, not only could you have potentially committed a HIPAA violation, but you are almost guaranteed to have severe disciplinary action because you have acted in a way that puts CDCR at a liability by making public statements that are derogatory toward an inmate. (I'm assuming you're a CDCR employee. If you're a private employee, all the following still applies.)

COs who create a situation where prejudice is suspected are nightmare for risk adjusters and for state attorneys that protect corrections departments. If the inmate in question (or other inmates) were to find out about this situation, it would be excellent lawsuit ammo. Even though you took it down, evidence that you made those statements likely still exists. Have you discussed the post you made using work email? In a lawsuit, discovery can dig that material up easily thanks to public information and document retention laws if you're a state employee.

To be blunt you have put CDCR at risk monetarily, potentially at a dollar figure that is a lot higher than the salary you get paid. You've also indicated that you don't understand fundamental job responsibilities. Even if your actions don't result in a claim this time around, it's a huge red flag for your employers. Talk to a lawyer and get in touch with your union (if you are a part of one).

I wish you the best and I don't mean to be too harsh- just want to make sure you understand why this was a major error in judgment.
posted by Old Man McKay at 6:56 PM on July 30, 2014 [1 favorite]

Do you have a union? If so, talk to your union rep ASAP.
posted by DarlingBri at 8:09 PM on July 30, 2014

Well, as tends to happen, this made it back to a supervisor at work...

This means someone else (probably at your workplace but maybe not if the statements were widely visible on social media) reported you and your co-workers. Which means, yes, you should assume direct evidence of your posts exists even though you deleted them. As do witnesses to your behavior.

Like Old Man McKay, I also don't mean to be too harsh, but also want to emphasize this is a major error in judgment that opens up your employer to some pretty serious liability and you should take it seriously and carefully as you proceed. Good luck.
posted by beanie at 8:32 PM on July 30, 2014 [1 favorite]

Yeah, it's pretty serious.
In public viewed space you and your co-workers identified a client, that you where a caregiver of some sort, the facility can be identified via your work history/job description either of yourself or the other people involved. Add on top the malicious nature of the exchange.
I think the only thing keeping people from ripping you a new one here is that you part of the community.
posted by edgeways at 6:02 AM on July 31, 2014

So, here's a question: Was the FB status public? Could anyone read it? Or do you use FB privacy tools to restrict who can see your posts to just a small group (say, just your co-workers for example)? In a similar situation in a former workplace, a co-worker was able to prove that only other employees of the facility were able to see her posts, and thus saved her job.
posted by anastasiav at 6:05 AM on July 31, 2014

« Older Can I register a car in NY and drive it into...   |   What substance is coming off my tomatoes? Newer »
This thread is closed to new comments.