An ongoing investigation at Tri-City Medical Center in Oceanside "has not yet identified any evidence that patient names, photographs, or similar identifying information was posted by these employees," according to a statement from Larry Anderson, CEO. "But our investigation yielded sufficient information to warrant disciplinary action."
A hospital spokesman declined to provide any further details. Under the HIPAA privacy rule, which was toughened by the HITECH Act, patients must give permission for their private information to be disclosed.
The California Department of Public Health is conducting an investigation of the incident, a spokesman confirmed June 8, declining to provide further details. The incident involved posting information on Facebook, according to a report by KNSD, the NBC TV affiliate in San Diego.
To help prevent similar incidents, Anderson said the hospital is "re-emphasizing, through employee training and education, the hospital's and the employees' ongoing commitment and obligation to protect our patients' privacy."
A number of healthcare organizations are developing specific security policies for the use of social media. For example, Adventist Health System recently spent six months crafting a detailed policy, says Sharon Finney, corporate data security officer.