Most people who know of the Health Insurance Portability and Accountability Act of 1996 will know that it protects patient privacy. But how far does the Act extend? Does it prevent workers from sharing stories about their practice? How much can healthcare workers disclose about their day? Is telling a story about a patient a HIPAA violation? We will discuss these questions, and others, below.
The HIPAA Privacy Rule was introduced in 2002 and outlined the permitted use and disclosure of Protected Health Information. This Protected Health Information, or PHI, is any data that refers to the past, present, or future condition of a patient or the payment for the condition. Critically, to be considered PHI, the information must also contain one of the 18 HIPAA identifiers. These identifiers include demographic or other information that can be used to trace the identity of an individual.
So, if any medical professional, or anyone else covered by HIPAA, recounts a story and discloses PHI, they are considered to be in violation of HIPAA. In the absence of these identifiers, the information is no longer considered to be PHI, and it is not covered by HIPAA. Those employed by Covered Entities or their Business Associates, therefore, should ensure that if they do tell a story about a patient, it only contains “de-identified” information.
In the previous paragraph, we alluded to another critical factor that will determine whether telling a story about a patient is a HIPAA violation. The person telling the story must be covered by HIPAA. That is, they must be under the “direct control” of a HIPAA Covered Entity or Business Associate (including employees, students, and volunteers). Anyone outside of this definition is not covered by HIPAA, but may still be in violation of other federal or state legislation.
Non-permitted PHI disclosures, including telling stories of patients that contain identifiable information, can be a serious HIPAA violation. These violations can result in serious consequences for both the employee who committed the violation and the Covered Entity. The CE may be fined by the Office for Civil Rights for HIPAA violations. Employees may be required to undergo more training or be put on probation. They may face more severe disciplinary actions, too, including suspension or termination of their contract.
Clearly, there is no straightforward answer to the question, “is telling a story about a patient a HIPAA violation?” However, it is clear that anyone covered by HIPAA should take the utmost caution when telling stories to ensure the subject of the story cannot be identified.