No Pictures, Please: Building Rock-Solid Image And Social Media Policies In Healthcare

Several patients are suing Jay Hospital in Florida and its parent system, Baptist Health Care, alleging staff members took unauthorized photographs of them while they were asleep or heavily medicated and then shared those images on Snapchat. 

The patients say they only learned of the incident months later when hospital representatives informed them that "horrible" images had been taken and offered payments reportedly up to $50,000 in exchange for signing releases with nondisclosure provisions, but the patients were never allowed to see the photos or told exactly what they depicted. 

The lawsuit, filed on behalf of multiple patients, contains allegations of invasion of privacy and other claims. The allegations describe the images as degrading. The individuals were photographed without consent while incapacitated and unclothed or partially unclothed. 

Jay Hospital stated that, once administrators became aware of the allegations, they conducted a preliminary investigation, notified authorities and affected patients, and terminated the employees involved. They declined to share further details, citing ongoing investigations and privacy concerns. 

Source: https://healthexec.com/topics/healthcare-management/legal-news/hospital-sued-after-employees-post-horrible-photos-patients-snapchat

Commentary

The above is just one example of the growing liability exposure healthcare organizations are facing from unauthorized image capture and posting by staff. 

Governance starts with a clear policy that any non-clinically necessary photography, audio, or video of patients, visitors, or coworkers is strictly prohibited without documented, informed consent consistent with HIPAA and state law. 

Policies should define what constitutes an image, including screenshots and messaging apps, and they should expressly forbid sharing, storing, or posting work-related images on personal platforms. 

Employers should restrict use of personal devices in patient-care areas, configure technical safeguards on organization-owned devices, and coordinate policy language with BYOD, confidentiality, and social media policies so there are no gaps. 

Training should include concrete examples of prohibited conduct, the dignity and privacy interests at stake, and the discipline that may follow violations, up to and including termination and reporting to licensing boards. Incident response plans need to address prompt investigation, preservation of evidence, notification to privacy officers and regulators when required, and support for affected patients. 

Finally, regular audits, leadership reinforcement, and swift, consistent enforcement demonstrate a culture of respect for privacy and significantly reduce the risk of reputation damage, regulatory penalties, and civil litigation.
