Nurse Fired for Posting Details of Child’s Measles Diagnosis Online

A paediatric nurse at Texas Children’s Hospital has been fired after she posted details about a toddler’s measles diagnosis on an anti-vaxxer Facebook page.

Posting information about a patient’s diagnosis online is a violation of the privacy and security rules outlined in the Health Insurance Portability and Accountability Act (HIPAA).

The pediatric intensive care unit/emergency room nurse had been part of an anti-vaxxer (anti-vacination) Facebook group “Proud Parents of Unvaccinated Children-Texas”. After encountering a young boy with a rare case of measles, a disease that can easily be prevented through vaccinations, at the hospital the nurse posted about the experience online. She wrote of seeing the boy suffering, and but that the whole experience hadn’t change her mind about the “dangers” of vaccinations.

Her comments explained how the disease was “much worse” than she expected it to be, having not encountered anyone with the measles in the past.  She explained that it was a “rough” experience seeing the boy suffering from the disease. She also said that the boy had recently travelled to an area where “measles is very common”, and postulated that he caught the disease overseas.

She also explained in one of her posts, “I think it’s easy for us non-vaxxers to make assumptions, but most of us have never and will never see one of these diseases,” according to the Houston Chronicle, which obtained screenshots of her Facebook posts. “By no means have I changed my vax stance, and I never will. But this poor kid was bad off and as a parent, I could see vaccinating out of fear.”

Due to a high rate of vaccination (94.5%) in Houston, a measles case is very rare. Over the past ten years there have fewer than 10 confirmed cases in the city. However, due to the spread of misinformation online, the “anti-vaxxer” movement has caught momentum, and there has been a recent spike in the number of children being admitted to hospital with easily preventable diseases in recent years.

Although the nurse had kept the name of the child and his parents private, her job was listed on her profile, along with the hospital where she worked. This, combined with the information she had detailed about the boy and his measles, it is possible that the child could have been identified. Therefore, the post was deemed to be in violation of the boy’s right to privacy, and was considered a breach of HIPAA.

Texas Children’s Hospital suspended the nurse when officials found out about her social media posts and an investigation was launched. After receiving the suspension, the nurse deleted several of her posts. Shortly afterwards, the Hospital announced that it had fired her due to the nature of her HIPAA violation.

In a statement, a spokesperson for the hospital said “We were made aware that one of our nurses posted protected health information regarding a patient on social media….We take these matters very seriously as the privacy and well-being of our patients is always a top priority. After an internal investigation, this individual is no longer with the organization.”

An official from Texas Children’s Hospital confirmed the nurse lost her job as a result of violating hospital policies and federal laws by posting protected health information on a social media website, and not for her anti-vaxxing views. In a another statement online, they emphasised that the views of the employee regarding vaccination did not reflect that of the organisation.

The HIPAA Privacy Rule places restrictions on the allowable uses and disclosures of protected health information. Most healthcare professionals will be well aware that the posting of any protected health information on a social media website constitutes a HIPAA violation.

However, as this incident shows, the patient does not need to be mentioned by name in order for them to potentially be identified. If any personally identifiable protected health information is posted on social media without consent first being obtained from the patient, it constitutes a violation of the HIPAA Privacy Rule. This case was particularly delicate as it was a child’s information that was at risk when the nurse made her posts online.

At HIMSS 2017, the former deputy director of health information privacy at the HHS’ Office for Civil Rights (OCR) explained that OCR plans to issue guidance on HIPAA and social media and what is and is not acceptable.