Privacy Officer's Roundtable

  • 1.  Facebook Messenger & Patient Privacy

    Posted 03-13-2023 10:03 AM

    I would like your thoughts on the following scenario please.

    The CE has a Facebook page and utilizes Messenger as an avenue for individuals to communicate with the CE. A statement is populated before the individual sends a message that notifies the individual that Messenger is not monitored 24/7 and that the individual should not provide medical information in the message.

    The CE will respond back to the individual and provide some generalized contact information for a specific medical office or provide generalized information related to the individual's ask. The CE is advocating that this is an important customer service and patient experience tool.

    Would you consider the message PHI once the CE engages with the individual on the Messenger platform, even if the CE is only providing a phone number or generalized information related to the individual's ask and not discussing medical content?

    What other considerations should be taken into account for the use of Facebook Messenger or other social media communications platforms?

    George Merix, MHA, CHPC
    Compliance Manager, Privacy
    Carilion Clinic
    Roanoke, VA
    SCCE Membership

  • 2.  RE: Facebook Messenger & Patient Privacy

    Posted 03-13-2023 11:04 AM

    Hi George:

    I remembered we previously discussed this and found a response by Natalie Roehlk (thank you Natalie!).  I discussed with our Marketing team, and we no longer include patient names in our responses, etc.

    Feb 11, 2022 5:57 PM

    Natalie Roehlk

    Hi Wendy,

    I've counseled our marketing folks on this as well, that even an acknowledgement of an individual as a patient would be a HIPAA violation.  It's difficult in the social media context as of course we want to defend our organizations, but I've instructed our staff to respond only with a very generic, "We are happy to address any concerns directly.  Please feel free to contact our patient advocate at"

    I provide these cases to explain my position:

    Dental Practice Pays $10,000 to Settle Social Media Disclosures of Patients' Protected Health Information

    Elite Dental Associates, Dallas ("Elite") has agreed to pay $10,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.  Elite is a privately-owned dental practice located in Dallas, Texas, providing general, implant, and cosmetic dentistry.

    On June 5, 2016, OCR received a complaint from an Elite patient alleging that Elite had responded to a social media review by disclosing the patient's last name and details of the patient's health condition.  OCR's investigation found that Elite had impermissibly disclosed the protected health information (PHI) of multiple patients in response to patient reviews on the Elite Yelp review page.  Additionally, Elite did not have a policy and procedure regarding disclosures of PHI to ensure that its social media interactions protect the PHI of its patients or a Notice of Privacy Practices that complied with the HIPAA Privacy Rule.  OCR accepted a substantially reduced settlement amount in consideration of Elite's size, financial circumstances, and cooperation with OCR's investigation.

    "Social media is not the place for providers to discuss a patient's care," said OCR Director, Roger Severino.  "Doctors and dentists must think carefully about patient privacy before responding to online reviews."

    In addition to the monetary settlement, Elite will undertake a corrective action plan that includes two years of monitoring by OCR for compliance with the HIPAA Rules. The resolution agreement and corrective action plan may be found at:

    News Release

    Shasta Regional Medical Center (SRMC) has agreed to a comprehensive corrective action plan to settle a U.S. Department of Health and Human Services (HHS) investigation concerning potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

    The HHS Office for Civil Rights (OCR) opened a compliance review of SRMC following a Los Angeles Times article which indicated two SRMC senior leaders had met with media to discuss medical services provided to a patient.  OCR's investigation indicated that SRMC failed to safeguard the patient's protected health information (PHI) from impermissible disclosure by intentionally disclosing PHI to multiple media outlets on at least three separate occasions, without a valid written authorization. OCR's review indicated that senior management at SRMC impermissibly shared details about the patient's medical condition, diagnosis and treatment in an email to the entire workforce.  In addition, SRMC failed to sanction its workforce members for impermissibly disclosing the patient's records pursuant to its internal sanctions policy.

    "When senior level executives intentionally and repeatedly violate HIPAA by disclosing identifiable patient information, OCR will respond quickly and decisively to stop such behavior," said OCR Director Leon Rodriguez. "Senior leadership helps define the culture of an organization and is responsible for knowing and complying with the HIPAA privacy and security requirements to ensure patients' rights are fully protected."

    In addition to a $275,000 monetary settlement, a corrective action plan (CAP) requires SRMC to update its policies and procedures on safeguarding PHI from impermissible uses and disclosures and to train its workforce members.  The CAP also requires fifteen other hospitals or medical centers under the same ownership or operational control as SRMC to attest to their understanding of permissible uses and disclosures of PHI, including disclosures to the media.

    Physical therapy provider settles violations that it impermissibly disclosed patient information

    Complete P.T., Pool & Land Physical Therapy, Inc. has agreed to settle violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rules with the U.S. Department of Health and Human Services Office for Civil Rights (OCR). Complete P.T. is a physical therapy practice located in the Los Angeles area.  The settlement agreement is an admission of civil liability by Complete P.T., requiring payment of $25,000, adoption and implementation of a corrective action plan, and annual reporting of compliance efforts for a one year period. 

    On August 8, 2012, OCR received a complaint alleging that Complete P.T. had impermissibly disclosed numerous individuals' protected health information (PHI), when it posted patient testimonials, including full names and full face photographic images, to its website without obtaining valid, HIPAA-compliant authorizations.  OCR's investigation revealed that Complete P.T.:

    • Failed to reasonably safeguard PHI;
    • Impermissibly disclosed PHI without an authorization; and
    • Failed to implement policies and procedures with respect to PHI that were designed to comply with HIPAA's requirements with regard to authorization.

    "The HIPAA Privacy Rule gives individuals important controls over whether and how their protected health information is used and disclosed for marketing purposes. With limited exceptions, the Rule requires an individual's written authorization before a use or disclosure of his or her protected health information can be made for marketing." said OCR Director Jocelyn Samuels.  "All covered entities, including physical therapy providers, must ensure that they have adequate policies and procedures to obtain an individual's authorization for such purposes, including for posting on a website and/or social media pages, and a valid authorization form."

    Natalie Roehlk, CHC, CHPC
    Privacy Officer
    Summit Healthcare
    Show Low, Arizona
    The opinions expressed herein are my own, and do not necessarily represent those of my employer.


  • 3.  RE: Facebook Messenger & Patient Privacy

    Posted 03-14-2023 05:53 AM

    It is my understanding that Meta has been rolling out the application of end-to-end encryption on its FB Messenger application. Zuckerberg posted this on January 23, 2023:

    "We've also started gradually expanding testing default end-to-end encryption for Messenger. We know people want a space to connect and they want to know that those conversations are private, safe and secure. That is why we've spent time building a team of talented engineers, cryptologists, designers and policy experts who are all committed to rolling out default end-to-end encryption on Messenger.

    Over the next few months, more people will continue to see some of their chats gradually being upgraded with an extra layer of protection provided by end-to-end encryption. We will notify people in these individual chat threads as they are upgraded. We know people will have questions about how we select and upgrade individual threads, so we wanted to make clear that this is a random process. It's designed to be random so that there isn't a negative impact on our infrastructure and people's chat experience. This also ensures our new end-to-end encrypted threads continue to give people the fast, reliable and rich experience on Messenger.

    Building a secure and resilient end-to-end encrypted service for the billions of messages that are sent on Messenger every day requires careful testing. We'll provide updates as we continue to make progress towards this goal over the course of 2023."

    It would therefore seem that, as of today, Messenger is not secure. Given this I would say that risking communication by a CE with a patient is a risk not worth taking.

    Freda Driscoll-Sbar, M.Ed.
    Vice President of Quality and Compliance
    Center for Human Development
    Springfield, MA.

  • 4.  RE: Facebook Messenger & Patient Privacy

    Posted 03-15-2023 08:52 PM

    Thank you for sharing, Freda.

    Nancy O'Neill, RN, CHC, CHPC
    Sr. Director, Corporate Compliance/Privacy Officer
    Tampa General Hospital
    Tampa, FL
    Responses are my own and not the view of my organization.

  • 5.  RE: Facebook Messenger & Patient Privacy

    Posted 03-14-2023 07:47 AM

    I may be mistaken, but it seems that the enforcement actions include disclosure on public sites, whereas FB Messenger is a 1:1 communication. I would agree that it would not be the optimal way to communicate. I might add something to the statement that this form of communication "may not be secure," or, if the individual is a patient, that they are encouraged to communicate through their patient portal account; but if the individuals send their message anyway, I think it would be OK to refer them to a general contact for them to follow up.

    I am interested to hear others' thoughts.

    Thank you

    Nancy O'Neill, RN, CHC, CHPC
    Sr. Director, Corporate Compliance/Privacy Officer
    Tampa General Hospital
    Tampa, FL
    Responses are my own and not the view of my organization.