Is Telling a Story about a Patient a HIPAA Violation?

Whether telling a story about a patient is a HIPAA violation will depend on who is telling the story, the audience of the story, whether any protected health information (PHI) is disclosed, and whether the disclosure has been authorized by the subject of the PHI. For example, not all healthcare providers qualify as HIPAA covered entities; and, if the story is being told by an employee of a healthcare provider that does not qualify as a covered entity, there can be no violation of HIPAA – although the disclosure may be a violation of another state or federal law.

Also, is telling a story about a patient a HIPAA violation if the story contains no individually identifiable health information? Most people would say no; but, if the events of the story identify the patient who is the subject of the story (for example, because some or all of the audience witnessed the events being retold in the story), the anecdote could be classed as an impermissible disclosure of PHI that effectively qualifies as a notifiable data breach.

However, if the information disclosed in the story is not classified as PHI because it is not individually identifiable health information and is maintained outside of a designated record set, there is no violation of HIPAA. For example, a doctor telling a story about a patient who crashed their car would not be violating HIPAA provided the injuries sustained by the patient, the treatment for the injuries, or payment for the treatment were not disclosed in the story.

Why it is Better Not to Tell Stories about Patients

As you can see from the above explanation, the answer to the question "is telling a story about a patient a HIPAA violation?" is complicated. In addition, although the distinction may be clear to a trained workforce of compliant healthcare professionals, it may not be clear to the subject of the story or anybody who hears it who knows them – potentially resulting in complaints to HHS' Office for Civil Rights for alleged impermissible and unauthorized disclosures of PHI.

Although the complaints may be unjustified, if HHS' Office for Civil Rights decides to investigate the allegation, the investigation can be disruptive – not to mention that other compliance issues may come to light during a compliance investigation. Due to potential misunderstandings, it is better not to tell stories about patients in any circumstances; and this should be included in HIPAA training, with the sanctions for violating an organizational policy (rather than a HIPAA policy) made clear.

Provided an explanation is given about why telling a story is a HIPAA violation – or could be interpreted as such – this should deter members of the workforce from sharing workplace anecdotes that could lead to non-compliant gossiping and actual HIPAA violations. The explanation should also give members of the workforce a better understanding of what is considered PHI under HIPAA to enable them to do their jobs compliantly without disrupting the flow of information.



Telling a Story about a Patient: A HIPAA Violation or Not?

Examples exist of healthcare professionals telling stories about patients and being investigated for a HIPAA violation. In 2020, Lillian Udell – a frontline worker in the Emergency Department at the Lincoln Hospital in New York City – posted a video online about how the coronavirus pandemic was affecting her and her colleagues. The video featured a former co-worker who contracted the virus at the hospital and died. In the video, Udell named the co-worker.

Udell was not sanctioned for telling her story because members of the victim's family had previously posted a similar video and the information was in the public domain. However, had she been found guilty of a HIPAA violation, the sanctions could have ranged from additional privacy training to being put on a probation period, or loss of her job. In some cases, depending on how serious the violation is, healthcare professionals can lose their job or their license to practice.

So, is telling a story about a patient a HIPAA violation? Often no, but sometimes yes. If no PHI has been disclosed (meaning that the patient in question cannot be identified), or the person telling the story is not subject to the HIPAA Privacy Rule, then no violation has occurred. However, all members of a covered entity’s workforce should be trained on permissible uses and disclosures of PHI and told it is better not to tell stories about patients.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023.