
Reasonable Security That Holds Up in Court – Ep 515 

 June 27, 2025

By  Donna Grindle

If you’ve ever wondered what happens when “going viral” meets “losing your license,” this episode has the answer—courtesy of a nurse who took her TikTok dreams a little too far. From cringe-worthy compliance blunders to Oklahoma’s oddly refreshing legal update, we’re diving headfirst into the murky waters of healthcare privacy, social media madness, and why reasonable security might just be your get-out-of-court-free card. It’s like HIPAA meets reality TV—minus the roses and dramatic exits.


In this episode:


Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT



HIPAA Say What!?!

[01:30]

Nurse Livestreams Med Pass on TikTok, Uses Teeth to Open Meds, Sparks Ethics Debate

A nurse named Yazz Scott livestreamed on TikTok while doing her med pass in a nursing home. The number of times we have seen social media misused by caretakers of elderly patients is pretty disturbing. In this case, she was immediately getting chat posts saying she was going to lose her license and that she was violating HIPAA. She blocked them, mocked them, and even said everyone should just “relax”. All this while having conversations with the patients, even mentioning one by name. As the article put it:

“If you see some patient information, just holla,” she said, laughing off the concerns and continuing to engage with her audience instead of focusing on her med pass.

Holla!!!!

She was not meeting any level of acceptable care for patient safety or privacy. Her online cred may have jumped with a viral post but her professional nursing creds tanked. She has since posted about being shocked when she woke up and the post had blown up online.

She has been suspended pending an investigation and saw her job posted online, so she isn’t expecting to get it back. The facility and the state nursing board apparently got over 50 calls about the viral post. She may even lose her license, due not only to the privacy failures but also to the patient safety issues and to making nurses look really, really bad. The board is doing its own investigation. And with over 50 complaints? Yeah, it’s serious.

In her TikTok update, she openly reflected on the situation: “I am well aware of how extreme and severe my actions were. You do things and don’t think it will go viral or even be seen. I woke up and was all over the internet, with thousands of comments holding me accountable.” She expressed gratitude for the feedback and described the experience as a hard lesson learned, hoping her story can serve as a cautionary example for others. “Be mindful of the content you put out, whether you’re a creator or a student,” Scott urged.

Brandy Pinkerton, who posted the article with updates, drives home that ‘HIPAA Isn’t Optional’—a point we agree with. But she included some outdated or inaccurate details about potential fines, and didn’t mention that individuals can be prosecuted for violations. Still, she’s right to spotlight the seriousness of patient privacy. One thing she raised that is concerning is how little understanding and training nurses have when it comes to social media.

The truth is, a lot of us never got clear guidance on these boundaries before stepping into the profession. A 2024 Journal of Nursing Education study found that only 62% of nursing programs fully cover social media boundaries. That means plenty of new nurses are entering the field unsure of what’s okay and what could seriously risk their license or a patient’s privacy.

Wow, that shows just how much we aren’t getting the message across. Use this real world story as a training moment with your entire team.

Reasonable Security That Holds Up in Court

[17:19]

There are so many state laws passing these days that we can’t even keep up, which is why we always remind folks: know the laws in your state and in any other states you operate in and are obligated to follow. We help clients keep tabs where we can, but honestly—HIPAA already gives us enough to juggle!

Occasionally, though, one catches my attention and makes me dig a little deeper. That is the case with an update to the breach notification law in the state of OK. Substantial updates take effect Jan 1, 2026; the bill has already been passed and signed into law.

OK New Data Breach Law Effective 2026 – CyberMaterial

ENROLLED SENATE BILL NO. 626

This law has been around a few years, but effective next year there are some important changes that all businesses should be aware of. First, some general information about the bill:

Who does it apply to?

If HIPAA or some other federal law requiring notification to individuals already applies to you, you simply have to add notifying the State AG when you make a notification covering over 500 individuals. If the breach affects fewer than 500 individuals, you don’t have to notify the AG. Credit bureaus get a break on that limit, up to 1,000.

The changes did include adding HIPAA as an exemption to the notification requirements, which is good. But here are the entities the law does cover:

“Entity” includes corporations, business trusts, estates, partnerships, limited partnerships, limited liability partnerships, limited liability companies, associations, organizations, joint ventures, governments, governmental subdivisions, agencies, or instrumentalities, or any other legal entity, whether for profit or not-for-profit;

The New “Safe Harbor” Twist

What got my attention is that it added a new safe-harbor-type section to the bill. The state can apply a civil penalty of up to $150K. But after that it says this:

C. 1. An individual or entity that uses reasonable safeguards and provides notice as required by Section 163 or 164 of this title shall not be subject to civil penalties and may use such compliance as an affirmative defense in a civil action filed under the Security Breach Notification Act.

2. An individual or entity that fails to use reasonable safeguards but provides notice as required by Section 163 or 164 of this title shall not be subject to the civil penalty set forth in subsection B of this section but shall be subject to actual damages and a civil penalty of Seventy-five Thousand Dollars ($75,000.00).

Now we have something interesting to evaluate. They give you the ability to use an affirmative defense to protect yourself from civil lawsuits if you can prove reasonable safeguards and make the proper notifications.

[24:59]

So what are the reasonable safeguards? Here is a whole new definition added to the law:

“Reasonable safeguards” means policies and practices that ensure personal information is secure, taking into consideration an entity’s size and the type and amount of personal information. The term includes, but is not limited to, conducting risk assessments, implementing technical and physical layered defenses, employee training on handling personal information, and establishing an incident response plan;

So if you are an entity in OK, you now have clear guidance on what you should be doing to protect your business and the information you collect and store.

Policies and practices including but not limited to:

  • Risk assessments
  • Technical and physical layered defenses
  • Employee training on handling personal information
  • Establishing an incident response plan

Wow, that sounds familiar! They could basically use HICP and adapt it to their size and environment. Of course, as with any regulatory and legal requirement, you have to be able to prove it, not just say it. Now we are talking about Recognized Security Practices.

So, tell me why a HIPAA entity should be doing the exact same thing? Over time we will watch what guidance the state AG issues on what constitutes proof of reasonable safeguards; since the law does not define all of the terms it uses, there will be room for interpretation.

As we close this HIPAA horror story turned teachable moment, let’s all raise a metaphorical green bean casserole to better training, clearer policies, and keeping your phone (and your teeth) out of the medication process. Because in the end, a little compliance now might just keep you from starring in the next viral debacle—or at least keep your name off the class action list. Stay secure, stay sensible, and maybe just stick to cat videos on social media.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
