Social Media and HIPAA Violations

Think twice

Social media is a great way to connect personally and professionally. But remember that online posts live forever and that social media misfires could negatively affect your license and ability to practice. To protect yourself, think twice before you post content that could be judged as unprofessional.

The very uncertain nature of the online relationship creates risk for physicians and nurses. According to the FSMB, “online interactions” can “constitute the beginning of a relationship,” regardless of whether the physician or nurse has met the patient in person and regardless of the fact that they cannot necessarily verify who is on the other side of the electronic communication. Physicians and nurses who use social media may also create unintended consequences, which reflect poorly on the profession and cause potential discipline from the Medical Board of California (MBC) or California Board of Registered Nursing (BRN).

Breaches of patient privacy and confidentiality (HIPAA)

Patient privacy and confidentiality should be protected at all times, and physicians should never use information that could be used to identify patients. Physicians must reveal any existing conflicts and be honest about their credentials.

Whether intentional or inadvertent, social media posts that breach patient privacy and confidentiality are the most egregious and invite Board investigation. These types of posts include patient photos, negative comments about patients, or details that might identify them, the healthcare setting, or specific departments. Even when posted with the best intentions, such as trying to get professional advice from colleagues about patient care, these posts are discoverable and can lead to legal problems, with potential fines and jail time for Health Insurance Portability and Accountability Act (HIPAA) violations, termination or other discipline from your employer, action taken against your license by MBC or BRN, civil litigation, or professional liability claims.

A high-risk area is posts that could be considered unprofessional or reflect unethical conduct, that is, anything defined as unbecoming of the profession. Some examples include:

  • Negative comments about the workplace
  • Complaints about coworkers and employers
  • Threatening or harassing comments
  • Using disrespectful language about patients on blogs
  • Accepting “friend” requests from patients (so as not to be rude, but without being clear as to how that affected their professional relationship)
  • Posting photographs of alcohol intoxication

Physicians and nurses should use separate personal and professional social networking sites, report any witnessed unprofessional behavior, and always adhere to the same principles of professionalism as they would offline. Other specific examples of misconduct include:

  • The highly publicized firing in 2013 of an emergency department nurse demonstrates the risks connected with posting workplace photos. The nurse shared a photo on Instagram depicting an empty trauma room where a patient had been treated after getting hit by a subway train. Although the post didn’t violate HIPAA rules or the hospital’s social media policy, she was terminated for being insensitive.
  • A 2012 decision by the California Supreme Court left intact an appellate ruling (Sulla v Board of Registered Nursing) that allowed a state board to discipline a nurse who was caught driving drunk, even though his arrest had nothing to do with his job. The BRN placed the nurse on 3 years’ probation after his arrest. The appeals court ruled that state laws authorize disciplinary action against a nurse who uses alcohol, on or off the job, in a way that endangers others. The result is that nurses in California who are convicted of DUIs will have their nursing license suspended by the BRN.
  • While at work, a nurse posted information on her Facebook about her patients. While she did not mention any patient names specifically, she posted her place of employment, the unit she worked on, and enough particulars so that the patients could be identified. The Board also received complaints about the licensed nurse while off-duty. The BRN charged her with unprofessional conduct in her failure to respect or safeguard the patient’s dignity, right to privacy, and confidential health information.

Posts about your personal life also can negatively affect your professional life. Posting photos or comments about alcohol or drug use, domestic violence (even comments about arguing with a spouse) and use of profanity, or sexually explicit or racially derogatory comments could lead to charges of unprofessional behavior by BRN. And keep in mind that complaints can come from anywhere, including employers and coworkers, family and friends, and intimate partners, so the privacy setting on the social media platform won’t protect you.

The California licensing boards routinely discipline doctors, nurses, pharmacists, dentists and other licensed professionals for any behavior that involves criminal charges. Remember, social media is publicly accessible.

When an Investigation is Triggered

With the prevalence of the internet in everyone’s life, even innocent, offhand comments can easily be reported to the Board, as almost everyone has a smartphone. If someone complains about you to a healthcare board, there will be an investigation – even if the conduct occurs outside the scope of your job.

If you are a licensed professional arrested for any criminal charge, or contacted by a professional licensing board regarding unprofessional conduct, contact us before you speak with their investigator or agent. Hire Attorney Lucy McAllister — she specializes in licensing law and procedure. Decisions about a complaint can take several months to more than a year, and outcomes can range from case dismissal for lack of merit or insufficient evidence to referral to the state’s Attorney General office for prosecution. Contact us today at (877) 280-9944.

Protected Activities and Disparaging the Employer

Employees can be subject to disciplinary action for posting content unfavorable to their employer. However, the law provides some protection to employees who post about the workplace or disparage their employer if those employees are engaged in protected activity.

The National Labor Relations Act (NLRA) makes it unlawful for an employer to interfere with, coerce or restrain an employee’s right to self-organize or engage in “concerted activity,” which includes acting with coworkers or colleagues to address work-related issues such as wages, benefits, and working conditions. Employees do not always have to organize as a group in order to be engaged in concerted activity; a single employee may also engage in concerted activity if they are acting on the authority of other employees, bringing group complaints to an employer’s attention, trying to induce group action or seeking to prepare for group action. If an employee is engaging in concerted activity on social media, that activity falls under the protections of the NLRA. Here are a few examples of conduct that is likely protected:

  • An employee posts a video on Instagram describing how uncomfortable it is to work with a supervisor who sends her sexually suggestive text messages.
  • Employees in a public chat discuss how their employer does not adequately compensate them for overtime.
  • An employee makes a Facebook post regarding insufficient social distancing and safety precautions in the workplace after returning to work.
  • Employees tweet about their employer’s code of conduct being racially discriminatory.

However, protections under the NLRA will not absolve employees of posting social media content that is egregiously offensive, knowingly and maliciously false, or that publicly disparages an employer’s products or services if that content is not made in relation to group activity among employees. For example, an employee who shares several tweets about his manager lying to employees about the amount of vacation time available and then adds a false statement such as “I’m not surprised since the company lies to its customers about using child labor in its manufacturing facilities,” will not be protected. In this scenario, since the claim about lying to customers about using child labor is false and unrelated to the group’s complaints, it is unprotected and could subject the employee to disciplinary action.

Whistle-blowing is another form of protected activity. An employee engages in whistle-blowing when they expose an employer’s improper activity such as fraud, discrimination, bribery or other deceitful or improper conduct. Similarly, employees who expose an employer’s improper activity via social media will likely be protected. Going back to the example above, if the claim about using child labor in the employer’s manufacturing facilities was true, the employee would likely be protected for exposing the employer’s possible violations of child labor laws.

Violation of Employer Policies

Employers generally set workplace parameters with an employee handbook that has specific policies regarding social media, restricting the type of information that can be shared, such as confidential client matters, internal communications or proprietary information. Some companies also have a code of conduct regarding employee behavior within and outside of the scope of the employment relationship. The purpose of a code of conduct is to maintain a standard of behavior that is acceptable to the employer and aligns with its mission and values. These policies may also police what employees can speak about on behalf of the employer to avoid sharing misleading, inaccurate or private information on the employer’s behalf. It is a reminder to employees that their personal actions can be attributed to their employer and that a violation of those policies can lead to disciplinary action, including termination.

An employee’s conduct on social media can very well violate their employer’s policies. If an employer’s code of conduct states that it strictly prohibits bullying, an employee’s post or comments taunting a coworker because of their sexual orientation could amount to bullying and a violation of the code. However, conduct subject to discipline does not always have to be related to social media interactions between colleagues. If that same employee was taunting a stranger about their sexual orientation via social media, that too could lead to a violation of the code of conduct if the employer becomes aware of it.

Using Company Property

Many companies provide their employees with products and technology to carry out their responsibilities, including cell phones, desktop and laptop computers and tablets. Employers generally have the right and ability to access that property and the software embedded within that property (i.e., email and instant messaging). Some employers have policies against using company property for personal use such as engaging in social media. Because employers own the property and can access its content, employees do not have a reasonable expectation of privacy when using employer-provided property.

Ultimately, employees are free to use their social media platforms to post as they please, but that does not mean they are free from disciplinary action by their employer.


This is not just a concern for the future. Currently, medical boards are both obtaining reports and meting out professional discipline related to online professionalism violations. A study in JAMA, “Physician Violations of Online Professionalism and Disciplinary Actions: A National Survey of State Medical Boards,” surveyed the executive directors of all medical and osteopathic boards in the United States and territories regarding online professionalism violations and disciplinary action. The vast majority, 92%, of the respondents stated that they had received at least one report of a potential violation, and 71% of the respondent boards had instituted disciplinary proceedings. Outcomes varied, but over half, 56%, of the respondents had issued at least one serious disciplinary action such as license restriction, suspension or revocation.

If you receive a letter from the BRN or MBC about an investigation, don’t represent yourself. Hire Lucy — she specializes in licensing law and procedure. Decisions about a complaint can take several months to more than a year, and outcomes can range from case dismissal for lack of merit or insufficient evidence to referral to the state’s Attorney General office for prosecution. Contact us today at (877) 280-9944.

Other serious repercussions are possible. If disciplined, you also could receive a letter from the U.S. Department of Justice restricting your ability to work in any facility that receives reimbursement from Medicare and Medicaid. In addition, disciplinary action in California may affect your license in another state. Besides hiring Lucy McAllister to protect yourself, carry your own malpractice/disciplinary insurance (don’t rely on the insurance carrier for your hospital or private practice). This is especially important with the anticipated increase in medical professional liability claims associated with social media use.


Although there is little doubt social media can have many benefits for physicians and nurses, these guidelines should be followed because the risk of professional sanctions is very real. Physicians and nurses should critically examine their current social media practices and ensure they are doing everything reasonable to minimize the risk of inadvertently creating a professional discipline issue.

  • For nurses and physicians, social media use has daily applications in their personal and professional lives, facilitating conversations with colleagues about best practices and advancing healthcare.
  • However, inappropriate use of social media can create legal problems, including job termination, malpractice claims, and disciplinary action from MBC or BRN, which could negatively impact your professional license and career.