Does this violate HIPAA?
A primary care physician would like to share a post on her practice’s Facebook business page about a patient she saw earlier in the day. Which of the following posts does not violate HIPAA?
“A patient came in to see me recently because their thumb and wrist were causing a great deal of pain. I determined the pain was likely caused by overuse of a large smartphone. Repetitive scrolling and handling of these devices, although fun, is unnatural. The patient required a cortisone shot and might require a cast or brace soon. I urged this patient to try using a stylus pen or a desktop computer whenever possible.”
“Earlier today, a 26-year-old who is on her phone all day for work as a social media coordinator came to me because her wrist and thumb were causing her a great deal of pain. I gave her a cortisone shot and suggested she do her work on a desktop computer rather than her phone. I believe repetitive scrolling on social media sites is causing inflammation of her tendon.”
The PCP should choose Option 1, as there is no mention of information that can help identify the patient. It is vague, but it still describes the situation.
Option 2 violates HIPAA. The post reveals exactly when the patient saw the doctor, her gender, her age, and her occupation. Option 1 tells the same story, but protects the patient’s identity. There is no mention of her age, her gender, her occupation, or when she saw her provider.