Is Telling a Story about a Patient a HIPAA Violation?
One of the primary purposes of the HIPAA Privacy Rule is to protect patient privacy, but is sharing an anecdote or telling a story about a patient a HIPAA violation? While it may seem that telling a story that discloses information about a patient is a HIPAA violation, this is not always the case.
Whether telling a story about a patient is a HIPAA violation will depend on who is telling the story, the audience of the story, and whether any protected health information (PHI) is disclosed. For example, not all healthcare providers qualify as HIPAA Covered Entities; and, if the story is being told by an employee of a healthcare provider that does not qualify as a Covered Entity, there can be no violation of HIPAA – although the disclosure may be a violation of another state or federal law.
Secondly, is telling a story about a patient a HIPAA violation if the story contains no individually identifiable health information? Most people would say no; but, if the events of the story identify the patient who is the subject of the story (for example, because some or all of the audience witnessed the events being retold in the story), the anecdote could be classed as an impermissible disclosure of PHI that effectively qualifies as a notifiable data breach.
However, if the information disclosed in the story is not classified as PHI because it is not individually identifiable health information and is maintained outside of a designated record set, there is no violation of HIPAA. Therefore, a doctor telling a story about a patient who crashed their car would not be violating HIPAA provided the injuries sustained by the patient, the treatment for the injuries, or payment for the treatment were not disclosed in the story.
Why it is Better Not to Tell Stories about Patients
As you can see from the above explanation, the answer to the question is telling a story about a patient a HIPAA violation is complicated. Furthermore, although the distinction may be clear to a trained workforce of compliant healthcare professionals, it may not be clear to the subject of the story or anybody who hears it who knows them – potentially resulting in complaints to HHS´ Office for Civil Rights for alleged impermissible and unauthorized disclosures of PHI.
Although the complaints may be unjustified, if HHS´ Office for Civil Rights decides to investigate the allegation, the investigation can be disruptive – notwithstanding that other compliance issues may come to light during a compliance investigation. Therefore, it is better not to tell stories about patients in any circumstances; and this should be included in HIPAA training, with the sanctions for violating an organizational policy (rather than a HIPAA policy) made clear.
Provided an explanation is given about why telling a story is a HIPAA violation – or could be interpreted as such – this should deter members of the workforce sharing workplace anecdotes that could lead to non-compliant gossiping and actual HIPAA violations. The explanation should also give members of the workforce a better understanding of what is considered PHI under HIPAA to enable them to do their jobs compliantly without disrupting the flow of information.
Telling a Story about a Patient: A HIPAA Violation or Not?
Examples exist of healthcare professionals telling stories about patients and being investigated for a HIPAA violation. In 2020, Lillian Udell – a frontline worker in the Emergency Department at the Lincoln Hospital in New York City – posted a video online about how the coronavirus pandemic was affecting her and her colleagues. The video featured a former co-worker who contracted the virus at the hospital and died. In the video, Udell named the co-worker.
Udell was not sanctioned for telling her story because members of the victim´s family had previously posted a similar video and the information was in the public domain. However, had she been found guilty of a HIPAA violation, the sanctions could have ranged from additional privacy training to being put on a probation period, or loss of her job. In some cases – depending on serious the violation is, some healthcare professionals can lose their job or their license to practice.
So, is telling a story about a patient a HIPAA violation? Often no, but sometimes yes. If no PHI has been disclosed (meaning that the patient in question cannot be identified), or the person telling the story is not subject to the HIPAA Privacy Rule, then no violation has occurred. However, all members of a Covered Entities workforce should be trained on permissible uses and disclosures of PHI and told it is better not to tell stories about patients.