Senior Symposium Editor
Loyola University Chicago School of Law, J.D. 2018
On September 25th, a former Okaloosa County, Florida paramedic, Christopher Wimmer, was sentenced to six months jail time and three years’ probation for taking “selfies” with incapacitated victims in ambulances last year and sending them to a co-worker. He and his co-worker, Kaylee Renee Dubois, were engaged in a “selfie war” with each other and snapped images and videos of patients in ambulances who were unconscious, sedated, intoxicated, or incapacitated. In total, 101 photos, 64 videos, and 41 patients were photographed or recorded during the so-called war, and a mere three patients consented to photographs being taken of them. Employees’ missteps with the privacy rights of patients have a negative lasting effect on their employer, their own career, and their patients.
Aftermath of a “Selfie War”
Dubois and Wimmer were caught after other EMS coworkers caught wind of Wimmer sharing “unprofessional and compromising selfies of patients.” The arrest report stated Wimmer was “often laughing and smiling” in the images, which were all retained on his phone. Dubois’ phone was password protected and despite investigators not being given access, they had evidence of her participation via the images on Wimmer’s phone. Dubois was fired from her paramedic position on May 20, and Wimmer resigned the same day.
The images and videos were later found to have been circulated to three other Okaloosa County Public Safety Department employees, and although none of the images or videos were thankfully shared on social media sites, it has negatively impacted their employer, their own careers, and the lives of the patients. All 41 Okaloosa County victims refused to speak in court as a result of being humiliated from the ordeal, and wrote letters describing the nightmares they now have.
Violating patient privacy can mean multifarious penalties. For starters, the federal government can impose civil and criminal sanctions under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) on a healthcare professional and their employer. States may impose their own penalties, and the patient themselves may sue the healthcare professional and their employer for privacy violations if their state allows it. State medical boards may impose penalties such as suspension or termination of medical licensure. Dubois was charged with two counts of interception and disclosure of oral communications, a third-degree felony, while Wimmer was charged with seven counts of interception and disclosure of oral communications, a third-degree felony, and one count of misdemeanor battery. The situation has caused Okaloosa County to make substantial changes to its policies, including banning the use of personal cell phones in the rear of an ambulance.
Social Media Blunders
The mess in Okaloosa County is hardly the only of its kind. Two Navy corpsmen in Jacksonville, Florida were recently outed for their image posted on Snapchat that showed them flashing the finger at a newborn child, referring to infants as “mini Satans.” They were also under scrutiny for a video which showed them forcing a baby to dance to 50 Cent’s In Da Club. The naval hospital where they worked removed them from patient care, and announced they would be subjected to the military justice system.
In a separate situation, a nursing student posted a photo of a three year-old patient who had leukemia on her Facebook wall with a description of how brave he was; he consented, but it was not adequate consent. She was not only expelled from the nursing program, but the nursing program itself was forbidden to return to the children’s hospital for pediatric clinical experiences and faced violations under HIPAA.
Incidents like these will continue until health care organizations implement policies and guidelines that clearly establish the expectations and consequences of misuse of social media and messaging. Setting standards for professional behavior online will help healthcare professionals achieve compliance with laws, such as HIPAA. By improperly posting comments or images regarding patients on social media sites, or by sharing them with others, healthcare professionals, undermine privacy. It is easy to mistakenly believe that there is anonymity on social media sites or that images and videos shared with people won’t see the light of day, but this perception is the downfall of many healthcare professionals—and not just younger millennials. Doctor-patient confidentiality extends to social media so normal consent procedures apply.
Training workforce members on social media policies and procedures to help ensure compliance can be done by implementing monthly or quarterly social media audits, team trainings, and assigning social media managers. It is important for employers to not only have social media policies in place, but intermittently provide policy reminders. Moreover, to help create a culture of compliance, organizations should establish a process to implement said policies and a tracking mechanism to track process results. Although an organization may not be able to control what their employees post or send via text, they can actively discourage them from improperly disclosing information without the proper consent.
OCR has announced it will be issuing guidance on the use of social media platforms, as well as on explanations on when prior authorization from a patient is necessary. Considering all of this, it would beneficial for there to be a requirement for covered entities to address social media in their privacy training programs, as it is a growing threat to the privacy of patients. Improper use of social media can be mitigated with a compliance program that incorporates social media training. Social media is notorious for showcasing poor judgment—healthcare professionals must prove themselves the exception to the rule.