I’ve reported a number of instances where employees have been disciplined or terminated for imprudent postings on Facebook or MySpace, but a series of tweets I saw on Twitter yesterday demonstrates how to simultaneously diminish the public’s confidence in HIPAA while risking your own future, 140 characters at a time.
It started with a twitterer sharing that her car had been broken into:
They got me http://plixi.com/p/49518579
Later, she tweeted:
@KiraNthaCity Im good…They broke into my car again..And we was just talkin about that happening..Im gonna get a new car soon
Note the “again” as we’ll get back to that. But here’s the first really stunning tweet:
@KiraNthaCity All they took was my clients Info…Just a Bunch of HIV Paperwork…HIPPA is gonna Sue my Ass!
Apart from the fact that she calls it “HIPPA” and not “HIPAA” – a mistake that often makes me wonder whether some people have really paid attention to the law – what does this tweet reveal about concern for privacy when she seemingly minimizes data loss as “All they took” and “clients Info…Just a Bunch of HIV Paperwork?”
Would her clients agree that it was not a big deal that their information was stolen? Does the tweet reflect any concern for the affected clients? When another twitterer offered commiseration, she responded:
@Mr_Steal_UrGirl Its all Good Bro…Grain of Salt. Good Luck with your event today..WIsh I were there!
Having confidential data you were responsible for stolen is a “Grain of Salt?”
All I see in her tweets is concern for her car (I’m sure that we’re all very relieved that she got the window repaired promptly) and some possible concern for herself because of HHS/HIPAA “suing her ass.”
How can these types of tweets possibly be good for engendering trust in the public that HIPAA-covered entities take our responsibilities seriously?
Given that this was not the first time her car was broken into and she was clearly well aware of the risk (her broken into “again” tweet), why did she leave PHI in her car? From the picture she uploaded, it appears that the papers may not have even been in the trunk, but in the main compartment of the car. No HIPAA-covered entity should ever be leaving unsecured PHI in their car (indeed, I would argue that leaving any PHI in a car automatically makes it unsecured), but to leave it in your car after your car has already been broken into once is just — what’s the word I’m looking for? Negligent? Of course, this is all just my opinion, based on her tweets, but they really do create an awful impression.
I do not know whether she has reported, or will report, the breach to her clients, HHS and to the state of California, whose laws would now seemingly require her to report this breach. I’m basing my guess that it’s a reportable breach on her statement that the incident falls under HIPAA. If it does, in fact, require reporting and she doesn’t report it, it wouldn’t be difficult for HHS or the state of California to determine who she is should they so desire.
In today’s world of sharing too much, it’s helpful to remember that some things are still best left unshared. Having sensitive data stolen because you were lazy or sloppy with security is not the kind of thing that is advisable to share all over social media. Demonstrating that you think so little of the security and privacy of clients’ HIV info or the possible impact of the breach on your clients is also best left unshared.
HIV private information will have a bigger impact on “the clients” and is hardly punished by HHS because of not only potential identity theft but the reputation of the “Client.”
Too bad for this lady; her rear end could be in real fire.