Assault case puts hospitals' social-media policies at issue
Abington Health requires its employees to complete computer-based training on patient-privacy regulations and responsible use of social media when they are hired. Then, there are annual reviews.
/arc-anglerfish-arc2-prod-pmn.s3.amazonaws.com/public/37LGB6Y2XVDTDD3GUCSDVNGH3M.jpg)
Abington Health requires its employees to complete computer-based training on patient-privacy regulations and responsible use of social media when they are hired. Then, there are annual reviews.
These apparently were not enough to protect it from humiliation when outsiders checked out the Twitter account of an emergency-room tech after she was arrested in an attack on a gay couple in Center City.
In 140-character increments, Kathryn Knott showed herself as a hard-drinking, homophobic mean girl. She also posted pictures of patient X-rays and of two severed fingers, described seeing her first gunshot wound as "#awesome," and wrote, "Another patient with scabies. I CAN'T," according to published reports, expressing her revulsion for the itchy skin condition caused by mites.
Knott was fired from her job at Lansdale Hospital, part of the Abington Health system, on Sept. 25. The system did not say why. The day before, it had released a statement saying it had suspended her "because of the nature of the charges against her." The system also said it was investigating whether she violated "patient privacy and our organization's social media policy."
The case raises questions about how hospitals are protecting themselves and their customers in an age when many younger employees and some older ones are practically fused to their smartphones. The issue is particularly important in health care, where the federal Health Insurance Portability and Accountability Act (HIPAA) sets a high standard for sharing any patient information.
"Any story like this needs to be a reminder to everybody working in the field . . . about the importance of protecting patient information," said Lauren Steinfeld, chief privacy officer for Penn Medicine.
The case also seems to have spooked many people who might know enough about the law to know whether Knott, whose tweets did not include patient names, did in fact violate HIPAA or just the standards of common sense and decency. Or even what's in a typical social media policy.
Citing tangential connections to the case, three lawyers declined to discuss it, while a fourth insisted that her name not be used. The Delaware Valley Healthcare Council, a trade group for area hospitals, would say only that based on a poll of its members, most hospitals in Southeastern Pennsylvania have social-media policies.
Calls seeking interviews with officials at Thomas Jefferson University Hospital, Einstein Medical Center, and Main Line Health proved fruitless.
So this appears to be a touchy issue, perhaps because it is obvious that no business with thousands of employees can police all of their Twitter, Instagram, and Facebook accounts.
Linda Millevoi, an Abington Health spokeswoman, said she could not say specifically why Knott was fired.
Knott worked in a low-level hospital position that required a minimum of four weeks' training.
Millevoi said Abington's social media policy prohibits posting "any content about patients or their personal health information including patient images." The hospital will notify patients it can identify about the tweets, she said.
Philip Miles, a Pennsylvania State University law professor and employment lawyer, said companies usually don't have to have a reason to fire a non-union employee in an "at-will" employment state like Pennsylvania. "The employer can terminate the employee at any time for any reason. Or no reason," he said.
Lawyers disagreed about whether Knott's tweets were clear violations of HIPAA. The law prohibits public release of obvious things like names and facial pictures, as well as addresses, dates, insurance-policy numbers, e-mail addresses, and several other numbers. There's also a catch-all phrase that includes any information that someone could use to figure out who a patient is.
Lawyers weren't sure whether the dated tweets in this case would provide enough information for outsiders to identify patients.
"That's where it's a slippery slope," said a Philadelphia lawyer who asked to remain anonymous because her firm represents clients with similar issues.
She said HIPAA is not just about privacy, but dignity. "If I'm representing the hospital, you don't let them take pictures, ever," she said.
While the legal issues are the same for what you say on Twitter or in the elevator, social media's permanence and potential reach make it a bigger headache.
Steinfeld said privacy is a challenge in institutions that need so much personal information. Her job is to try to create a "culture" of privacy that reaches employees at all levels.
"It's a very good idea in the world of HIPAA to err on the side of caution," she said.
Her simplest description of the law: "You use patient information as necessary to do your job. If you stick to that, you're going to be in good shape."
215-854-4944 @StaceyABurling