One Beacon Street
Suite 1320
Boston, MA 02108

T 617.598.6700
F 617.720.5092


One Richmond Sq.
Suite 165W
Providence, RI 02906
T 401.454.0400
F 401.454.0404

August 12, 2016

CMS cracks down on “abuse” of nursing home residents via social media


In a memorandum targeting nursing homes but which could impact all health care providers, the Centers for Medicare and Medicaid Services (CMS) instructed state survey agencies to begin examining nursing home activities and policies concerning staff disclosure of confidential patient information, and possible mental abuse of residents, through postings and sharing on social media. Although this CMS initiative specifically targets nursing facilities, its focus on patient privacy and confidentiality, as well as the general concept of what it means to “abuse” a patient in today’s social media world, have implications for all health care organizations and personnel, including termination, loss of license to practice, and even criminal charges.

On Friday, August 5, 2016, the Centers for Medicare and Medicaid Services (CMS) issued a memorandum instructing state survey agencies to begin requesting and examining nursing home policies concerning social media as they relate to prohibition against resident abuse, staff training on abuse prevention, and appropriate facility responses to reports of abuse. State survey agencies are further authorized to investigate and report any on-site instances of noncompliance with federal requirements related to the inappropriate use of social media. This additional scrutiny was prompted by a ProPublica report detailing nearly fifty instances of inappropriate use of social media by nursing home workers. These incidents included photographs and video recordings of vulnerable nursing home residents that demeaned or humiliated residents and that were uploaded to Facebook, Instagram, and Snapchat.

In its memorandum, CMS outlines the federal requirements implicated by such incidents, including nursing home residents’ rights to privacy and confidentiality under 42 C.F.R. § 483.10(e). Under this provision, taking unauthorized photographs or recordings of nursing home residents to keep or distribute on social media is a violation of federal law. For example, a resident with Alzheimer’s disease may be incapable of granting permission for a photograph to be taken, let alone posted on social media, even if it depicts the resident positively. More broadly, HIPAA prohibits the use or disclosure of individually identifiable information – that is, information about the individual’s condition, and provision of or payment for health care that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. See 45 C.F.R. § 160.103. Social media posts that omit the resident’s name or direct identifiers may still reasonably identify the resident based on other indicators or information, which, when taken together, would identify the resident to certain individuals (e.g., other staff members, residents, or family members). And health care workers must remember that HIPAA requires written authorization to disclose a resident’s protected health information. Only obtaining a resident’s verbal consent to having their picture taken and sent to others electronically or posted on social media would technically violate HIPAA.

CMS also states that photographing or recording a nursing home resident in a manner that demeans or humiliates the resident may constitute mental abuse under 42 C.F.R. § 483.13(b),(c). CMS interprets mental abuse to include humiliation, harassment, threats of punishment or deprivation, intimidation, fear, shame, agitation, or degradation as experienced from the perspective of a reasonable person. Under this interpretation, social media posts depicting residents in a certain manner, even those residents with no actual physical harm or with cognitive impairments, may constitute mental abuse, if a reasonable person would experience mental abuse under the same circumstances.

In addition to having policies and procedures prohibiting such abuse and violations of residents’ rights, nursing homes must also ensure that staff training is sufficient to educate all staff members, particularly with respect to staff responsibilities to report allegations of resident abuse. Staff members who observe social media posts involving residents must report these instances. Nursing home management must ensure that these allegations are reported, investigated, and that appropriate corrective action is taken. Therefore, policies and procedures must be adequately implemented to achieve the goals of abuse prevention and abuse reporting.

The CMS memorandum and directive to state survey agencies to curb patient abuse via social media is best understood within the context of the pending proposed update that would overhaul the regulations governing long-term care facilities, including nursing homes. See Medicare and Medicaid Programs; Reform of Requirements for Long Term Care Facilities, 80 Fed. Reg. 42,168 (July 16, 2015) (to be codified at 42 C.F.R. pts. 405, 431, 447, 482, 483, 485, and 488). Among other things, the proposed updated regulations would define “abuse” to include mental abuse “facilitated or enabled through the use of technology,” which would presumptively implicate posting to social media, in accordance with the CMS memorandum. 80 Fed. Reg. at 42,246. Furthermore, under the proposed update to the regulations, facilities are still required to develop and implement policies and procedures to prohibit, as well as prevent, such abuse. See 80 Fed. Reg. 42,253. The final rule is set to be promulgated no later than September 30, 2016.


While nursing facilities certainly need to address this pending scrutiny, all health care organizations and professionals would be well advised to review their policies and practices in light of the concerns raised in the CMS memorandum to ensure that they adequately address the impact of technology, particularly social media, on patient and resident abuse, as well as how technology and social media can result in violations of patient and resident privacy and confidentiality. Management should consider developing a dedicated social media policy, if the organization does not already have one, in furtherance of these federal requirements. Employers should also train or retrain their staffs on their institutional privacy policies, including existing technology or social media policies and the responsibility of staff to report policy violations.

Other Resources

Dept. Health & Human Servs., Ctrs. for Medicaid & Medicare Servs., Memorandum: S&C: 16-33-NH, Protecting Resident Privacy and Prohibiting Mental Abuse Related to Photographs and Audio/Video Recordings by Nursing Home Staff (August 5, 2016),

Medicare and Medicaid Programs; Reform of Requirements for Long Term Care Facilities, 80 Fed. Reg. 42,168 (July 16, 2015) (to be codified at 42 C.F.R. pts. 405, 431, 447, 482, 483, 485, and 488),

Charles Ornstein & Jessica Huseman, Inappropriate Social Media Posts by Nursing Home Workers, Detailed, (Dec. 21, 2015, 8 a.m.),

American Health Care Association (AHCA), Best Practices for Social Media at Your Skilled Nursing Center or Assisted Living Community,

American Health Care Association (AHCA), Memorandum, Social Media Guidance for Nursing Care Centers and Assisted Living Communities (June 10, 2016),

Dept. Health & Human Servs., Office of Inspector General (OIG), Letter to Senator Charles E. Grassley (March 15, 2016), (responding to Senator Grassley’s six questions about the quality of elder care and preventing abuse).

Kyna Veatch, A Checklist For Avoiding HIPAA Violations On Social Media, (January 7, 2016, 11:01 AM),

National Council of State Boards of Nursing (NCSBN), The Nurse’s Guide to the Use of Social Media (2011),

About the Author

Robert Blaisdell

Robert Blaisdell is Managing Partner and Chair of the Firm's Health Law group. He provides general business and corporate legal services to healthcare clients. You can find him on LinkedIn.

Donoghue Barrett & Singal clerk Yelena Greenberg contributed to this post.


Health Law



Research Misconduct


This website presents general information about Summit Health Law Partners and is not intended as legal advice nor should you consider it as such. You should not act upon this information without seeking professional counsel.

Please note that contacting Summit Health Law Partners by email, telephone or facsimile will not establish an attorney-client relationship, obligate us to act as your attorney or impose an obligation on either the law firm or the receiving lawyer to keep the transmitted information confidential. Completion of Summit Health Law Partners' new client intake protocol, including without limitation the firm’s conflicts checking process and an engagement letter, is necessary to establish an attorney-client relationship. Absent a current attorney-client relationship with Summit Health Law Partners, any information or documents communicated or transmitted by you to Summit Health Law Partners will not be treated as confidential, secret or protected in any way. If you are not a current client of Summit Health Law Partners, please do not send any confidential information to us through this website or otherwise concerning any potential or actual legal matter you have. Before providing any confidential information to us, you must obtain permission to do so from one of the firm’s lawyers. By clicking "Accept," you acknowledge that we have no obligation to maintain the confidentiality of any information you submit to us unless we already represent you or unless we have agreed to receive limited confidential material/information from you as a prospective client.

If you would like to discuss becoming a client, please contact one of our attorneys to arrange for a meeting or telephone conference. If you wish to disclose confidential information to a lawyer in the firm before an attorney-client relationship is established, the protections that the law firm will provide to such information from a prospective client should be discussed with the firm attorney before such information is submitted. Thank you for your interest in Summit Health Law Partners.